diff --git a/dev/domain/esql-evaluations/aws_bedrock.ts b/dev/domain/esql-evaluations/aws_bedrock.ts new file mode 100644 index 00000000000..e3b51f2abef --- /dev/null +++ b/dev/domain/esql-evaluations/aws_bedrock.ts 
@@ -0,0 +1,67 @@ +import type { IntegrationEvaluations } from "./types"; + +export const aws_bedrockEvaluations = { + integration: "aws_bedrock", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "optional_classification", + section: "Optional classification helpers (when needed)", + esql: `| EVAL + entity.sub_type = CASE( + entity.sub_type IS NOT NULL, entity.sub_type, + data_stream.dataset == "aws_bedrock.invocation" AND user.id IS NOT NULL AND user.id LIKE "arn:aws:sts:*:assumed-role/*", "assumed_role", + data_stream.dataset == "aws_bedrock.invocation" AND user.id IS NOT NULL AND user.id LIKE "arn:aws:iam:*:user/*", "iam_user", + null + ), + service.target.sub_type = CASE( + service.target.sub_type IS NOT NULL, service.target.sub_type, + data_stream.dataset == "aws_bedrock.invocation" AND gen_ai.request.model.id IS NOT NULL, "foundation_model", + null + )`, + }, + { + id: "event_action", + section: "Combined ES|QL \u2014 event action", + esql: `| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "aws_bedrock.guardrails" AND aws_bedrock.guardrails.operation IS NOT NULL, aws_bedrock.guardrails.operation, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target 
fields", + esql: `| EVAL + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "aws_bedrock.invocation" AND cloud.service.name IS NOT NULL, cloud.service.name, + null + ), + service.target.id = CASE( + service.target.id IS NOT NULL, service.target.id, + data_stream.dataset == "aws_bedrock.invocation" AND gen_ai.request.model.id IS NOT NULL, gen_ai.request.model.id, + null + ), + service.target.type = CASE( + service.target.type IS NOT NULL, service.target.type, + data_stream.dataset == "aws_bedrock.invocation" AND gen_ai.request.model.type IS NOT NULL, gen_ai.request.model.type, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/aws_bedrock_agentcore.ts b/dev/domain/esql-evaluations/aws_bedrock_agentcore.ts new file mode 100644 index 00000000000..4ba81848979 --- /dev/null +++ b/dev/domain/esql-evaluations/aws_bedrock_agentcore.ts 
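Review bot: The `entity.sub_type` classification in the `optional_classification` snippet only recognises ARNs in the `aws` partition, because both `LIKE` patterns are anchored on `arn:aws:`; principals from the `aws-cn` and `aws-us-gov` partitions (`arn:aws-us-gov:sts::<account>:assumed-role/...`) fall through to `null` and lose their sub-type. Matching the partition segment with a wildcard keeps the role/user distinction everywhere: `user.id LIKE "arn:*:sts:*:assumed-role/*", "assumed_role",` and `user.id LIKE "arn:*:iam:*:user/*", "iam_user",`. The `user.id IS NOT NULL AND` in front of each `LIKE` is redundant, since `LIKE` on a null operand already yields null, but it is harmless and matches the guard style of the other snippets in this commit.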
@@ -0,0 +1,99 @@ +import type { IntegrationEvaluations } from "./types"; + +export const aws_bedrock_agentcoreEvaluations = { + integration: "aws_bedrock_agentcore", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "optional_classification", + section: "Optional classification helpers (when needed)", + esql: `| EVAL + entity.type = CASE( + entity.type IS NOT NULL, entity.type, + data_stream.dataset IN ("aws_bedrock_agentcore.runtime_application_logs", "aws_bedrock_agentcore.memory_application_logs"), "user", + data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs", "service", + null + ), + entity.sub_type = CASE( + entity.sub_type IS NOT NULL, entity.sub_type, + data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs", "agentcore_gateway", + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs" AND aws.bedrock_agentcore.gateway.target IS NOT NULL, "general", + data_stream.dataset IN ("aws_bedrock_agentcore.runtime_application_logs", "aws_bedrock_agentcore.memory_application_logs"), "service", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + 
data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs" AND aws.bedrock_agentcore.gateway.target IS NOT NULL, "tool_target", + data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs", "runtime_endpoint", + data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND aws.bedrock_agentcore.memory.memory_strategy IS NOT NULL, aws.bedrock_agentcore.memory.memory_strategy, + null + )`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND aws.bedrock_agentcore.request_payload.actor_id IS NOT NULL, aws.bedrock_agentcore.request_payload.actor_id, + data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND aws.bedrock_agentcore.memory.actor_id IS NOT NULL, aws.bedrock_agentcore.memory.actor_id, + null + ), + service.id = CASE( + service.id IS NOT NULL, service.id, + data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs" AND aws.bedrock_agentcore.gateway.resource_arn IS NOT NULL, aws.bedrock_agentcore.gateway.resource_arn, + null + )`, + }, + { + id: "event_action", + section: "Combined ES|QL \u2014 event action", + esql: `| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND aws.bedrock_agentcore.operation IS NOT NULL, aws.bedrock_agentcore.operation, + data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND aws.bedrock_agentcore.memory.operation_name IS NOT NULL, aws.bedrock_agentcore.memory.operation_name, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + service.target.id = CASE( + service.target.id IS NOT NULL, service.target.id, + data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND aws.bedrock_agentcore.resource_arn IS NOT NULL, 
aws.bedrock_agentcore.resource_arn, + data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND aws.bedrock_agentcore.memory.resource_arn IS NOT NULL, aws.bedrock_agentcore.memory.resource_arn, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND service.name IS NOT NULL, service.name, + data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND service.name IS NOT NULL, service.name, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs" AND aws.bedrock_agentcore.gateway.target IS NOT NULL, aws.bedrock_agentcore.gateway.target, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/aws_cloudtrail_otel.ts b/dev/domain/esql-evaluations/aws_cloudtrail_otel.ts new file mode 100644 index 00000000000..728e45c33f6 --- /dev/null +++ b/dev/domain/esql-evaluations/aws_cloudtrail_otel.ts 
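Review bot: In the `target` snippet, the two `service.target.name` branches yield the same value and differ only in the dataset literal, so they can be collapsed into one: `data_stream.dataset IN ("aws_bedrock_agentcore.runtime_application_logs", "aws_bedrock_agentcore.memory_application_logs") AND service.name IS NOT NULL, service.name,`. The `optional_classification` snippet already uses the `IN (...)` form for exactly these two datasets, so the merged branch stays consistent with the file. Separately, the `actor` snippet fills `user.id` from `aws.bedrock_agentcore.request_payload.actor_id`, which by its name is a value carried in the caller's request payload rather than an authenticated principal; if that reading is right, a one-line comment on the snippet noting that this actor identity is caller-asserted would help anyone building detections on it.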
@@ -0,0 +1,63 @@ +import type { IntegrationEvaluations } from "./types"; + +export const aws_cloudtrail_otelEvaluations = { + integration: "aws_cloudtrail_otel", + evaluations: [ + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset == "aws.cloudtrail.otel" AND aws.principal.type IN ("IAMUser", "AssumedRole", "FederatedUser", "Root", "IdentityCenterUser") AND aws.principal.arn IS NOT NULL, aws.principal.arn, + null + ), + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "aws.cloudtrail.otel" AND aws.principal.type == "AssumedRole" AND aws.user_identity.session_context.issuer.user_name IS NOT NULL, aws.user_identity.session_context.issuer.user_name, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "aws.cloudtrail.otel" AND source.address IS NOT NULL, source.address, + null + ), + service.name = CASE( + service.name IS NOT NULL, service.name, + data_stream.dataset == "aws.cloudtrail.otel" AND aws.principal.type == "AWSService" AND aws.user_identity.invoked_by IS NOT NULL, aws.user_identity.invoked_by, + null + )`, + }, + { + id: "event_action", + section: "Combined ES|QL \u2014 event action", + esql: `| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method IS NOT NULL, rpc.method, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method == "GetCallerIdentity" AND rpc.service IS NOT NULL, rpc.service, + data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method IN ("PutObject", "GetObject") AND rpc.service IS NOT NULL, rpc.service, + null + ), + user.target.id = CASE( + user.target.id IS NOT NULL, user.target.id, + 
data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method == "AttachUserPolicy" AND aws.request.parameters.userName IS NOT NULL, aws.request.parameters.userName, + null + ), + user.target.name = CASE( + user.target.name IS NOT NULL, user.target.name, + data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method == "AttachUserPolicy" AND aws.request.parameters.userName IS NOT NULL, aws.request.parameters.userName, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/aws_securityhub.ts b/dev/domain/esql-evaluations/aws_securityhub.ts new file mode 100644 index 00000000000..7c071e8e196 --- /dev/null +++ b/dev/domain/esql-evaluations/aws_securityhub.ts 
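Review bot: This file carries no `detection_flags` evaluation even though the sibling files in this commit label that snippet `Detection flags (mandatory — run first)`; `aws_securityhub.ts` in the same commit has the same gap. If the flags really are mandatory, both files should gain the same `actor_exists` / `target_exists` / `action_exists` `| EVAL` the other files have, otherwise the "mandatory" wording in the sibling files should be relaxed. Also in the `target` snippet, `service.target.name` and `user.target.id` / `user.target.name` are keyed on a handful of `rpc.method` values (`GetCallerIdentity`, `PutObject`, `GetObject`, `AttachUserPolicy`), so most CloudTrail events, including other IAM user-mutating calls that carry `userName` in the request parameters, produce no target at all. If the allow-list is deliberate a comment explaining the selection would help; otherwise `data_stream.dataset == "aws.cloudtrail.otel" AND rpc.service IS NOT NULL, rpc.service,` without the method condition covers every event.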
@@ -0,0 +1,75 @@ +import type { IntegrationEvaluations } from "./types"; + +export const aws_securityhubEvaluations = { + integration: "aws_securityhub", + evaluations: [ + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + service.id = CASE( + service.id IS NOT NULL, service.id, + data_stream.dataset == "aws_securityhub.finding", aws_securityhub.finding.metadata.product.uid, + null + ), + service.name = CASE( + service.name IS NOT NULL, service.name, + data_stream.dataset == "aws_securityhub.finding", aws_securityhub.finding.metadata.product.name, + null + ), + service.type = CASE( + service.type IS NOT NULL, service.type, + data_stream.dataset == "aws_securityhub.finding", "service", + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + host.target.id = CASE( + host.target.id IS NOT NULL, host.target.id, + data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::EC2::Instance", host.id, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::EC2::Instance", host.name, + null + ), + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::EC2::Instance", host.ip, + null + ), + service.target.id = CASE( + service.target.id IS NOT NULL, service.target.id, + data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::Lambda::Function", resource.id, + null + ), + user.target.id = CASE( + user.target.id IS NOT NULL, user.target.id, + data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::IAM::User", user.id, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "aws_securityhub.finding" + AND resource.type != "AWS::EC2::Instance" + AND resource.type != 
"AWS::Lambda::Function" + AND resource.type != "AWS::IAM::User", resource.id, + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "aws_securityhub.finding", resource.type, + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "aws_securityhub.finding", "cloud_resource", + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/aws_vpcflow_otel.ts b/dev/domain/esql-evaluations/aws_vpcflow_otel.ts new file mode 100644 index 00000000000..dbc426d38c4 --- /dev/null +++ b/dev/domain/esql-evaluations/aws_vpcflow_otel.ts 
@@ -0,0 +1,76 @@ +import type { IntegrationEvaluations } from "./types"; + +export const aws_vpcflow_otelEvaluations = { + integration: "aws_vpcflow_otel", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "optional_classification", + section: "Optional classification helpers (when needed)", + esql: `| EVAL + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "aws.vpcflow.otel" AND aws.vpc.flow.destination.service IS NOT NULL, "service", + data_stream.dataset == "aws.vpcflow.otel", "host", + null + )`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "aws.vpcflow.otel" AND source.address IS NOT NULL, source.address, + null + ), + host.name = CASE( + host.name IS NOT NULL, host.name, + data_stream.dataset == "aws.vpcflow.otel" AND source.address IS NOT NULL, source.address, + null + )`, + }, + { + id: "event_action", + section: "Combined ES|QL \u2014 event action", + esql: `| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "aws.vpcflow.otel" AND aws.vpc.flow.action IS NOT NULL, aws.vpc.flow.action, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset 
== "aws.vpcflow.otel" AND destination.address IS NOT NULL, destination.address, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "aws.vpcflow.otel" AND destination.address IS NOT NULL, destination.address, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "aws.vpcflow.otel" AND aws.vpc.flow.destination.service IS NOT NULL, aws.vpc.flow.destination.service, + data_stream.dataset == "aws.vpcflow.otel" AND network.protocol.name IS NOT NULL, network.protocol.name, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/azure_ai_foundry.ts b/dev/domain/esql-evaluations/azure_ai_foundry.ts new file mode 100644 index 00000000000..099bb8c954a --- /dev/null +++ b/dev/domain/esql-evaluations/azure_ai_foundry.ts 
@@ -0,0 +1,72 @@ +import type { IntegrationEvaluations } from "./types"; + +export const azure_ai_foundryEvaluations = { + integration: "azure_ai_foundry", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "Audit", azure.ai_foundry.properties.object_id, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "GatewayLogs", source.ip, + data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "RequestResponse", azure.ai_foundry.caller_ip_address, + null + )`, + }, + { + id: "event_action", + section: "Combined ES|QL \u2014 event action", + esql: `| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "Audit", azure.ai_foundry.operation_name, + data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "RequestResponse", 
azure.ai_foundry.operation_name, + data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "GatewayLogs", azure.ai_foundry.properties.operation_id, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + service.target.id = CASE( + service.target.id IS NOT NULL, service.target.id, + data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "Audit", azure.resource.id, + data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "RequestResponse", azure.ai_foundry.properties.model_deployment_name, + data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "GatewayLogs", azure.ai_foundry.properties.backend_request_body.model, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "Audit", azure.resource.name, + data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "RequestResponse", azure.ai_foundry.properties.model_deployment_name, + data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "GatewayLogs", azure.ai_foundry.properties.backend_request_body.model, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "GatewayLogs", azure.ai_foundry.properties.backend_response_body.id, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/azure_app_service.ts b/dev/domain/esql-evaluations/azure_app_service.ts new file mode 100644 index 00000000000..340211b1cf4 --- /dev/null 
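Review bot: In the `target` snippet, `entity.target.id` for `GatewayLogs` comes from `azure.ai_foundry.properties.backend_response_body.id`, which from its name looks like a per-response identifier; if so, every gateway request mints a new entity id, which is high-cardinality and unlikely to represent a stable target. A comment on that branch saying what the id identifies (a deployment, a model, or a single response) would let a reader judge it, and if it is per-response the branch should probably be dropped in favour of the `service.target.*` columns already set from the request's model. The `service.target.id` and `service.target.name` branches for `GatewayLogs` both use `azure.ai_foundry.properties.backend_request_body.model`, i.e. the model name the caller asked for; a note that this value is request-supplied rather than resolved by the backend is worth keeping next to the snippet.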
+++ b/dev/domain/esql-evaluations/azure_app_service.ts 
@@ -0,0 +1,98 @@ +import type { IntegrationEvaluations } from "./types"; + +export const azure_app_serviceEvaluations = { + integration: "azure_app_service", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.email IS NOT NULL OR user.name IS NOT NULL OR host.ip IS NOT NULL, + target_exists = host.target.id IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "optional_classification", + section: "Optional classification helpers (when needed)", + esql: `| EVAL + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs"), "host", + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs", "general", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs"), "web_app", + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs", "url_path", + null + )`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceAuditLogs", azure.app_service.properties.user, + null + ), + user.email = CASE( + user.email IS NOT NULL, user.email, + data_stream.dataset == "azure_app_service.app_service_logs" AND 
azure.app_service.category == "AppServiceAuditLogs", azure.app_service.properties.user_display_name, + null + ), + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceAuditLogs", azure.app_service.properties.user_display_name, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs" AND azure.app_service.properties.cs_username != "-", azure.app_service.properties.cs_username, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs", "AppServiceHTTPLogs"), azure.app_service.properties.client_ip, + null + )`, + }, + { + id: "event_action", + section: "Combined ES|QL \u2014 event action", + esql: `| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs"), azure.app_service.operation_name, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs", azure.app_service.properties.cs_method, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + host.target.id = CASE( + host.target.id IS NOT NULL, host.target.id, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs", "AppServiceHTTPLogs"), azure.resource.id, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceAuditLogs", azure.resource.name, + data_stream.dataset == "azure_app_service.app_service_logs" AND 
azure.app_service.category == "AppServiceIPSecAuditLogs", azure.app_service.properties.cs_host, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs", azure.app_service.properties.cs_host, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs", "AppServiceHTTPLogs"), azure.resource.provider, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs", azure.app_service.properties.cs_uri_stem, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/azure_openai.ts b/dev/domain/esql-evaluations/azure_openai.ts new file mode 100644 index 00000000000..107e69c5819 --- /dev/null +++ b/dev/domain/esql-evaluations/azure_openai.ts 
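Review bot: In the `actor` snippet, `user.email` is populated from `azure.app_service.properties.user_display_name`, the same field that feeds `user.name` in the next assignment; a display name is not an e-mail address, so the `user.email` column will carry non-address values and may break consumers that rely on its format. Unless that field is known to hold an address for `AppServiceAuditLogs`, dropping the `user.email` branch, or guarding it with `AND azure.app_service.properties.user_display_name LIKE "*@*"`, seems safer. In the `target` snippet, the `AppServiceIPSecAuditLogs` and `AppServiceHTTPLogs` branches of `host.target.name` both yield `azure.app_service.properties.cs_host` and could be merged with `IN (...)` as the other assignments in this file already do. `cs_host` is presumably the request's Host header, a client-supplied value; since it becomes a target identity here, a comment recording that is worthwhile.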
@@ -0,0 +1,66 @@ +import type { IntegrationEvaluations } from "./types"; + +export const azure_openaiEvaluations = { + integration: "azure_openai", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "Audit", azure.open_ai.properties.object_id, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "GatewayLogs", source.ip, + data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "RequestResponse", azure.open_ai.caller_ip_address, + null + )`, + }, + { + id: "event_action", + section: "Combined ES|QL \u2014 event action", + esql: `| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "azure.open_ai" AND azure.open_ai.category IN ("Audit", "RequestResponse"), azure.open_ai.operation_name, + data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "GatewayLogs", azure.open_ai.properties.operation_id, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + service.target.id = CASE( + service.target.id IS NOT 
NULL, service.target.id, + data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "Audit", azure.resource.id, + data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "RequestResponse", azure.open_ai.properties.model_deployment_name, + data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "GatewayLogs", azure.open_ai.properties.backend_request_body.model, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "Audit", azure.resource.name, + data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "RequestResponse", azure.open_ai.properties.model_name, + data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "GatewayLogs", azure.open_ai.properties.backend_response_body.model, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/buildEnrichmentQuery.ts b/dev/domain/esql-evaluations/buildEnrichmentQuery.ts new file mode 100644 index 00000000000..5f8a064e81f --- /dev/null +++ b/dev/domain/esql-evaluations/buildEnrichmentQuery.ts 
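Review bot: In the `target` snippet, the `GatewayLogs` branches derive `service.target.id` from `azure.open_ai.properties.backend_request_body.model` but `service.target.name` from `azure.open_ai.properties.backend_response_body.model`, so the id and the name of the same target come from opposite sides of the exchange; `azure_ai_foundry.ts` in this commit uses the request-side field for both. When the gateway serves a different model than the one requested, the two columns will disagree for the same row. Either use one side for both, e.g. `data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "GatewayLogs", azure.open_ai.properties.backend_request_body.model,` for the name as well, or leave a comment recording why the two columns intentionally differ.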
@@ -0,0 +1,112 @@
+import { allIntegrationEvaluations } from "./registry";
+import type { IntegrationEvaluations } from "./types";
+import {
+ formatCaseAssignment,
+ mergeAssignments,
+ parseEvalSnippet,
+ type ParsedAssignment,
+} from "./mergeEval";
+
+/** Pipeline phases merged into one `| EVAL` each (`detection_flags` is skipped). */
+export const ENRICHMENT_PHASES = [
+ "actor",
+ "event_action",
+ "target",
+ "optional_classification",
+] as const;
+
+export type EnrichmentPhase = (typeof ENRICHMENT_PHASES)[number];
+
+export interface BuildEnrichmentQueryOptions {
+ /**
+ * Integration package codes to include (e.g. `["slack", "openai"]`).
+ * Default: all integrations with at least one evaluation snippet.
+ */
+ integrations?: readonly string[];
+ /**
+ * Output columns to omit from every `| EVAL` phase (e.g. `["host.ip", "host.target.ip"]`).
+ * Default: none skipped.
+ */
+ skipColumns?: readonly string[];
+}
+
+function defaultIntegrationIds(): string[] {
+ return Object.entries(allIntegrationEvaluations)
+ .filter(([, mod]) => mod.evaluations.length > 0)
+ .map(([id]) => id)
+ .sort();
+}
+
+function resolveModules(ids: readonly string[]): IntegrationEvaluations[] {
+ const missing: string[] = [];
+ const modules: IntegrationEvaluations[] = [];
+
+ for (const id of ids) {
+ const mod = allIntegrationEvaluations[id as keyof typeof allIntegrationEvaluations];
+ if (!mod) {
+ missing.push(id);
+ continue;
+ }
+ if (mod.evaluations.length > 0) {
+ modules.push(mod);
+ }
+ }
+
+ if (missing.length > 0) {
+ throw new Error(`Unknown integration(s): ${missing.join(", ")}`);
+ }
+
+ return modules;
+}
+
+function mergePhase(modules: IntegrationEvaluations[], phase: EnrichmentPhase): ParsedAssignment[] {
+ const byColumn = new Map();
+
+ for (const mod of modules) {
+ const snippet = mod.evaluations.find((e) => e.id === phase);
+ if (!snippet) {
+ continue;
+ }
+
+ for (const assignment of parseEvalSnippet(snippet.esql)) {
+ const existing = 
byColumn.get(assignment.column);
+ byColumn.set(
+ assignment.column,
+ existing ? mergeAssignments(existing, assignment) : assignment,
+ );
+ }
+ }
+
+ return [...byColumn.entries()]
+ .sort(([a], [b]) => a.localeCompare(b))
+ .map(([, assignment]) => assignment);
+}
+
+/** Integration codes that have at least one evaluation snippet. */
+export function listIntegrationsWithEvaluations(): string[] {
+ return defaultIntegrationIds();
+}
+
+/**
+ * Build a paste-ready ES|QL enrichment pipeline at runtime.
+ * Merges per-integration `| EVAL` snippets by column (dataset guards stay in each CASE branch).
+ */
+export function buildEnrichmentQuery(options: BuildEnrichmentQueryOptions = {}): string {
+ const integrationIds = options.integrations ?? defaultIntegrationIds();
+ const modules = resolveModules(integrationIds);
+ const skip = new Set(options.skipColumns ?? []);
+
+ const lines: string[] = [];
+
+ for (const phase of ENRICHMENT_PHASES) {
+ const assignments = mergePhase(modules, phase).filter((a) => !skip.has(a.column));
+ if (assignments.length === 0) {
+ continue;
+ }
+
+ const body = assignments.map(formatCaseAssignment).join(",\n");
+ lines.push(`| EVAL\n${body}`);
+ }
+
+ return `${lines.join("\n")}\n`;
+}
diff --git a/dev/domain/esql-evaluations/checkpoint_email.ts b/dev/domain/esql-evaluations/checkpoint_email.ts
new file mode 100644
index 00000000000..2a7a2b62457
--- /dev/null
+++ b/dev/domain/esql-evaluations/checkpoint_email.ts
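Review bot: `resolveModules` indexes `allIntegrationEvaluations[id as keyof typeof allIntegrationEvaluations]` with caller-supplied ids, so if the registry is a plain object (which `Object.entries` in `defaultIntegrationIds` suggests), an id such as `"constructor"`, `"toString"` or `"__proto__"` resolves to an inherited property, passes the `!mod` check, and then throws a `TypeError` on `mod.evaluations.length` instead of being reported as an unknown integration. Guard with an own-property check before indexing, `if (!Object.hasOwn(allIntegrationEvaluations, id)) { missing.push(id); continue; }`, and read `const mod = allIntegrationEvaluations[id as keyof typeof allIntegrationEvaluations];` only after it. In `mergePhase`, `const byColumn = new Map();` infers `Map<any, any>` and so hides type errors on the `mergeAssignments` call; `new Map<string, ParsedAssignment>()` uses the already-imported type (assuming `column` is typed as a string). `buildEnrichmentQuery` returns `"\n"` when no phase produces an assignment (e.g. `integrations: []` or every column skipped), which a caller may mistake for a valid query; documenting that in the JSDoc, or returning `""` in that case, would make the contract explicit.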
@@ -0,0 +1,101 @@ +import type { IntegrationEvaluations } from "./types"; + +export const checkpoint_emailEvaluations = { + integration: "checkpoint_email", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.email IS NOT NULL OR user.name IS NOT NULL OR user.domain IS NOT NULL + OR source.user.email IS NOT NULL OR source.user.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL OR entity.target.type IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + user.email = CASE( + user.email IS NOT NULL, user.email, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing", "dlp") AND source.user.email IS NOT NULL, source.user.email, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "alert" AND destination.user.email IS NOT NULL, destination.user.email, + null + ), + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing", "dlp") AND source.user.name IS NOT NULL, source.user.name, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "alert" AND destination.user.name IS NOT NULL, destination.user.name, + null + ), + user.domain = CASE( + user.domain IS NOT NULL, 
user.domain, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing", "dlp") AND source.user.domain IS NOT NULL, source.user.domain, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "alert" AND destination.user.domain IS NOT NULL, destination.user.domain, + null + )`, + }, + { + id: "event_action", + section: "Combined ES|QL \u2014 event action", + esql: `| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IS NOT NULL, checkpoint_email.event.type, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + user.target.email = CASE( + user.target.email IS NOT NULL, user.target.email, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing") AND checkpoint_email.event.type != "alert" AND destination.user.email IS NOT NULL, destination.user.email, + null + ), + user.target.name = CASE( + user.target.name IS NOT NULL, user.target.name, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing") AND checkpoint_email.event.type != "alert" AND destination.user.name IS NOT NULL, destination.user.name, + null + ), + user.target.domain = CASE( + user.target.domain IS NOT NULL, user.target.domain, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing") AND checkpoint_email.event.type != "alert" AND destination.user.domain IS NOT NULL, destination.user.domain, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "checkpoint_email.event" AND 
checkpoint_email.event.entity_id IS NOT NULL, checkpoint_email.event.entity_id, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "checkpoint_email.event" AND email.subject IS NOT NULL, email.subject, + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing"), "user", + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "anomaly", "service", + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "shadow_it", "general", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing") AND destination.user.email IS NOT NULL, "email_recipient", + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "anomaly" AND checkpoint_email.event.saas IS NOT NULL, checkpoint_email.event.saas, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/cisco_meraki.ts b/dev/domain/esql-evaluations/cisco_meraki.ts new file mode 100644 index 00000000000..cfe4a93414a --- /dev/null +++ b/dev/domain/esql-evaluations/cisco_meraki.ts 
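Review bot: The `AND checkpoint_email.event.type != "alert"` predicate in the `user.target.email`, `user.target.name` and `user.target.domain` branches of the target snippet is dead, since the `IN (...)` list immediately before it does not contain `"alert"`; dropping it shortens the three lines without changing results. The actor snippet includes `"dlp"` in its source-user list while the target snippet omits it, so `dlp` events receive an actor but no recipient target; if that asymmetry is intentional, a short comment on the target entry would save the next reader from treating it as an omission.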
@@ -0,0 +1,96 @@ +import type { IntegrationEvaluations } from "./types"; + +export const cisco_merakiEvaluations = { + integration: "cisco_meraki", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "cisco_meraki.log" AND cisco_meraki.event_subtype == "anyconnect_vpn_session_manager" AND cisco_meraki.anyconnect_vpn_session_manager.user_name IS NOT NULL, cisco_meraki.anyconnect_vpn_session_manager.user_name, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "cisco_meraki.log" AND source.ip IS NOT NULL AND user.name IS NULL, source.ip, + data_stream.dataset == "cisco_meraki.log" AND client.ip IS NOT NULL AND client.ip != "0.0.0.0" AND user.name IS NULL, client.ip, + null + )`, + }, + { + id: "event_action", + section: "Combined ES|QL \u2014 event action", + esql: `| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "cisco_meraki.log" AND cisco_meraki.event_type == "ip_flow_start", "ip-flow-start", + data_stream.dataset == "cisco_meraki.log" AND cisco_meraki.event_type == "ip_flow_end", "ip-flow-end", + 
null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset == "cisco_meraki.log" AND network.forwarded_ip IS NOT NULL, network.forwarded_ip, + data_stream.dataset == "cisco_meraki.log" AND destination.ip IS NOT NULL, destination.ip, + data_stream.dataset == "cisco_meraki.log" AND cisco_meraki.anyconnect_vpn_session_manager.peer_ip IS NOT NULL, cisco_meraki.anyconnect_vpn_session_manager.peer_ip, + data_stream.dataset == "cisco_meraki.events" AND cisco_meraki.event.alertData.local IS NOT NULL, cisco_meraki.event.alertData.local, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "cisco_meraki.log" AND event.action == "wifi-8021x-auth" AND \`cisco_meraki.8021x_eap_success.vap\` IS NOT NULL, \`cisco_meraki.8021x_eap_success.vap\`, + data_stream.dataset == "cisco_meraki.log" AND event.action == "wifi-wpa-authentication" AND cisco_meraki.wpa_auth.vap IS NOT NULL, cisco_meraki.wpa_auth.vap, + data_stream.dataset == "cisco_meraki.log" AND event.action == "splash-authentication" AND cisco_meraki.splash_auth.vap IS NOT NULL, cisco_meraki.splash_auth.vap, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("http-access", "http-access-error", "ids-signature-matched") AND network.protocol IS NOT NULL, network.protocol, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("dhcp-offer", "dhcp-no-offer") AND server.mac IS NOT NULL, server.mac, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("rogue-ssid-detected", "ssid-spoofing-detected") AND destination.mac IS NOT NULL, destination.mac, + data_stream.dataset == "cisco_meraki.events" AND observer.serial_number IS NOT NULL, observer.serial_number, + null + ), + entity.target.name = CASE( + 
entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("http-access", "http-access-error") AND url.domain IS NOT NULL, url.domain, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("malicious-file-actioned", "issued-retrospective-malicious-disposition") AND file.name IS NOT NULL, file.name, + data_stream.dataset == "cisco_meraki.events" AND observer.name IS NOT NULL, observer.name, + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("wifi-wpa-authentication", "wifi-8021x-auth", "splash-authentication"), "service", + data_stream.dataset == "cisco_meraki.log" AND destination.ip IS NOT NULL, "host", + data_stream.dataset == "cisco_meraki.events", "general", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("wifi-wpa-authentication", "wifi-8021x-auth", "splash-authentication"), "wifi_vap", + data_stream.dataset == "cisco_meraki.events", "managed_device", + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/cisco_secure_email_gateway.ts b/dev/domain/esql-evaluations/cisco_secure_email_gateway.ts new file mode 100644 index 00000000000..c43a52808bc --- /dev/null +++ b/dev/domain/esql-evaluations/cisco_secure_email_gateway.ts 
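Review bot: `client.ip != "0.0.0.0"` in the actor snippet's `host.ip` branch compares what is presumably an `ip`-typed field with a string literal; recent ES|QL versions implicitly cast the literal, but `client.ip != TO_IP("0.0.0.0")` states the intent and does not depend on that behaviour. The two `host.ip` branches are also only meaningful because they follow the `user.name` assignment in the same snippet, so that dependency deserves a comment next to the entry, e.g. `// host.ip is a fallback actor: only set when the user.name assignment above produced nothing`.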
@@ -0,0 +1,120 @@ +import type { IntegrationEvaluations } from "./types"; + +export const cisco_secure_email_gatewayEvaluations = { + integration: "cisco_secure_email_gateway", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR client.ip IS NOT NULL OR host.ip IS NOT NULL + OR service.name IS NOT NULL OR observer.vendor IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "optional_classification", + section: "Optional classification helpers (when needed)", + esql: `| EVAL + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "authentication" AND cisco_secure_email_gateway.log.action IN ("logged on", "authenticated"), "service", + data_stream.dataset == "cisco_secure_email_gateway.log" AND email.to.address IS NOT NULL, "user", + data_stream.dataset == "cisco_secure_email_gateway.log" AND file.name IS NOT NULL, "general", + data_stream.dataset == "cisco_secure_email_gateway.log" AND url.path IS NOT NULL, "general", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "authentication" AND cisco_secure_email_gateway.log.action IN ("logged on", "authenticated"), null, + data_stream.dataset == "cisco_secure_email_gateway.log" AND email.message_id IS NOT 
NULL, "email_message", + data_stream.dataset == "cisco_secure_email_gateway.log" AND file.name IS NOT NULL, "file", + data_stream.dataset == "cisco_secure_email_gateway.log" AND url.path IS NOT NULL, "web_resource", + null + )`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("authentication", "gui_logs", "system"), user.name, + null + ), + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("consolidated_event", "mail_logs", "bounces"), email.from.address, + null + ), + user.email = CASE( + user.email IS NOT NULL, user.email, + data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("consolidated_event", "mail_logs", "bounces", "error_logs") AND email.from.address IS NOT NULL, email.from.address, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "gui_logs", client.ip, + data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("consolidated_event", "error_logs"), source.ip, + null + ), + service.name = CASE( + service.name IS NOT NULL, service.name, + data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "antivirus", observer.vendor, + null + )`, + }, + { + id: "event_action", + section: "Combined ES|QL \u2014 event action", + esql: `| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "gui_logs" AND http.request.method IS NOT NULL, http.request.method, 
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "consolidated_event" AND cisco_secure_email_gateway.log.act IS NOT NULL, cisco_secure_email_gateway.log.act, + data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "antivirus" AND cisco_secure_email_gateway.log.type IS NOT NULL, cisco_secure_email_gateway.log.type, + data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "mail_logs" AND cisco_secure_email_gateway.log.message_status IS NOT NULL, cisco_secure_email_gateway.log.message_status, + data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "bounces" AND cisco_secure_email_gateway.log.bounce_type IS NOT NULL, cisco_secure_email_gateway.log.bounce_type, + data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("authentication", "gui_logs") AND cisco_secure_email_gateway.log.action IS NOT NULL, cisco_secure_email_gateway.log.action, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "authentication" AND cisco_secure_email_gateway.log.action IN ("logged on", "authenticated"), "Cisco Secure Email Gateway", + null + ), + user.target.email = CASE( + user.target.email IS NOT NULL, user.target.email, + data_stream.dataset == "cisco_secure_email_gateway.log" AND email.to.address IS NOT NULL, email.to.address, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "cisco_secure_email_gateway.log" AND email.message_id IS NOT NULL, email.message_id, + null + ), + entity.target.name = CASE( + 
entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("amp", "antivirus") AND file.name IS NOT NULL, file.name, + data_stream.dataset == "cisco_secure_email_gateway.log" AND email.subject IS NOT NULL, email.subject, + data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "gui_logs" AND url.path IS NOT NULL, url.path, + data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "system", cisco_secure_email_gateway.log.object, + null + ), + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset == "cisco_secure_email_gateway.log" AND destination.ip IS NOT NULL, destination.ip, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/cisco_umbrella.ts b/dev/domain/esql-evaluations/cisco_umbrella.ts new file mode 100644 index 00000000000..886765b1fc7 --- /dev/null +++ b/dev/domain/esql-evaluations/cisco_umbrella.ts 
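Review bot: Several branches in the actor snippet select a field without the `IS NOT NULL` guard used elsewhere in this file — `user.id` selects `user.name`, `user.name` selects `email.from.address`, and `host.ip` selects `client.ip` and `source.ip` — which only stays harmless because each CASE ends in `null` and the categories do not overlap. For consistency with the `user.email` branch, guard them, e.g. `... == "gui_logs" AND client.ip IS NOT NULL, client.ip,`. The `"system"` branch of `entity.target.name` in the target snippet selects `cisco_secure_email_gateway.log.object` unguarded in the same way.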
@@ -0,0 +1,81 @@ +import type { IntegrationEvaluations } from "./types"; + +export const cisco_umbrellaEvaluations = { + integration: "cisco_umbrella", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "cisco_umbrella.log" AND observer.type IN ("dns", "proxy", "firewall", "idps", "dlp") AND user.id IS NULL AND user.name IS NULL AND host.name IS NULL AND source.ip IS NOT NULL, source.ip, + null + ), + entity.name = CASE( + entity.name IS NOT NULL, entity.name, + data_stream.dataset == "cisco_umbrella.log" AND network.name IS NOT NULL AND user.id IS NULL AND user.name IS NULL AND host.name IS NULL, network.name, + null + ), + entity.type = CASE( + entity.type IS NOT NULL, entity.type, + data_stream.dataset == "cisco_umbrella.log" AND network.name IS NOT NULL AND user.id IS NULL AND user.name IS NULL AND host.name IS NULL, "network-segment", + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "cisco_umbrella.log" AND event.category == 
"configuration" AND cisco.umbrella.audit.type IS NOT NULL, cisco.umbrella.audit.type, + data_stream.dataset == "cisco_umbrella.log" AND observer.type == "dns" AND dns.question.name IS NOT NULL, dns.question.name, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "cisco_umbrella.log" AND event.category == "configuration" AND cisco.umbrella.audit.type IS NOT NULL, cisco.umbrella.audit.type, + data_stream.dataset == "cisco_umbrella.log" AND observer.type == "dns" AND dns.question.name IS NOT NULL, dns.question.name, + data_stream.dataset == "cisco_umbrella.log" AND observer.type IN ("proxy", "dlp") AND file.name IS NOT NULL, file.name, + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "cisco_umbrella.log" AND event.category == "configuration", "configuration_object", + data_stream.dataset == "cisco_umbrella.log" AND observer.type == "dns", "dns_name", + data_stream.dataset == "cisco_umbrella.log" AND observer.type IN ("proxy", "dlp") AND file.name IS NOT NULL, "file", + null + ), + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset == "cisco_umbrella.log" AND observer.type IN ("proxy", "firewall", "idps", "dlp") AND destination.ip IS NOT NULL, destination.ip, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "cisco_umbrella.log" AND observer.type == "idps" AND cisco.umbrella.message IS NOT NULL, cisco.umbrella.message, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "cisco_umbrella.log" AND network.application IS NOT NULL, network.application, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; 
diff --git a/dev/domain/esql-evaluations/citrix_waf.ts b/dev/domain/esql-evaluations/citrix_waf.ts new file mode 100644 index 00000000000..83f3fd362f1 --- /dev/null +++ b/dev/domain/esql-evaluations/citrix_waf.ts 
@@ -0,0 +1,76 @@ +import type { IntegrationEvaluations } from "./types"; + +export const citrix_wafEvaluations = { + integration: "citrix_waf", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR source.ip IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL + OR entity.target.type IS NOT NULL OR entity.target.sub_type IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true AND source.ip IS NOT NULL, source.ip, + null + ), + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "citrix_waf.log" AND citrix.name == "CMD_EXECUTED", "ADM_User", + null + )`, + }, + { + id: "event_action", + section: "Combined ES|QL \u2014 event action", + esql: `| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "citrix_waf.log" AND (citrix.cef_format IS NULL OR TO_BOOLEAN(citrix.cef_format) == false) AND citrix.name IS NOT NULL, citrix.name, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + service.target.id = CASE( + service.target.id IS NOT NULL, service.target.id, + data_stream.dataset == 
"citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true AND http.request.id IS NOT NULL, http.request.id, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true AND url.domain IS NOT NULL, CONCAT(url.domain, url.path), + data_stream.dataset == "citrix_waf.log" AND citrix.device_event_class_id == "API", "Citrix ADC management API", + data_stream.dataset == "citrix_waf.log" AND citrix.device_event_class_id == "APPFW" AND (citrix.cef_format IS NULL OR TO_BOOLEAN(citrix.cef_format) == false), "Citrix NetScaler APPFW", + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true, "service", + data_stream.dataset == "citrix_waf.log" AND citrix.device_event_class_id IN ("API", "APPFW"), "service", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true AND url.domain IS NOT NULL, "protected_web_app", + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/corelight.ts b/dev/domain/esql-evaluations/corelight.ts new file mode 100644 index 00000000000..39530c4d670 --- /dev/null +++ b/dev/domain/esql-evaluations/corelight.ts 
@@ -0,0 +1,93 @@ +import type { IntegrationEvaluations } from "./types"; + +export const corelightEvaluations = { + integration: "corelight", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + event.dataset IN ("conn", "dns", "http", "tls", "x509", "notice", "intel", "ssh", "rdp", "vpn", "suricata_corelight", "files") AND source.ip IS NOT NULL, source.ip, + null + ), + entity.name = CASE( + entity.name IS NOT NULL, entity.name, + event.dataset == "http" AND user_agent.original IS NOT NULL, user_agent.original, + null + )`, + }, + { + id: "event_action", + section: "Combined ES|QL \u2014 event action", + esql: `| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + event.dataset == "notice" AND notice.note IS NOT NULL, notice.note, + event.dataset == "suricata_corelight" AND rule.name IS NOT NULL, rule.name, + event.dataset == "http" AND http.request.method IS NOT NULL, http.request.method, + event.dataset == "dns" AND dns.question.type IS NOT NULL, dns.question.type, + event.dataset == "rdp" AND rdp.result IS NOT NULL, rdp.result, + event.dataset == "ssh" AND ssh.inferences IS NOT NULL, ssh.inferences, + event.dataset == "vpn" AND vpn.inferences IS NOT NULL, vpn.inferences, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + 
esql: `| EVAL + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + event.dataset IN ("conn", "dns", "http", "tls", "x509", "notice", "intel", "ssh", "rdp", "vpn", "suricata_corelight") AND destination.ip IS NOT NULL, destination.ip, + null + ), + host.target.id = CASE( + host.target.id IS NOT NULL, host.target.id, + event.dataset == "conn" AND capture_source == "vpcflow" AND resp_inst.id IS NOT NULL, resp_inst.id, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + event.dataset == "files" AND files.rx_hosts IS NOT NULL, files.rx_hosts, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + event.dataset IN ("conn", "notice", "tls", "rdp") AND network.protocol IS NOT NULL, network.protocol, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + event.dataset == "dns" AND dns.question.name IS NOT NULL, dns.question.name, + event.dataset == "http" AND dest_host IS NOT NULL, dest_host, + event.dataset == "intel" AND intel.seen.indicator IS NOT NULL, intel.seen.indicator, + event.dataset == "suricata_corelight" AND rule.name IS NOT NULL, rule.name, + event.dataset == "notice" AND notice.note IS NOT NULL, notice.note, + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + event.dataset == "dns", "domain", + event.dataset == "http", "url", + event.dataset == "intel", "indicator", + event.dataset == "suricata_corelight", "ids_rule", + event.dataset == "notice", "notice", + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/cyera.ts b/dev/domain/esql-evaluations/cyera.ts new file mode 100644 index 00000000000..c14fbd7b52d --- /dev/null +++ b/dev/domain/esql-evaluations/cyera.ts 
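Review bot: The `entity.target.type` values in the target snippet (`"domain"`, `"url"`, `"indicator"`, `"ids_rule"`, `"notice"`) use a different vocabulary from the other integrations in this series, which keep `entity.target.type` to coarse classes (`"user"`, `"service"`, `"host"`, `"general"`) and put the specific kind in `entity.target.sub_type`; if the type column is meant to be queried across integrations, these should probably become `"general"` with the current literals moved to a sub_type branch. In the event_action snippet `ssh.inferences` and `vpn.inferences` are assigned to `event.action`; if those fields are multi-valued, `event.action` becomes multi-valued for those rows, which is worth a comment on the branch.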
@@ -0,0 +1,86 @@ +import type { IntegrationEvaluations } from "./types"; + +export const cyeraEvaluations = { + integration: "cyera", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "optional_classification", + section: "Optional classification helpers (when needed)", + esql: `| EVAL + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "cyera.event" AND cyera.event.type == "scanEvent", "general", + data_stream.dataset == "cyera.event" AND cyera.event.type == "DisablePolicyEvent", "general", + data_stream.dataset == "cyera.event" AND cyera.event.type == "IssueStatusChangedToClosedEvent", "general", + data_stream.dataset == "cyera.event" AND cyera.event.type == "M365SensitivityLabelRemediationFinishedEvent", "general", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "cyera.event" AND cyera.event.type == "scanEvent", "cloud_datastore", + data_stream.dataset == "cyera.event" AND cyera.event.type == "DisablePolicyEvent", "policy", + data_stream.dataset == "cyera.event" AND cyera.event.type == "IssueStatusChangedToClosedEvent", "issue", + data_stream.dataset == "cyera.event" AND cyera.event.type == "M365SensitivityLabelRemediationFinishedEvent", "m365_remediation", + null + )`, + }, + { + id: "actor", + section: 
"Combined ES|QL \u2014 actor fields", + esql: `| EVAL + service.name = CASE( + service.name IS NOT NULL, service.name, + data_stream.dataset == "cyera.event" AND user.name IS NULL, "Cyera", + null + )`, + }, + { + id: "event_action", + section: "Combined ES|QL \u2014 event action", + esql: `| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "cyera.event" AND cyera.event.type IS NOT NULL, cyera.event.type, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "cyera.event" AND cyera.event.type == "scanEvent", cyera.event.datastore.uid, + data_stream.dataset == "cyera.event" AND cyera.event.type == "DisablePolicyEvent", cyera.event.policy.uid, + data_stream.dataset == "cyera.event" AND cyera.event.type == "IssueStatusChangedToClosedEvent", cyera.event.issue.uid, + data_stream.dataset == "cyera.event" AND cyera.event.type == "M365SensitivityLabelRemediationFinishedEvent", cyera.event.issue.uid, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "cyera.event" AND cyera.event.type == "scanEvent", cyera.event.datastore.name, + data_stream.dataset == "cyera.event" AND cyera.event.type == "DisablePolicyEvent", cyera.event.policy.name, + data_stream.dataset == "cyera.event" AND cyera.event.type IN ("IssueStatusChangedToClosedEvent", "M365SensitivityLabelRemediationFinishedEvent"), cyera.event.policy.name, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "cyera.event" AND cyera.event.type == "scanEvent", cloud.service.name, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/darktrace.ts b/dev/domain/esql-evaluations/darktrace.ts new file mode 100644 index 00000000000..f5cb86d0986 
--- /dev/null +++ b/dev/domain/esql-evaluations/darktrace.ts 
@@ -0,0 +1,65 @@
+import type { IntegrationEvaluations } from "./types";
+
+export const darktraceEvaluations = {
+ integration: "darktrace",
+ evaluations: [
+ {
+ id: "detection_flags",
+ section: "Detection flags (mandatory \u2014 run first)",
+ esql: `| EVAL
+ actor_exists = host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR host.hostname IS NOT NULL OR host.mac IS NOT NULL OR host.type IS NOT NULL,
+ target_exists = host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL`,
+ },
+ {
+ id: "actor",
+ section: "Combined ES|QL \u2014 actor fields",
+ esql: `| EVAL
+ host.name = CASE(
+ host.name IS NOT NULL, host.name,
+ STARTS_WITH(data_stream.dataset, "darktrace.") AND host.hostname IS NOT NULL, host.hostname,
+ null
+ )`,
+ },
+ {
+ id: "event_action",
+ section: "Combined ES|QL \u2014 event action",
+ esql: `| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "darktrace.model_breach_alert" AND rule.name IS NOT NULL, rule.name,
+ data_stream.dataset == "darktrace.ai_analyst_alert" AND darktrace.ai_analyst_alert.summariser IS NOT NULL, darktrace.ai_analyst_alert.summariser,
+ data_stream.dataset == "darktrace.system_status_alert" AND darktrace.system_status_alert.alert_name IS NOT NULL, darktrace.system_status_alert.alert_name,
+ null
+ )`,
+ },
+ {
+ id: "target",
+ section: "Combined ES|QL \u2014 target fields",
+ esql: `| EVAL
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "darktrace.system_status_alert" AND darktrace.system_status_alert.name IS NOT NULL, darktrace.system_status_alert.name,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == 
"darktrace.system_status_alert" AND darktrace.system_status_alert.alert_name IS NOT NULL, darktrace.system_status_alert.alert_name,
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "darktrace.system_status_alert", "platform_module",
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "darktrace.ai_analyst_alert" AND darktrace.ai_analyst_alert.summariser == "AdminConnSummary", "SSH",
+ null
+ )`,
+ },
+ ],
+} as const satisfies IntegrationEvaluations;
diff --git a/dev/domain/esql-evaluations/enrichmentQuery.esql b/dev/domain/esql-evaluations/enrichmentQuery.esql
new file mode 100644
index 00000000000..d7cfc0f37ed
--- /dev/null
+++ b/dev/domain/esql-evaluations/enrichmentQuery.esql
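Review bot: The `target` evaluation hard-codes `service.target.name` to `"SSH"` whenever `darktrace.ai_analyst_alert.summariser == "AdminConnSummary"`, but the summariser appears to name the AI Analyst incident category rather than the protocol observed, so unless the Darktrace pipeline guarantees this summariser is SSH-only the enrichment may label other administrative protocols as SSH; if the alert carries a protocol field it should gate this branch, otherwise record the assumption with a comment such as `// AdminConnSummary is assumed to be SSH-only — confirm against the Darktrace AI Analyst summariser list`. In the same evaluation `entity.target.id` is populated from `darktrace.system_status_alert.name` while `entity.target.name` takes `alert_name`, the same value `event_action` already uses for `event.action`; a comment explaining why `name` is treated as a stable identifier (and why `alert_name` doubles as both action and target name) would help the next maintainer. Note also that the `host.name` and `event.action` CASE branches in this file are repeated verbatim inside the combined `enrichmentQuery.esql` added later in this diff, so the two copies have to be kept in sync by hand.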
@@ -0,0 +1,1359 @@
+| EVAL
+ entity.id = CASE(
+ entity.id IS NOT NULL,
+ entity.id,
+ data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease" AND client.user.id IS NOT NULL,
+ client.user.id,
+ data_stream.dataset == "microsoft_dhcp.log" AND microsoft.dhcp.duid.hex IS NOT NULL,
+ microsoft.dhcp.duid.hex,
+ data_stream.dataset == "microsoft_dhcp.log" AND source.mac IS NOT NULL AND source.mac != "00-00-00-00-00-00",
+ source.mac,
+ data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.api_key_id IS NOT NULL,
+ openai.base.api_key_id,
+ data_stream.dataset IN ("openai.vector_stores", "openai.code_interpreter_sessions") AND openai.base.project_id IS NOT NULL AND openai.base.project_id != "",
+ openai.base.project_id,
+ data_stream.dataset == "ping_one.audit" AND client.user.id IS NOT NULL,
+ client.user.id,
+ data_stream.dataset == "ti_misp.threat" AND user.email IS NULL AND misp.orgc.uuid IS NOT NULL,
+ misp.orgc.uuid,
+ data_stream.dataset == "ti_misp.threat_attributes" AND user.email IS NULL AND misp.event.orgc_id IS NOT NULL,
+ TO_STRING(misp.event.orgc_id),
+ null
+ ),
+ entity.name = CASE(
+ entity.name IS NOT NULL,
+ entity.name,
+ data_stream.dataset == "cisco_umbrella.log" AND network.name IS NOT NULL AND user.id IS NULL AND user.name IS NULL AND host.name IS NULL,
+ network.name,
+ event.dataset == "http" AND user_agent.original IS NOT NULL,
+ user_agent.original,
+ data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease" AND host.hostname IS NOT NULL,
+ host.hostname,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_data" AND infoblox_bloxone_ddi.dns_data.source IS NOT NULL,
+ MV_FIRST(infoblox_bloxone_ddi.dns_data.source),
+ data_stream.dataset == "microsoft_dhcp.log" AND (event.action == "rogue-server-detection" OR event.code == "1103") AND source.domain IS NOT NULL,
+ source.domain,
+ data_stream.dataset == "ping_one.audit" AND 
client.user.name IS NOT NULL,
+ client.user.name,
+ data_stream.dataset == "prisma_cloud.incident_audit" AND prisma_cloud.incident_audit.data.process_path IS NOT NULL,
+ prisma_cloud.incident_audit.data.process_path,
+ data_stream.dataset == "ti_misp.threat" AND user.email IS NULL AND misp.orgc.name IS NOT NULL,
+ misp.orgc.name,
+ null
+ ),
+ entity.sub_type = CASE(
+ entity.sub_type IS NOT NULL,
+ entity.sub_type,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_data" AND infoblox_bloxone_ddi.dns_data.source IS NOT NULL,
+ "config-source",
+ data_stream.dataset == "ping_one.audit" AND client.user.id IS NOT NULL,
+ "pingone_application",
+ data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NOT NULL,
+ "reporting_user",
+ null
+ ),
+ entity.type = CASE(
+ entity.type IS NOT NULL,
+ entity.type,
+ data_stream.dataset == "cisco_umbrella.log" AND network.name IS NOT NULL AND user.id IS NULL AND user.name IS NULL AND host.name IS NULL,
+ "network-segment",
+ data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease",
+ "host",
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_data" AND infoblox_bloxone_ddi.dns_data.source IS NOT NULL,
+ "general",
+ data_stream.dataset == "microsoft_dhcp.log" AND (source.mac IS NOT NULL OR microsoft.dhcp.duid.hex IS NOT NULL) AND event.action != "rogue-server-detection",
+ "host",
+ data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.api_key_id IS NOT NULL,
+ "api_key",
+ data_stream.dataset IN ("openai.vector_stores", "openai.code_interpreter_sessions"),
+ "project",
+ data_stream.dataset == "ping_one.audit" AND client.user.id IS NOT NULL,
+ "application",
+ data_stream.dataset == "prisma_cloud.incident_audit",
+ "process",
+ data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NOT NULL,
+ "user",
+ data_stream.dataset IN 
("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NULL,
+ "organization",
+ null
+ ),
+ host.id = CASE(
+ host.id IS NOT NULL,
+ host.id,
+ data_stream.dataset == "snort.log" AND source.ip IS NOT NULL,
+ TO_STRING(source.ip),
+ data_stream.dataset == "snort.log" AND source.ip IS NULL AND source.mac IS NOT NULL,
+ source.mac,
+ data_stream.dataset == "suricata.eve" AND event.kind != "metric" AND MV_CONTAINS(suricata.eve.alert.hostile, "dest_ip"),
+ TO_STRING(destination.ip),
+ data_stream.dataset == "suricata.eve" AND event.kind != "metric" AND source.ip IS NOT NULL,
+ TO_STRING(source.ip),
+ null
+ ),
+ host.mac = CASE(
+ host.mac IS NOT NULL,
+ host.mac,
+ data_stream.dataset == "suricata.eve" AND source.mac IS NOT NULL,
+ source.mac,
+ null
+ ),
+ host.name = CASE(
+ host.name IS NOT NULL,
+ host.name,
+ data_stream.dataset == "aws.vpcflow.otel" AND source.address IS NOT NULL,
+ source.address,
+ STARTS_WITH(data_stream.dataset, "darktrace.") AND host.hostname IS NOT NULL,
+ host.hostname,
+ data_stream.dataset == "microsoft_dhcp.log" AND event.action != "rogue-server-detection" AND event.code != "1103" AND source.address IS NOT NULL,
+ source.address,
+ null
+ ),
+ service.id = CASE(
+ service.id IS NOT NULL,
+ service.id,
+ data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs" AND aws.bedrock_agentcore.gateway.resource_arn IS NOT NULL,
+ aws.bedrock_agentcore.gateway.resource_arn,
+ data_stream.dataset == "aws_securityhub.finding",
+ aws_securityhub.finding.metadata.product.uid,
+ null
+ ),
+ service.name = CASE(
+ service.name IS NOT NULL,
+ service.name,
+ data_stream.dataset == "aws.cloudtrail.otel" AND aws.principal.type == "AWSService" AND aws.user_identity.invoked_by IS NOT NULL,
+ aws.user_identity.invoked_by,
+ data_stream.dataset == "aws_securityhub.finding",
+ aws_securityhub.finding.metadata.product.name,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == 
"antivirus",
+ observer.vendor,
+ data_stream.dataset == "cyera.event" AND user.name IS NULL,
+ "Cyera",
+ data_stream.dataset == "jamf_pro.events" AND event.action != "RestAPIOperation",
+ "Jamf Pro",
+ data_stream.dataset == "qualys_vmdr.asset_host_detection" AND qualys_vmdr.asset_host_detection.vulnerability.latest_vulnerability_detection_source IS NOT NULL,
+ qualys_vmdr.asset_host_detection.vulnerability.latest_vulnerability_detection_source,
+ data_stream.dataset == "snyk.audit_logs" AND user.id IS NULL,
+ "Snyk",
+ data_stream.dataset == "snyk.issues",
+ "Snyk",
+ data_stream.dataset IN ("sysdig.cspm", "sysdig.vulnerability"),
+ "Sysdig Secure",
+ data_stream.dataset IN ("wiz.vulnerability", "wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture"),
+ "Wiz",
+ null
+ ),
+ service.type = CASE(
+ service.type IS NOT NULL,
+ service.type,
+ data_stream.dataset == "aws_securityhub.finding",
+ "service",
+ null
+ ),
+ user.domain = CASE(
+ user.domain IS NOT NULL,
+ user.domain,
+ data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing", "dlp") AND source.user.domain IS NOT NULL,
+ source.user.domain,
+ data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "alert" AND destination.user.domain IS NOT NULL,
+ destination.user.domain,
+ null
+ ),
+ user.email = CASE(
+ user.email IS NOT NULL,
+ user.email,
+ data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceAuditLogs",
+ azure.app_service.properties.user_display_name,
+ data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing", "dlp") AND source.user.email IS NOT NULL,
+ source.user.email,
+ data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "alert" AND destination.user.email IS NOT NULL, 
+ destination.user.email,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("consolidated_event", "mail_logs", "bounces", "error_logs") AND email.from.address IS NOT NULL,
+ email.from.address,
+ data_stream.dataset == "gcp_vertexai.auditlogs" AND client.user.email IS NOT NULL,
+ client.user.email,
+ null
+ ),
+ user.id = CASE(
+ user.id IS NOT NULL,
+ user.id,
+ data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND aws.bedrock_agentcore.request_payload.actor_id IS NOT NULL,
+ aws.bedrock_agentcore.request_payload.actor_id,
+ data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND aws.bedrock_agentcore.memory.actor_id IS NOT NULL,
+ aws.bedrock_agentcore.memory.actor_id,
+ data_stream.dataset == "aws.cloudtrail.otel" AND aws.principal.type IN ("IAMUser", "AssumedRole", "FederatedUser", "Root", "IdentityCenterUser") AND aws.principal.arn IS NOT NULL,
+ aws.principal.arn,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "Audit",
+ azure.ai_foundry.properties.object_id,
+ data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceAuditLogs",
+ azure.app_service.properties.user,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "Audit",
+ azure.open_ai.properties.object_id,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("authentication", "gui_logs", "system"),
+ user.name,
+ data_stream.dataset == "gcp_vertexai.auditlogs" AND client.user.id IS NOT NULL,
+ client.user.id,
+ data_stream.dataset == "m365_defender.event" AND m365_defender.event.additional_fields.SourceAccountSid IS NOT NULL,
+ m365_defender.event.additional_fields.SourceAccountSid,
+ data_stream.dataset == "m365_defender.event" AND m365_defender.event.initiating_process.account_sid IS NOT NULL,
+ 
m365_defender.event.initiating_process.account_sid,
+ data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.user_id IS NOT NULL,
+ openai.base.user_id,
+ data_stream.dataset == "prisma_cloud.audit" AND user.email IS NOT NULL,
+ user.email,
+ data_stream.dataset == "qualys_vmdr.user_activity" AND user.name IS NOT NULL,
+ user.name,
+ data_stream.dataset == "salesforce.setupaudittrail",
+ salesforce.setup_audit_trail.created_by_id,
+ data_stream.dataset == "sysdig.alerts" AND event.provider == "syscall",
+ sysdig.content.fields.user.uid,
+ data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NOT NULL,
+ user.email,
+ data_stream.dataset == "wiz.audit" AND wiz.audit.service_account.id IS NOT NULL,
+ wiz.audit.service_account.id,
+ data_stream.dataset IN ("zscaler_zia.audit", "zscaler_zia.web", "zscaler_zia.firewall", "zscaler_zia.dns", "zscaler_zia.endpoint_dlp"),
+ user.email,
+ null
+ ),
+ user.name = CASE(
+ user.name IS NOT NULL,
+ user.name,
+ data_stream.dataset == "aws.cloudtrail.otel" AND aws.principal.type == "AssumedRole" AND aws.user_identity.session_context.issuer.user_name IS NOT NULL,
+ aws.user_identity.session_context.issuer.user_name,
+ data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceAuditLogs",
+ azure.app_service.properties.user_display_name,
+ data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs" AND azure.app_service.properties.cs_username != "-",
+ azure.app_service.properties.cs_username,
+ data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing", "dlp") AND source.user.name IS NOT NULL,
+ source.user.name,
+ data_stream.dataset == "checkpoint_email.event" AND 
checkpoint_email.event.type == "alert" AND destination.user.name IS NOT NULL,
+ destination.user.name,
+ data_stream.dataset == "cisco_meraki.log" AND cisco_meraki.event_subtype == "anyconnect_vpn_session_manager" AND cisco_meraki.anyconnect_vpn_session_manager.user_name IS NOT NULL,
+ cisco_meraki.anyconnect_vpn_session_manager.user_name,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("consolidated_event", "mail_logs", "bounces"),
+ email.from.address,
+ data_stream.dataset == "citrix_waf.log" AND citrix.name == "CMD_EXECUTED",
+ "ADM_User",
+ data_stream.dataset IN ("forgerock.am_authentication", "forgerock.idm_authentication"),
+ MV_FIRST(forgerock.principal),
+ data_stream.dataset == "fortinet_fortigate.log" AND source.user.name IS NOT NULL,
+ source.user.name,
+ data_stream.dataset == "gcp_vertexai.auditlogs" AND client.user.email IS NOT NULL,
+ client.user.email,
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.performer.type == "user",
+ user.full_name,
+ user.name IS NOT NULL AND event.action == "RestAPIOperation",
+ user.name,
+ data_stream.dataset == "jamf_pro.events" AND event.action == "RestAPIOperation",
+ jamf_pro.events.event.authorized_username,
+ data_stream.dataset == "m365_defender.event" AND m365_defender.event.initiating_process.account_name IS NOT NULL,
+ m365_defender.event.initiating_process.account_name,
+ data_stream.dataset IN ("m365_defender.alert", "m365_defender.incident") AND process.user.name IS NOT NULL,
+ process.user.name,
+ data_stream.dataset == "microsoft_intune.audit" AND user.email IS NOT NULL,
+ user.email,
+ data_stream.dataset IN ("salesforce.login", "salesforce.logout"),
+ user.email,
+ data_stream.dataset == "slack.audit",
+ user.full_name,
+ data_stream.dataset == "sysdig.alerts" AND event.provider == "syscall",
+ sysdig.content.fields.user.name,
+ data_stream.dataset == "tanium.action_history",
+ tanium.action_history.issuer,
+ 
data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NOT NULL,
+ user.email,
+ data_stream.dataset == "wiz.audit" AND wiz.audit.service_account.name IS NOT NULL,
+ wiz.audit.service_account.name,
+ null
+ )
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL,
+ event.action,
+ data_stream.dataset == "aws_bedrock.guardrails" AND aws_bedrock.guardrails.operation IS NOT NULL,
+ aws_bedrock.guardrails.operation,
+ data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND aws.bedrock_agentcore.operation IS NOT NULL,
+ aws.bedrock_agentcore.operation,
+ data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND aws.bedrock_agentcore.memory.operation_name IS NOT NULL,
+ aws.bedrock_agentcore.memory.operation_name,
+ data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method IS NOT NULL,
+ rpc.method,
+ data_stream.dataset == "aws.vpcflow.otel" AND aws.vpc.flow.action IS NOT NULL,
+ aws.vpc.flow.action,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "Audit",
+ azure.ai_foundry.operation_name,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "RequestResponse",
+ azure.ai_foundry.operation_name,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "GatewayLogs",
+ azure.ai_foundry.properties.operation_id,
+ data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs"),
+ azure.app_service.operation_name,
+ data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs",
+ azure.app_service.properties.cs_method,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category IN ("Audit", "RequestResponse"),
+ azure.open_ai.operation_name,
+ data_stream.dataset == "azure.open_ai" AND 
azure.open_ai.category == "GatewayLogs",
+ azure.open_ai.properties.operation_id,
+ data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IS NOT NULL,
+ checkpoint_email.event.type,
+ data_stream.dataset == "cisco_meraki.log" AND cisco_meraki.event_type == "ip_flow_start",
+ "ip-flow-start",
+ data_stream.dataset == "cisco_meraki.log" AND cisco_meraki.event_type == "ip_flow_end",
+ "ip-flow-end",
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "gui_logs" AND http.request.method IS NOT NULL,
+ http.request.method,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "consolidated_event" AND cisco_secure_email_gateway.log.act IS NOT NULL,
+ cisco_secure_email_gateway.log.act,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "antivirus" AND cisco_secure_email_gateway.log.type IS NOT NULL,
+ cisco_secure_email_gateway.log.type,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "mail_logs" AND cisco_secure_email_gateway.log.message_status IS NOT NULL,
+ cisco_secure_email_gateway.log.message_status,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "bounces" AND cisco_secure_email_gateway.log.bounce_type IS NOT NULL,
+ cisco_secure_email_gateway.log.bounce_type,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("authentication", "gui_logs") AND cisco_secure_email_gateway.log.action IS NOT NULL,
+ cisco_secure_email_gateway.log.action,
+ data_stream.dataset == "citrix_waf.log" AND (citrix.cef_format IS NULL OR TO_BOOLEAN(citrix.cef_format) == false) AND citrix.name IS NOT NULL,
+ citrix.name,
+ event.dataset == "notice" AND notice.note IS NOT NULL,
+ notice.note,
+ event.dataset == 
"suricata_corelight" AND rule.name IS NOT NULL,
+ rule.name,
+ event.dataset == "http" AND http.request.method IS NOT NULL,
+ http.request.method,
+ event.dataset == "dns" AND dns.question.type IS NOT NULL,
+ dns.question.type,
+ event.dataset == "rdp" AND rdp.result IS NOT NULL,
+ rdp.result,
+ event.dataset == "ssh" AND ssh.inferences IS NOT NULL,
+ ssh.inferences,
+ event.dataset == "vpn" AND vpn.inferences IS NOT NULL,
+ vpn.inferences,
+ data_stream.dataset == "cyera.event" AND cyera.event.type IS NOT NULL,
+ cyera.event.type,
+ data_stream.dataset == "darktrace.model_breach_alert" AND rule.name IS NOT NULL,
+ rule.name,
+ data_stream.dataset == "darktrace.ai_analyst_alert" AND darktrace.ai_analyst_alert.summariser IS NOT NULL,
+ darktrace.ai_analyst_alert.summariser,
+ data_stream.dataset == "darktrace.system_status_alert" AND darktrace.system_status_alert.alert_name IS NOT NULL,
+ darktrace.system_status_alert.alert_name,
+ data_stream.dataset == "extrahop.detection" AND extrahop.detection.type IS NOT NULL,
+ extrahop.detection.type,
+ data_stream.dataset == "forgerock.idm_sync" AND forgerock.action IS NOT NULL,
+ forgerock.action,
+ data_stream.dataset IN ("forgerock.idm_access", "forgerock.idm_authentication", "forgerock.idm_activity", "forgerock.idm_config", "forgerock.idm_sync") AND forgerock.eventName IS NOT NULL,
+ forgerock.eventName,
+ data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.type == "event" AND fortinet.firewall.action IS NOT NULL,
+ fortinet.firewall.action,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.change IS NOT NULL,
+ gitlab.audit.change,
+ data_stream.dataset == "gitlab.audit",
+ gitlab.audit.meta.caller_id,
+ data_stream.dataset == "gitlab.application" AND gitlab.application.meta.root_caller_id IS NOT NULL,
+ gitlab.application.meta.root_caller_id,
+ data_stream.dataset == "gitlab.application" AND gitlab.application.meta.caller_id IS NOT NULL,
+ gitlab.application.meta.caller_id,
+ 
data_stream.dataset == "gitlab.auth",
+ gitlab.auth.env,
+ data_stream.dataset == "gitlab.api" AND gitlab.api.route IS NOT NULL,
+ gitlab.api.route,
+ data_stream.dataset == "gitlab.pages" AND gitlab.pages.msg IS NOT NULL,
+ gitlab.pages.msg,
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.type IS NOT NULL,
+ greenhouse.audit.event.type,
+ data_stream.dataset == "m365_defender.event" AND m365_defender.event.action.type IS NOT NULL,
+ m365_defender.event.action.type,
+ data_stream.dataset == "openai.images" AND openai.images.source IS NOT NULL,
+ openai.images.source,
+ data_stream.dataset == "openai.completions",
+ "completions",
+ data_stream.dataset == "openai.embeddings",
+ "embeddings",
+ data_stream.dataset == "openai.moderations",
+ "moderations",
+ data_stream.dataset == "openai.images",
+ "images",
+ data_stream.dataset == "openai.audio_transcriptions",
+ "audio_transcriptions",
+ data_stream.dataset == "openai.audio_speeches",
+ "audio_speeches",
+ data_stream.dataset == "openai.vector_stores",
+ "vector_stores",
+ data_stream.dataset == "openai.code_interpreter_sessions",
+ "code_interpreter_sessions",
+ data_stream.dataset == "prisma_cloud.incident_audit" AND prisma_cloud.incident_audit.data.attack.type IS NOT NULL,
+ prisma_cloud.incident_audit.data.attack.type,
+ data_stream.dataset == "servicenow.event" AND TO_BOOLEAN(servicenow.event.applied.value) == true,
+ "cmdb-baseline-applied",
+ data_stream.dataset == "servicenow.event" AND servicenow.event.table_name IS NOT NULL,
+ servicenow.event.table_name,
+ data_stream.dataset == "snort.log" AND rule.description IS NOT NULL,
+ rule.description,
+ data_stream.dataset == "suricata.eve" AND event.kind == "alert" AND rule.name IS NOT NULL,
+ rule.name,
+ data_stream.dataset == "suricata.eve" AND suricata.eve.event_type == "dns" AND dns.type IS NOT NULL,
+ dns.type,
+ data_stream.dataset == "suricata.eve" AND suricata.eve.event_type == "http" AND http.request.method IS NOT NULL,
+ 
http.request.method,
+ data_stream.dataset == "sysdig.event" AND event.provider == "syscall" AND sysdig.event.content.fields.evt.type IS NOT NULL,
+ sysdig.event.content.fields.evt.type,
+ data_stream.dataset == "sysdig.event" AND event.provider == "aws_cloudtrail" AND sysdig.event.content.fields.aws.event_name IS NOT NULL,
+ sysdig.event.content.fields.aws.event_name,
+ data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND rule.name IS NOT NULL,
+ rule.name,
+ data_stream.dataset == "sysdig.alerts" AND event.provider == "syscall" AND process.name IS NOT NULL,
+ process.name,
+ data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.event.name IS NOT NULL AND tanium.threat_response.table IS NULL,
+ tanium.threat_response.event.name,
+ data_stream.dataset == "zscaler_zia.dns" AND zscaler_zia.dns.request.action IS NOT NULL,
+ TO_LOWER(zscaler_zia.dns.request.action),
+ data_stream.dataset == "zscaler_zia.tunnel" AND zscaler_zia.tunnel.action.type IS NOT NULL,
+ TO_LOWER(REPLACE(zscaler_zia.tunnel.action.type, " ", "-")),
+ null
+ )
+| EVAL
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL,
+ entity.target.id,
+ data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs" AND aws.bedrock_agentcore.gateway.target IS NOT NULL,
+ aws.bedrock_agentcore.gateway.target,
+ data_stream.dataset == "aws_securityhub.finding"
+ AND resource.type != "AWS::EC2::Instance"
+ AND resource.type != "AWS::Lambda::Function"
+ AND resource.type != "AWS::IAM::User",
+ resource.id,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "GatewayLogs",
+ azure.ai_foundry.properties.backend_response_body.id,
+ data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.entity_id IS NOT NULL,
+ checkpoint_email.event.entity_id,
+ data_stream.dataset == "cisco_meraki.log" AND event.action IN ("rogue-ssid-detected", "ssid-spoofing-detected") AND destination.mac IS NOT NULL,
+ 
destination.mac,
+ data_stream.dataset == "cisco_meraki.events" AND observer.serial_number IS NOT NULL,
+ observer.serial_number,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND email.message_id IS NOT NULL,
+ email.message_id,
+ data_stream.dataset == "cisco_umbrella.log" AND event.category == "configuration" AND cisco.umbrella.audit.type IS NOT NULL,
+ cisco.umbrella.audit.type,
+ data_stream.dataset == "cisco_umbrella.log" AND observer.type == "dns" AND dns.question.name IS NOT NULL,
+ dns.question.name,
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "scanEvent",
+ cyera.event.datastore.uid,
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "DisablePolicyEvent",
+ cyera.event.policy.uid,
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "IssueStatusChangedToClosedEvent",
+ cyera.event.issue.uid,
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "M365SensitivityLabelRemediationFinishedEvent",
+ cyera.event.issue.uid,
+ data_stream.dataset == "darktrace.system_status_alert" AND darktrace.system_status_alert.name IS NOT NULL,
+ darktrace.system_status_alert.name,
+ data_stream.dataset IN ("forgerock.am_activity", "forgerock.am_config", "forgerock.idm_activity", "forgerock.idm_config") AND forgerock.objectId IS NOT NULL AND NOT STARTS_WITH(forgerock.objectId, "managed/"),
+ forgerock.objectId,
+ data_stream.dataset IN ("forgerock.am_access", "forgerock.idm_access") AND http.request.Path IS NOT NULL,
+ http.request.Path,
+ data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND gcp.vertexai.prompt_response_logs.request_id IS NOT NULL,
+ gcp.vertexai.prompt_response_logs.request_id,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type == "Project",
+ TO_STRING(gitlab.audit.target_id),
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_id IS NOT NULL AND greenhouse.audit.event.target_type != "User",
+ greenhouse.audit.event.target_id,
+ 
data_stream.dataset == "infoblox_bloxone_ddi.dns_data",
+ event.id,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_config",
+ event.id,
+ data_stream.dataset == "jamf_pro.events" AND event.action == "RestAPIOperation",
+ jamf_pro.events.event.object_id,
+ data_stream.dataset == "jamf_pro.events" AND event.action == "ComputerPolicyFinished",
+ jamf_pro.events.event.policy_id,
+ data_stream.dataset == "jamf_pro.events" AND event.action IN ("SmartGroupComputerMembershipChange", "SmartGroupMobileDeviceMembershipChange", "SmartGroupUserMembershipChange"),
+ jamf_pro.events.event.jssid,
+ data_stream.dataset == "jamf_pro.events" AND event.action == "DeviceAddedToDEP",
+ jamf_pro.events.event.serial_number,
+ data_stream.dataset == "jamf_pro.events" AND event.action == "ComputerPatchPolicyCompleted",
+ jamf_pro.events.event.patch_policy_id,
+ data_stream.dataset IN ("m365_defender.event", "m365_defender.alert") AND file.hash.sha256 IS NOT NULL,
+ file.hash.sha256,
+ data_stream.dataset == "microsoft_intune.audit" AND event.action == "delete-devicemanagementconfigurationpolicy" AND microsoft_intune.audit.properties.target_object_ids IS NOT NULL,
+ MV_FIRST(microsoft_intune.audit.properties.target_object_ids),
+ data_stream.dataset == "ping_federate.audit" AND ping_federate.audit.connection_id IS NOT NULL,
+ ping_federate.audit.connection_id,
+ data_stream.dataset == "ping_one.audit" AND STARTS_WITH(event.action, "application.") AND event.action != "user.access_allowed" AND ping_one.audit.resources.id IS NOT NULL,
+ ping_one.audit.resources.id,
+ data_stream.dataset == "prisma_cloud.incident_audit" AND container.id IS NOT NULL,
+ container.id,
+ data_stream.dataset == "qualys_vmdr.asset_host_detection" AND event.id IS NOT NULL,
+ event.id,
+ data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "file",
+ slack.audit.entity.id,
+ data_stream.dataset == "snyk.audit_logs" AND snyk.audit_logs.project_id IS NOT NULL,
+ snyk.audit_logs.project_id,
+ 
data_stream.dataset == "snyk.audit_logs" AND event.action == "org.target.create",
+ snyk.audit_logs.content.targetId,
+ data_stream.dataset == "snyk.audit_logs" AND event.action == "group.service_account.create",
+ snyk.audit_logs.content.serviceAccountPublicId,
+ data_stream.dataset == "snyk.issues",
+ snyk.issues.id,
+ data_stream.dataset == "suricata.eve" AND event.kind == "alert" AND rule.id IS NOT NULL,
+ rule.id,
+ data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND container.id IS NOT NULL,
+ container.id,
+ data_stream.dataset == "sysdig.event" AND orchestrator.resource.name IS NOT NULL,
+ orchestrator.resource.name,
+ data_stream.dataset == "sysdig.vulnerability",
+ resource.id,
+ data_stream.dataset == "sysdig.alerts" AND event.provider == "aws_cloudtrail",
+ cloud.account.id,
+ data_stream.dataset == "tanium.action_history",
+ TO_STRING(tanium.action_history.action.id),
+ data_stream.dataset == "tanium.endpoint_config",
+ TO_STRING(tanium.endpoint_config.item.id),
+ data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.state.target.eid IS NOT NULL,
+ tanium.threat_response.state.target.eid,
+ data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type == "sha256" AND threat.indicator.file.hash.sha256 IS NOT NULL,
+ threat.indicator.file.hash.sha256,
+ data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type == "md5" AND threat.indicator.file.hash.md5 IS NOT NULL,
+ threat.indicator.file.hash.md5,
+ data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("sha1", "filename|sha1") AND threat.indicator.file.hash.sha1 IS NOT NULL,
+ threat.indicator.file.hash.sha1,
+ data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.uuid IS NOT NULL,
+ misp.attribute.uuid,
+ data_stream.dataset == "wiz.defend" AND wiz.defend.primary_resource.id IS NOT NULL,
+ wiz.defend.primary_resource.id,
+ 
data_stream.dataset == "wiz.issue" AND wiz.issue.entity_snapshot.id IS NOT NULL,
+ wiz.issue.entity_snapshot.id,
+ data_stream.dataset == "wiz.vulnerability" AND resource.id IS NOT NULL,
+ resource.id,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL,
+ entity.target.name,
+ data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs",
+ azure.app_service.properties.cs_uri_stem,
+ data_stream.dataset == "checkpoint_email.event" AND email.subject IS NOT NULL,
+ email.subject,
+ data_stream.dataset == "cisco_meraki.log" AND event.action IN ("http-access", "http-access-error") AND url.domain IS NOT NULL,
+ url.domain,
+ data_stream.dataset == "cisco_meraki.log" AND event.action IN ("malicious-file-actioned", "issued-retrospective-malicious-disposition") AND file.name IS NOT NULL,
+ file.name,
+ data_stream.dataset == "cisco_meraki.events" AND observer.name IS NOT NULL,
+ observer.name,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("amp", "antivirus") AND file.name IS NOT NULL,
+ file.name,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND email.subject IS NOT NULL,
+ email.subject,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "gui_logs" AND url.path IS NOT NULL,
+ url.path,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "system",
+ cisco_secure_email_gateway.log.object,
+ data_stream.dataset == "cisco_umbrella.log" AND event.category == "configuration" AND cisco.umbrella.audit.type IS NOT NULL,
+ cisco.umbrella.audit.type,
+ data_stream.dataset == "cisco_umbrella.log" AND observer.type == "dns" AND dns.question.name IS NOT NULL,
+ dns.question.name,
+ data_stream.dataset == "cisco_umbrella.log" AND observer.type IN ("proxy", "dlp") AND file.name IS NOT NULL,
+ file.name,
+ event.dataset == 
"dns" AND dns.question.name IS NOT NULL, + dns.question.name, + event.dataset == "http" AND dest_host IS NOT NULL, + dest_host, + event.dataset == "intel" AND intel.seen.indicator IS NOT NULL, + intel.seen.indicator, + event.dataset == "suricata_corelight" AND rule.name IS NOT NULL, + rule.name, + event.dataset == "notice" AND notice.note IS NOT NULL, + notice.note, + data_stream.dataset == "cyera.event" AND cyera.event.type == "scanEvent", + cyera.event.datastore.name, + data_stream.dataset == "cyera.event" AND cyera.event.type == "DisablePolicyEvent", + cyera.event.policy.name, + data_stream.dataset == "cyera.event" AND cyera.event.type IN ("IssueStatusChangedToClosedEvent", "M365SensitivityLabelRemediationFinishedEvent"), + cyera.event.policy.name, + data_stream.dataset == "darktrace.system_status_alert" AND darktrace.system_status_alert.alert_name IS NOT NULL, + darktrace.system_status_alert.alert_name, + data_stream.dataset == "fortinet_fortigate.log" AND url.domain IS NOT NULL, + url.domain, + data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND gcp.vertexai.prompt_response_logs.model IS NOT NULL, + gcp.vertexai.prompt_response_logs.model, + data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type == "Project", + gitlab.audit.target_details, + data_stream.dataset == "gitlab.application" AND group.name IS NOT NULL, + group.name, + data_stream.dataset == "gitlab.application" AND gitlab.application.project_name IS NOT NULL, + gitlab.application.project_name, + data_stream.dataset == "gitlab.application" AND gitlab.application.meta.project IS NOT NULL, + gitlab.application.meta.project, + data_stream.dataset == "gitlab.api" AND gitlab.api.route IS NOT NULL, + gitlab.api.route, + data_stream.dataset == "gitlab.auth", + url.path, + data_stream.dataset == "gitlab.pages" AND gitlab.pages.msg == "access", + gitlab.pages.uri, + data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.meta.name IS NOT NULL, + 
TO_STRING(greenhouse.audit.event.meta.name),
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type IS NOT NULL AND greenhouse.audit.event.target_id IS NULL,
+ greenhouse.audit.event.target_type,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_data",
+ dns.question.name,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_config",
+ infoblox_bloxone_ddi.dns_config.name,
+ data_stream.dataset == "jamf_pro.events" AND event.action == "RestAPIOperation",
+ jamf_pro.events.event.object_name,
+ data_stream.dataset == "jamf_pro.events" AND event.action IN ("SmartGroupComputerMembershipChange", "SmartGroupMobileDeviceMembershipChange", "SmartGroupUserMembershipChange"),
+ jamf_pro.events.event.name,
+ data_stream.dataset == "jamf_pro.events" AND event.action IN ("JSSStartup", "JSSShutdown"),
+ jamf_pro.events.event.jss_url,
+ data_stream.dataset == "microsoft_dhcp.log" AND (event.action == "rogue-server-detection" OR event.code == "1103") AND source.domain IS NOT NULL,
+ source.domain,
+ data_stream.dataset == "microsoft_intune.audit" AND event.action == "delete-devicemanagementconfigurationpolicy" AND destination.domain IS NOT NULL,
+ MV_FIRST(destination.domain),
+ data_stream.dataset == "microsoft_intune.audit" AND event.action == "create-devicemanagementconfigurationpolicyassignment" AND microsoft_intune.audit.properties.target_display_names IS NOT NULL,
+ MV_FIRST(microsoft_intune.audit.properties.target_display_names),
+ data_stream.dataset == "ping_federate.admin" AND ping_federate.admin.component IS NOT NULL,
+ ping_federate.admin.component,
+ data_stream.dataset == "ping_one.audit" AND STARTS_WITH(event.action, "application.") AND event.action != "user.access_allowed" AND ping_one.audit.resources.name IS NOT NULL,
+ ping_one.audit.resources.name,
+ data_stream.dataset == "salesforce.login" AND event.action == "login-attempt",
+ event.url,
+ data_stream.dataset == "salesforce.apex" AND event.action == "apex-callout",
+ event.url,
+ 
data_stream.dataset == "salesforce.apex" AND event.action == "apex-external-custom-callout" AND salesforce.apex.entity IS NOT NULL,
+ salesforce.apex.entity,
+ data_stream.dataset == "salesforce.apex" AND event.action IN ("apex-soap", "apex-rest", "apex-execution") AND salesforce.apex.class_name IS NOT NULL,
+ salesforce.apex.class_name,
+ data_stream.dataset == "salesforce.apex" AND event.action == "apex-trigger" AND salesforce.apex.trigger_name IS NOT NULL,
+ salesforce.apex.trigger_name,
+ data_stream.dataset == "salesforce.apex" AND salesforce.apex.entity_name IS NOT NULL,
+ salesforce.apex.entity_name,
+ data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "file",
+ slack.audit.entity.name,
+ data_stream.dataset == "snort.log" AND rule.description IS NOT NULL,
+ rule.description,
+ data_stream.dataset == "snyk.issues",
+ snyk.issues.attributes.title,
+ data_stream.dataset == "suricata.eve" AND suricata.eve.event_type == "dns" AND dns.question.name IS NOT NULL,
+ dns.question.name,
+ data_stream.dataset == "suricata.eve" AND event.kind == "alert" AND rule.name IS NOT NULL,
+ rule.name,
+ data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND container.name IS NOT NULL,
+ container.name,
+ data_stream.dataset == "sysdig.alerts" AND sysdig.content.fields.container.name IS NOT NULL,
+ sysdig.content.fields.container.name,
+ data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND orchestrator.resource.name IS NOT NULL,
+ orchestrator.resource.name,
+ data_stream.dataset == "sysdig.event" AND sysdig.event.content.fields.fd.name IS NOT NULL,
+ sysdig.event.content.fields.fd.name,
+ data_stream.dataset == "tanium.action_history",
+ tanium.action_history.action.name,
+ data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type == "regkey" AND threat.indicator.registry.key IS NOT NULL,
+ threat.indicator.registry.key,
+ data_stream.dataset == "wiz.defend" AND wiz.defend.primary_resource.name IS NOT 
NULL,
+ wiz.defend.primary_resource.name,
+ data_stream.dataset == "wiz.issue" AND wiz.issue.entity_snapshot.name IS NOT NULL,
+ wiz.issue.entity_snapshot.name,
+ data_stream.dataset == "wiz.vulnerability" AND resource.name IS NOT NULL,
+ resource.name,
+ data_stream.dataset == "zscaler_zia.audit",
+ rule.name,
+ data_stream.dataset == "zscaler_zia.dns",
+ dns.question.name,
+ data_stream.dataset == "zscaler_zia.endpoint_dlp" AND zscaler_zia.endpoint_dlp.item.destination_name IS NOT NULL,
+ zscaler_zia.endpoint_dlp.item.destination_name,
+ data_stream.dataset IN ("zscaler_zia.endpoint_dlp", "zscaler_zia.sandbox_report"),
+ file.name,
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL,
+ entity.target.sub_type,
+ data_stream.dataset == "aws_securityhub.finding",
+ "cloud_resource",
+ data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing") AND destination.user.email IS NOT NULL,
+ "email_recipient",
+ data_stream.dataset == "cisco_meraki.log" AND event.action IN ("wifi-wpa-authentication", "wifi-8021x-auth", "splash-authentication"),
+ "wifi_vap",
+ data_stream.dataset == "cisco_meraki.events",
+ "managed_device",
+ data_stream.dataset == "cisco_umbrella.log" AND event.category == "configuration",
+ "configuration_object",
+ data_stream.dataset == "cisco_umbrella.log" AND observer.type == "dns",
+ "dns_name",
+ data_stream.dataset == "cisco_umbrella.log" AND observer.type IN ("proxy", "dlp") AND file.name IS NOT NULL,
+ "file",
+ data_stream.dataset == "citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true AND url.domain IS NOT NULL,
+ "protected_web_app",
+ data_stream.dataset == "darktrace.system_status_alert",
+ "platform_module",
+ data_stream.dataset == "gcp_vertexai.auditlogs" AND gcp.vertexai.audit.resource_name IS NOT NULL,
+ "foundation_model",
+ data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND 
gcp.vertexai.prompt_response_logs.model IS NOT NULL,
+ "foundation_model",
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type IS NOT NULL AND gitlab.audit.meta.caller_id != "SessionsController#create",
+ gitlab.audit.target_type,
+ data_stream.dataset == "gitlab.auth",
+ "git_endpoint",
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type == "Candidate",
+ "candidate",
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type == "Job",
+ "job",
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type == "OrganizationEmail",
+ "organization_email",
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_data",
+ "dns-record",
+ data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease",
+ "ip_lease",
+ data_stream.dataset == "jamf_pro.events" AND event.action == "RestAPIOperation",
+ jamf_pro.events.event.object_type_name,
+ data_stream.dataset == "microsoft_dhcp.log" AND (event.action == "rogue-server-detection" OR event.code == "1103"),
+ "ad-domain",
+ data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-new", "dhcp-renew", "dhcp-release", "dhcp-deny", "dhcp-delete", "dhcp-expire"),
+ "ip_lease",
+ data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-dns-update", "ipv6-dns-update-request", "ipv6-dns-update-successful", "ipv6-dns-update-failed", "ipv6-dns-update-request-failed"),
+ "dns",
+ data_stream.dataset == "microsoft_dhcp.log" AND event.action == "dhcpv6-solicit",
+ "dhcp",
+ data_stream.dataset == "microsoft_intune.audit" AND event.action == "delete-devicemanagementconfigurationpolicy",
+ "intune-policy",
+ data_stream.dataset == "microsoft_intune.audit" AND event.action == "create-devicemanagementconfigurationpolicyassignment",
+ "entra-group",
+ data_stream.dataset == "openai.vector_stores",
+ "vector_store",
+ data_stream.dataset == "openai.code_interpreter_sessions",
+ "code_interpreter_session",
+ data_stream.dataset IN 
("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.model IS NOT NULL, + "foundation_model", + data_stream.dataset == "ping_federate.admin", + "configuration-component", + data_stream.dataset == "prisma_cloud.incident_audit" AND container.id IS NOT NULL, + "container", + data_stream.dataset == "salesforce.login" AND event.action == "login-attempt" AND salesforce.login.application IS NOT NULL, + "connected_app", + data_stream.dataset == "salesforce.setupaudittrail", + salesforce.setup_audit_trail.section, + data_stream.dataset == "tanium.endpoint_config", + tanium.endpoint_config.item.data_category, + data_stream.dataset == "wiz.defend" AND wiz.defend.primary_resource.type IS NOT NULL, + wiz.defend.primary_resource.type, + data_stream.dataset == "wiz.issue" AND wiz.issue.entity_snapshot.native_type IS NOT NULL, + wiz.issue.entity_snapshot.native_type, + data_stream.dataset == "zscaler_zia.audit", + rule.category, + data_stream.dataset == "zscaler_zia.dns", + "dns_name", + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, + entity.target.type, + data_stream.dataset == "aws_securityhub.finding", + resource.type, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing"), + "user", + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "anomaly", + "service", + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "shadow_it", + "general", + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("wifi-wpa-authentication", "wifi-8021x-auth", "splash-authentication"), + "service", + data_stream.dataset == "cisco_meraki.log" AND destination.ip IS NOT NULL, + "host", + data_stream.dataset == "cisco_meraki.events", + "general", + data_stream.dataset == "citrix_waf.log" AND 
TO_BOOLEAN(citrix.cef_format) == true,
+ "service",
+ data_stream.dataset == "citrix_waf.log" AND citrix.device_event_class_id IN ("API", "APPFW"),
+ "service",
+ event.dataset == "dns",
+ "domain",
+ event.dataset == "http",
+ "url",
+ event.dataset == "intel",
+ "indicator",
+ event.dataset == "suricata_corelight",
+ "ids_rule",
+ event.dataset == "notice",
+ "notice",
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type IS NOT NULL,
+ greenhouse.audit.event.target_type,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_data",
+ "general",
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_config",
+ "service",
+ data_stream.dataset == "microsoft_dhcp.log" AND (event.action == "rogue-server-detection" OR event.code == "1103"),
+ "general",
+ data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-new", "dhcp-renew", "dhcp-release", "dhcp-deny", "dhcp-delete", "dhcp-expire"),
+ "host",
+ data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-dns-update", "ipv6-dns-update-request", "ipv6-dns-update-successful", "ipv6-dns-update-failed", "ipv6-dns-update-request-failed", "dhcpv6-solicit"),
+ "service",
+ data_stream.dataset == "microsoft_intune.audit",
+ "general",
+ data_stream.dataset == "ping_federate.admin",
+ "general",
+ data_stream.dataset == "ping_federate.audit" AND ping_federate.audit.local_user_id IS NOT NULL,
+ "user",
+ data_stream.dataset == "ping_federate.audit" AND url.full IS NOT NULL,
+ "general",
+ data_stream.dataset == "ping_federate.audit",
+ "service",
+ data_stream.dataset == "salesforce.login" AND event.action == "login-attempt",
+ "service",
+ data_stream.dataset == "salesforce.setupaudittrail" AND salesforce.setup_audit_trail.section == "Manage Users",
+ "user",
+ data_stream.dataset == "salesforce.setupaudittrail" AND salesforce.setup_audit_trail.section == "Connected Apps",
+ "connected_app",
+ data_stream.dataset == "salesforce.apex" AND event.action IN ("apex-callout", 
"apex-external-custom-callout"), + "URL", + data_stream.dataset == "salesforce.apex" AND event.action == "apex-trigger", + "apex_artifact", + data_stream.dataset == "salesforce.apex" AND event.action IN ("apex-soap", "apex-rest", "apex-execution"), + "apex_artifact", + data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND (container.id IS NOT NULL OR container.name IS NOT NULL), + "container", + data_stream.dataset == "sysdig.cspm", + sysdig.cspm.control.resource_kind, + data_stream.dataset == "sysdig.vulnerability" AND sysdig.vulnerability.asset_type == "containerImage", + "container-image", + data_stream.dataset == "sysdig.vulnerability" AND sysdig.vulnerability.asset_type == "host", + "host", + data_stream.dataset == "tanium.action_history", + "tanium-action", + data_stream.dataset == "tanium.endpoint_config", + tanium.endpoint_config.item.domain, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("ip-src", "ip-dst", "ip-dst|port", "domain|ip", "hostname", "domain"), + "host", + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("email-src", "email-dst"), + "user", + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("url", "link", "uri"), + "service", + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("md5", "sha256", "sha1", "filename|sha256", "filename|sha1", "regkey"), + "general", + data_stream.dataset == "zscaler_zia.audit", + "general", + data_stream.dataset == "zscaler_zia.web", + "service", + data_stream.dataset == "zscaler_zia.dns", + "general", + data_stream.dataset == "zscaler_zia.endpoint_dlp", + "general", + null + ), + host.target.id = CASE( + host.target.id IS NOT NULL, + host.target.id, + data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::EC2::Instance", + host.id, + data_stream.dataset == 
"azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs", "AppServiceHTTPLogs"), + azure.resource.id, + event.dataset == "conn" AND capture_source == "vpcflow" AND resp_inst.id IS NOT NULL, + resp_inst.id, + data_stream.dataset == "jamf_pro.events" AND host.id IS NOT NULL, + host.id, + data_stream.dataset == "jamf_pro.events" AND jamf_pro.events.event.udid IS NOT NULL, + jamf_pro.events.event.udid, + data_stream.dataset == "jamf_pro.events" AND event.action == "SCEPChallenge", + jamf_pro.events.event.target_device.udid, + data_stream.dataset == "m365_defender.event" AND event.action IN ("samr-query", "dns-query") AND m365_defender.event.additional_fields.DestinationComputerObjectGuid IS NOT NULL, + m365_defender.event.additional_fields.DestinationComputerObjectGuid, + data_stream.dataset IN ("m365_defender.alert", "m365_defender.incident") AND host.id IS NOT NULL, + host.id, + data_stream.dataset == "m365_defender.event" AND event.action NOT IN ("samr-query", "dns-query", "logonsuccess", "logonfailed") AND host.id IS NOT NULL, + host.id, + data_stream.dataset == "qualys_vmdr.asset_host_detection" AND host.id IS NOT NULL, + host.id, + data_stream.dataset == "wiz.vulnerability" AND device.id IS NOT NULL, + device.id, + data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type IN ("POD", "VIRTUAL_MACHINE") AND resource.id IS NOT NULL, + resource.id, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, + host.target.name, + data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::EC2::Instance", + host.name, + data_stream.dataset == "aws.vpcflow.otel" AND destination.address IS NOT NULL, + destination.address, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceAuditLogs", + azure.resource.name, + data_stream.dataset == 
"azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceIPSecAuditLogs", + azure.app_service.properties.cs_host, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs", + azure.app_service.properties.cs_host, + data_stream.dataset == "cisco_umbrella.log" AND observer.type == "idps" AND cisco.umbrella.message IS NOT NULL, + cisco.umbrella.message, + event.dataset == "files" AND files.rx_hosts IS NOT NULL, + files.rx_hosts, + data_stream.dataset == "fortinet_fortigate.log" AND destination.address IS NOT NULL, + destination.address, + data_stream.dataset == "fortinet_fortigate.log" AND destination.domain IS NOT NULL, + destination.domain, + data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease" AND host.hostname IS NOT NULL, + host.hostname, + data_stream.dataset == "jamf_pro.events" AND host.name IS NOT NULL, + host.name, + data_stream.dataset == "jamf_pro.events" AND jamf_pro.events.event.device_name IS NOT NULL, + jamf_pro.events.event.device_name, + data_stream.dataset == "jamf_pro.events" AND event.action == "SCEPChallenge", + jamf_pro.events.event.target_device.device_name, + data_stream.dataset == "m365_defender.event" AND m365_defender.event.destination.device_name IS NOT NULL, + m365_defender.event.destination.device_name, + data_stream.dataset IN ("m365_defender.alert", "m365_defender.incident") AND host.name IS NOT NULL, + host.name, + data_stream.dataset == "m365_defender.event" AND event.action NOT IN ("samr-query", "dns-query", "logonsuccess", "logonfailed") AND host.name IS NOT NULL, + host.name, + data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-new", "dhcp-dns-update", "ipv6-dns-update-request", "ipv6-dns-update-successful", "ipv6-dns-update-failed", "ipv6-dns-update-request-failed") AND source.address IS NOT NULL, + source.address, + data_stream.dataset == "prisma_cloud.incident_audit" AND container.name IS NOT NULL, + 
MV_FIRST(container.name),
+ data_stream.dataset == "prisma_cloud.incident_audit" AND host.hostname IS NOT NULL,
+ host.hostname,
+ data_stream.dataset == "qualys_vmdr.asset_host_detection" AND host.name IS NOT NULL,
+ host.name,
+ data_stream.dataset == "suricata.eve" AND destination.domain IS NOT NULL,
+ destination.domain,
+ data_stream.dataset IN ("sysdig.event", "sysdig.vulnerability") AND host.name IS NOT NULL,
+ host.name,
+ data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.state.target.hostname IS NOT NULL,
+ tanium.threat_response.state.target.hostname,
+ data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.event.name IS NOT NULL AND tanium.threat_response.state.target.hostname IS NULL,
+ host.name,
+ data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("domain", "hostname", "domain|ip") AND threat.indicator.url.domain IS NOT NULL,
+ threat.indicator.url.domain,
+ data_stream.dataset == "wiz.vulnerability" AND host.name IS NOT NULL,
+ host.name,
+ data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type == "POD" AND resource.name IS NOT NULL,
+ resource.name,
+ data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type == "VIRTUAL_MACHINE" AND host.name IS NOT NULL,
+ host.name,
+ data_stream.dataset == "zscaler_zia.web" AND url.domain IS NOT NULL,
+ url.domain,
+ null
+ ),
+ host.target.port = CASE(
+ host.target.port IS NOT NULL,
+ host.target.port,
+ data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type == "ip-dst|port" AND threat.indicator.port IS NOT NULL,
+ threat.indicator.port,
+ null
+ ),
+ service.target.id = CASE(
+ service.target.id IS NOT NULL,
+ service.target.id,
+ data_stream.dataset == "aws_bedrock.invocation" AND gen_ai.request.model.id IS NOT NULL,
+ gen_ai.request.model.id, 
+ data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND aws.bedrock_agentcore.resource_arn IS NOT NULL, + aws.bedrock_agentcore.resource_arn, + data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND aws.bedrock_agentcore.memory.resource_arn IS NOT NULL, + aws.bedrock_agentcore.memory.resource_arn, + data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::Lambda::Function", + resource.id, + data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "Audit", + azure.resource.id, + data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "RequestResponse", + azure.ai_foundry.properties.model_deployment_name, + data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "GatewayLogs", + azure.ai_foundry.properties.backend_request_body.model, + data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "Audit", + azure.resource.id, + data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "RequestResponse", + azure.open_ai.properties.model_deployment_name, + data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "GatewayLogs", + azure.open_ai.properties.backend_request_body.model, + data_stream.dataset == "citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true AND http.request.id IS NOT NULL, + http.request.id, + data_stream.dataset == "gcp_vertexai.auditlogs" AND gcp.vertexai.audit.resource_name IS NOT NULL, + gcp.vertexai.audit.resource_name, + data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND gcp.vertexai.prompt_response_logs.full_request.model IS NOT NULL, + gcp.vertexai.prompt_response_logs.full_request.model, + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.model IS NOT NULL, + 
openai.base.model,
+ data_stream.dataset == "ping_one.audit" AND event.action == "user.access_allowed" AND client.user.id IS NOT NULL,
+ client.user.id,
+ data_stream.dataset == "salesforce.apex" AND event.action == "apex-trigger",
+ salesforce.apex.trigger_id,
+ data_stream.dataset == "sysdig.alerts" AND event.provider == "aws_cloudtrail" AND cloud.account.id IS NOT NULL,
+ cloud.account.id,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL,
+ service.target.name,
+ data_stream.dataset == "aws_bedrock.invocation" AND cloud.service.name IS NOT NULL,
+ cloud.service.name,
+ data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND service.name IS NOT NULL,
+ service.name,
+ data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND service.name IS NOT NULL,
+ service.name,
+ data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method == "GetCallerIdentity" AND rpc.service IS NOT NULL,
+ rpc.service,
+ data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method IN ("PutObject", "GetObject") AND rpc.service IS NOT NULL,
+ rpc.service,
+ data_stream.dataset == "aws.vpcflow.otel" AND aws.vpc.flow.destination.service IS NOT NULL,
+ aws.vpc.flow.destination.service,
+ data_stream.dataset == "aws.vpcflow.otel" AND network.protocol.name IS NOT NULL,
+ network.protocol.name,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "Audit",
+ azure.resource.name,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "RequestResponse",
+ azure.ai_foundry.properties.model_deployment_name,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "GatewayLogs",
+ azure.ai_foundry.properties.backend_request_body.model,
+ data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs", 
"AppServiceHTTPLogs"), + azure.resource.provider, + data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "Audit", + azure.resource.name, + data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "RequestResponse", + azure.open_ai.properties.model_name, + data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "GatewayLogs", + azure.open_ai.properties.backend_response_body.model, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "anomaly" AND checkpoint_email.event.saas IS NOT NULL, + checkpoint_email.event.saas, + data_stream.dataset == "cisco_meraki.log" AND event.action == "wifi-8021x-auth" AND `cisco_meraki.8021x_eap_success.vap` IS NOT NULL, + `cisco_meraki.8021x_eap_success.vap`, + data_stream.dataset == "cisco_meraki.log" AND event.action == "wifi-wpa-authentication" AND cisco_meraki.wpa_auth.vap IS NOT NULL, + cisco_meraki.wpa_auth.vap, + data_stream.dataset == "cisco_meraki.log" AND event.action == "splash-authentication" AND cisco_meraki.splash_auth.vap IS NOT NULL, + cisco_meraki.splash_auth.vap, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("http-access", "http-access-error", "ids-signature-matched") AND network.protocol IS NOT NULL, + network.protocol, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("dhcp-offer", "dhcp-no-offer") AND server.mac IS NOT NULL, + server.mac, + data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "authentication" AND cisco_secure_email_gateway.log.action IN ("logged on", "authenticated"), + "Cisco Secure Email Gateway", + data_stream.dataset == "cisco_umbrella.log" AND network.application IS NOT NULL, + network.application, + data_stream.dataset == "citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true AND url.domain IS NOT NULL, + CONCAT(url.domain, url.path), + data_stream.dataset == "citrix_waf.log" AND citrix.device_event_class_id == "API", + "Citrix 
ADC management API", + data_stream.dataset == "citrix_waf.log" AND citrix.device_event_class_id == "APPFW" AND (citrix.cef_format IS NULL OR TO_BOOLEAN(citrix.cef_format) == false), + "Citrix NetScaler APPFW", + event.dataset IN ("conn", "notice", "tls", "rdp") AND network.protocol IS NOT NULL, + network.protocol, + data_stream.dataset == "cyera.event" AND cyera.event.type == "scanEvent", + cloud.service.name, + data_stream.dataset == "darktrace.ai_analyst_alert" AND darktrace.ai_analyst_alert.summariser == "AdminConnSummary", + "SSH", + data_stream.dataset IN ("forgerock.am_access", "forgerock.am_authentication", "forgerock.am_activity") AND service.name IS NOT NULL, + service.name, + data_stream.dataset == "forgerock.idm_authentication", + "Identity Management", + data_stream.dataset == "fortinet_fortigate.log" AND event.action == "login", + observer.name, + data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.type IN ("traffic", "utm", "dns") AND network.application IS NOT NULL, + network.application, + data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.subtype == "vpn" AND fortinet.firewall.vpntunnel IS NOT NULL, + fortinet.firewall.vpntunnel, + data_stream.dataset == "gcp_vertexai.auditlogs", + "Vertex AI", + data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND cloud.service.name IS NOT NULL, + cloud.service.name, + data_stream.dataset == "gitlab.audit" AND gitlab.audit.meta.caller_id == "SessionsController#create", + "GitLab", + data_stream.dataset == "infoblox_bloxone_ddi.dns_config", + infoblox_bloxone_ddi.dns_config.name, + data_stream.dataset == "m365_defender.event" AND application.name IS NOT NULL, + application.name, + data_stream.dataset == "m365_defender.alert" AND m365_defender.alert.service_source IS NOT NULL, + m365_defender.alert.service_source, + data_stream.dataset == "m365_defender.incident" AND m365_defender.incident.alert.service_source IS NOT NULL, + m365_defender.incident.alert.service_source, 
+ data_stream.dataset == "microsoft_dhcp.log" AND event.action == "dhcp-dns-update",
+ "DNS dynamic update service",
+ data_stream.dataset == "microsoft_dhcp.log" AND event.action == "dhcpv6-solicit",
+ "Microsoft DHCP service",
+ data_stream.dataset == "microsoft_intune.audit",
+ "Microsoft Intune",
+ data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.model IS NOT NULL,
+ openai.base.model,
+ data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches", "openai.vector_stores", "openai.code_interpreter_sessions"),
+ "OpenAI API",
+ data_stream.dataset == "ping_federate.audit" AND url.full IS NOT NULL,
+ url.full,
+ data_stream.dataset == "ping_federate.audit" AND url.full IS NULL AND ping_federate.audit.connection_id IS NULL,
+ "PingFederate",
+ data_stream.dataset == "ping_one.audit" AND event.action == "user.access_allowed" AND client.user.name IS NOT NULL,
+ client.user.name,
+ data_stream.dataset == "prisma_cloud.audit" AND event.action == "login",
+ "Prisma Cloud CSPM console",
+ data_stream.dataset == "qualys_vmdr.user_activity" AND event.action == "login",
+ "Qualys VMDR",
+ data_stream.dataset == "qualys_vmdr.user_activity" AND event.action == "request" AND message IS NOT NULL,
+ message,
+ data_stream.dataset == "salesforce.login" AND event.action == "login-attempt" AND salesforce.login.application IS NOT NULL,
+ salesforce.login.application,
+ data_stream.dataset == "salesforce.login" AND event.action == "login-attempt",
+ "Salesforce",
+ data_stream.dataset == "salesforce.logout" AND event.action == "logout",
+ "Salesforce",
+ data_stream.dataset == "slack.audit" AND event.action == "user_login",
+ "Slack",
+ data_stream.dataset == "snort.log" AND network.protocol IS NOT NULL AND network.protocol != "unknown",
+ network.protocol,
+ data_stream.dataset == "suricata.eve" AND network.protocol IS NOT NULL,
+ network.protocol,
+ data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND event.provider == "aws_cloudtrail",
+ event.provider,
+ data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("url", "link", "uri") AND threat.indicator.url.domain IS NOT NULL,
+ threat.indicator.url.domain,
+ data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND threat.feed.name IS NOT NULL,
+ threat.feed.name,
+ data_stream.dataset == "wiz.audit" AND event.action IN ("user-login", "login"),
+ "Wiz",
+ data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND cloud.service.name IS NOT NULL,
+ cloud.service.name,
+ data_stream.dataset == "zscaler_zia.audit" AND event.action IN ("sign_out", "activate"),
+ "ZIA Admin Portal",
+ data_stream.dataset == "zscaler_zia.web",
+ zscaler_zia.web.app.name,
+ data_stream.dataset == "zscaler_zia.alerts",
+ zscaler_zia.alerts.log_feed_name,
+ data_stream.dataset IN ("zscaler_zia.dns", "zscaler_zia.firewall") AND network.application IS NOT NULL,
+ network.application,
+ null
+ ),
+ service.target.type = CASE(
+ service.target.type IS NOT NULL,
+ service.target.type,
+ data_stream.dataset == "aws_bedrock.invocation" AND gen_ai.request.model.type IS NOT NULL,
+ gen_ai.request.model.type,
+ data_stream.dataset == "ping_one.audit" AND event.action == "user.access_allowed",
+ "pingone_application",
+ null
+ ),
+ user.target.domain = CASE(
+ user.target.domain IS NOT NULL,
+ user.target.domain,
+ data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing") AND checkpoint_email.event.type != "alert" AND destination.user.domain IS NOT NULL,
+ destination.user.domain,
+ data_stream.dataset == "salesforce.setupaudittrail" AND salesforce.setup_audit_trail.display IS NOT NULL,
+ user.domain,
+ null
+ ),
+ user.target.email = CASE(
+ user.target.email IS NOT NULL,
+ user.target.email,
+ data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing") AND checkpoint_email.event.type != "alert" AND destination.user.email IS NOT NULL,
+ destination.user.email,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND email.to.address IS NOT NULL,
+ email.to.address,
+ data_stream.dataset == "fortinet_fortigate.log" AND email.to.address IS NOT NULL,
+ email.to.address,
+ data_stream.dataset == "jamf_pro.events" AND event.action == "SCEPChallenge",
+ jamf_pro.events.event.target_user.email,
+ data_stream.dataset == "m365_defender.event" AND email.to.address IS NOT NULL,
+ email.to.address,
+ data_stream.dataset == "salesforce.setupaudittrail" AND salesforce.setup_audit_trail.display IS NOT NULL,
+ user.email,
+ data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "user" AND event.action != "user_login",
+ slack.audit.entity.email,
+ data_stream.dataset == "snyk.audit_logs" AND event.action == "org.user.invite",
+ snyk.audit_logs.content.email,
+ data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("email-src", "email-dst") AND threat.indicator.email.address IS NOT NULL,
+ threat.indicator.email.address,
+ null
+ ),
+ user.target.id = CASE(
+ user.target.id IS NOT NULL,
+ user.target.id,
+ data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method == "AttachUserPolicy" AND aws.request.parameters.userName IS NOT NULL,
+ aws.request.parameters.userName,
+ data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::IAM::User",
+ user.id,
+ data_stream.dataset == "forgerock.idm_sync" AND forgerock.sourceObjectId IS NOT NULL,
+ forgerock.sourceObjectId,
+ data_stream.dataset IN ("forgerock.am_activity", "forgerock.idm_activity") AND STARTS_WITH(forgerock.objectId, "managed/"),
+ forgerock.objectId,
+ data_stream.dataset == "forgerock.idm_sync" AND forgerock.targetObjectId IS NOT NULL,
+ forgerock.targetObjectId,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type == "User" AND gitlab.audit.meta.caller_id != "SessionsController#create",
+ TO_STRING(gitlab.audit.target_id),
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type == "User",
+ greenhouse.audit.event.target_id,
+ data_stream.dataset == "ping_federate.audit" AND ping_federate.audit.local_user_id IS NOT NULL,
+ ping_federate.audit.local_user_id,
+ data_stream.dataset == "ping_one.audit" AND event.action IN ("user.created", "user.updated", "user.deleted", "password.check_failed", "password.check_succeeded", "password.set", "password.reset", "role_assignment.created") AND event.action != "user.access_allowed" AND ping_one.audit.resources.id IS NOT NULL,
+ ping_one.audit.resources.id,
+ data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "user" AND event.action != "user_login",
+ slack.audit.entity.id,
+ data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type == "USER_ACCOUNT" AND user.id IS NOT NULL,
+ user.id,
+ null
+ ),
+ user.target.name = CASE(
+ user.target.name IS NOT NULL,
+ user.target.name,
+ data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method == "AttachUserPolicy" AND aws.request.parameters.userName IS NOT NULL,
+ aws.request.parameters.userName,
+ data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing") AND checkpoint_email.event.type != "alert" AND destination.user.name IS NOT NULL,
+ destination.user.name,
+ data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.type == "traffic" AND destination.user.name IS NOT NULL,
+ destination.user.name,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type == "User" AND gitlab.audit.meta.caller_id != "SessionsController#create",
+ gitlab.audit.target_details,
+ data_stream.dataset == "jamf_pro.events" AND event.action == "SCEPChallenge",
+ jamf_pro.events.event.target_user.username,
+ data_stream.dataset == "m365_defender.event" AND m365_defender.event.query.target IS NOT NULL,
+ m365_defender.event.query.target,
+ data_stream.dataset == "ping_one.audit" AND event.action IN ("user.created", "user.updated", "user.deleted", "password.check_failed", "password.check_succeeded", "password.set", "password.reset", "role_assignment.created") AND event.action != "user.access_allowed" AND ping_one.audit.resources.name IS NOT NULL,
+ ping_one.audit.resources.name,
+ data_stream.dataset == "salesforce.setupaudittrail" AND salesforce.setup_audit_trail.display IS NOT NULL,
+ user.name,
+ data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "user" AND event.action != "user_login",
+ slack.audit.entity.name,
+ data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type == "USER_ACCOUNT" AND user.name IS NOT NULL,
+ user.name,
+ null
+ )
+| EVAL
+ entity.sub_type = CASE(
+ entity.sub_type IS NOT NULL,
+ entity.sub_type,
+ data_stream.dataset == "aws_bedrock.invocation" AND user.id IS NOT NULL AND user.id LIKE "arn:aws:sts:*:assumed-role/*",
+ "assumed_role",
+ data_stream.dataset == "aws_bedrock.invocation" AND user.id IS NOT NULL AND user.id LIKE "arn:aws:iam:*:user/*",
+ "iam_user",
+ data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs",
+ "agentcore_gateway",
+ data_stream.dataset == "snyk.audit_logs" AND user.id IS NULL,
+ "Snyk platform worker",
+ data_stream.dataset == "snyk.issues",
+ "Snyk scanner",
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL,
+ entity.target.sub_type,
+ data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs" AND aws.bedrock_agentcore.gateway.target IS NOT NULL,
+ "tool_target",
+ data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs",
+ "runtime_endpoint",
+ data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND aws.bedrock_agentcore.memory.memory_strategy IS NOT NULL,
+ aws.bedrock_agentcore.memory.memory_strategy,
+ data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs"),
+ "web_app",
+ data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs",
+ "url_path",
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "authentication" AND cisco_secure_email_gateway.log.action IN ("logged on", "authenticated"),
+ null,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND email.message_id IS NOT NULL,
+ "email_message",
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND file.name IS NOT NULL,
+ "file",
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND url.path IS NOT NULL,
+ "web_resource",
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "scanEvent",
+ "cloud_datastore",
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "DisablePolicyEvent",
+ "policy",
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "IssueStatusChangedToClosedEvent",
+ "issue",
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "M365SensitivityLabelRemediationFinishedEvent",
+ "m365_remediation",
+ data_stream.dataset IN ("forgerock.am_activity", "forgerock.idm_activity") AND STARTS_WITH(forgerock.objectId, "managed/"),
+ "managed_object",
+ data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "file",
+ "file",
+ data_stream.dataset == "snyk.issues",
+ snyk.issues.attributes.type,
+ data_stream.dataset == "snyk.audit_logs" AND snyk.audit_logs.project_id IS NOT NULL,
+ "project",
+ data_stream.dataset == "snyk.audit_logs" AND event.action == "org.target.create",
+ "target",
+ data_stream.dataset == "snyk.audit_logs" AND event.action == "group.service_account.create",
+ "service_account",
+ null
+ ),
+ entity.target.type = CASE(
+ entity.target.type IS NOT NULL,
+ entity.target.type,
+ data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs" AND aws.bedrock_agentcore.gateway.target IS NOT NULL,
+ "general",
+ data_stream.dataset IN ("aws_bedrock_agentcore.runtime_application_logs", "aws_bedrock_agentcore.memory_application_logs"),
+ "service",
+ data_stream.dataset == "aws.vpcflow.otel" AND aws.vpc.flow.destination.service IS NOT NULL,
+ "service",
+ data_stream.dataset == "aws.vpcflow.otel",
+ "host",
+ data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs"),
+ "host",
+ data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs",
+ "general",
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "authentication" AND cisco_secure_email_gateway.log.action IN ("logged on", "authenticated"),
+ "service",
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND email.to.address IS NOT NULL,
+ "user",
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND file.name IS NOT NULL,
+ "general",
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND url.path IS NOT NULL,
+ "general",
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "scanEvent",
+ "general",
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "DisablePolicyEvent",
+ "general",
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "IssueStatusChangedToClosedEvent",
+ "general",
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "M365SensitivityLabelRemediationFinishedEvent",
+ "general",
+ data_stream.dataset IN ("forgerock.am_access", "forgerock.am_authentication", "forgerock.am_activity") AND service.name IS NOT NULL,
+ "service",
+ data_stream.dataset == "forgerock.idm_authentication",
+ "service",
+ data_stream.dataset == "forgerock.idm_sync",
+ "user",
+ data_stream.dataset IN ("forgerock.am_activity", "forgerock.idm_activity") AND STARTS_WITH(forgerock.objectId, "managed/"),
+ "user",
+ data_stream.dataset IN ("forgerock.am_activity", "forgerock.am_config", "forgerock.idm_activity", "forgerock.idm_config"),
+ "general",
+ data_stream.dataset == "m365_defender.event" AND application.name IS NOT NULL,
+ "service",
+ data_stream.dataset == "m365_defender.event" AND m365_defender.event.query.target IS NOT NULL,
+ "user",
+ data_stream.dataset == "m365_defender.event" AND m365_defender.event.destination.device_name IS NOT NULL,
+ "host",
+ data_stream.dataset IN ("m365_defender.alert", "m365_defender.incident") AND host.id IS NOT NULL,
+ "host",
+ data_stream.dataset == "m365_defender.event" AND email.to.address IS NOT NULL,
+ "user",
+ data_stream.dataset == "ping_one.audit" AND event.action == "user.access_allowed",
+ "service",
+ data_stream.dataset == "ping_one.audit" AND event.action IN ("user.created", "user.updated", "user.deleted", "password.check_failed", "password.check_succeeded", "password.set", "password.reset", "role_assignment.created"),
+ "user",
+ data_stream.dataset == "ping_one.audit" AND STARTS_WITH(event.action, "application."),
+ "general",
+ data_stream.dataset == "qualys_vmdr.user_activity" AND event.action == "login",
+ "service",
+ data_stream.dataset == "qualys_vmdr.user_activity" AND event.action == "request",
+ "service",
+ data_stream.dataset == "qualys_vmdr.user_activity" AND event.provider == "host_attribute",
+ "host",
+ data_stream.dataset == "qualys_vmdr.asset_host_detection",
+ "host",
+ data_stream.dataset == "slack.audit" AND event.action == "user_login",
+ "service",
+ data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "user" AND event.action != "user_login",
+ "user",
+ data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "file",
+ "general",
+ null
+ ),
+ entity.type = CASE(
+ entity.type IS NOT NULL,
+ entity.type,
+ data_stream.dataset IN ("aws_bedrock_agentcore.runtime_application_logs", "aws_bedrock_agentcore.memory_application_logs"),
+ "user",
+ data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs",
+ "service",
+ data_stream.dataset IN ("forgerock.am_access", "forgerock.idm_access") AND user.id IS NULL AND client.ip IS NOT NULL,
+ "host",
+ data_stream.dataset IN ("forgerock.am_access", "forgerock.idm_access", "forgerock.am_authentication", "forgerock.idm_authentication", "forgerock.am_activity", "forgerock.am_config", "forgerock.idm_activity", "forgerock.idm_config", "forgerock.idm_sync"),
+ "user",
+ data_stream.dataset == "snyk.audit_logs" AND user.id IS NULL,
+ "service",
+ data_stream.dataset == "snyk.issues",
+ "service",
+ null
+ ),
+ service.target.sub_type = CASE(
+ service.target.sub_type IS NOT NULL,
+ service.target.sub_type,
+ data_stream.dataset == "aws_bedrock.invocation" AND gen_ai.request.model.id IS NOT NULL,
+ "foundation_model",
+ null
+ )
diff --git a/dev/domain/esql-evaluations/entityanalytics_ad.ts b/dev/domain/esql-evaluations/entityanalytics_ad.ts
new file mode 100644
index 00000000000..5cd8f829c88
--- /dev/null
+++ b/dev/domain/esql-evaluations/entityanalytics_ad.ts
@@ -0,0 +1,7 @@
+import type { IntegrationEvaluations } from "./types";
+
+export const entityanalytics_adEvaluations = {
+ integration: "entityanalytics_ad",
+ evaluations: [
+ ],
+} as const satisfies IntegrationEvaluations;
diff --git a/dev/domain/esql-evaluations/entityanalytics_okta.ts b/dev/domain/esql-evaluations/entityanalytics_okta.ts
new file mode 100644
index 00000000000..187feeaff31
--- /dev/null
+++ b/dev/domain/esql-evaluations/entityanalytics_okta.ts
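Review bot: `evaluations: [` `],` in entityanalytics_ad.ts (and the identical stub in entityanalytics_okta.ts in the next hunk) ships without the "Detection flags (mandatory — run first)" snippet that every other integration file in this commit carries, so whatever iterates these `IntegrationEvaluations` has no actor/target/action check to run for those two integrations and will presumably report nothing rather than a gap. If the source document for these integrations simply has no `## ES|QL Entity Extraction` section, a one-line comment inside the array would make the omission deliberate, e.g. `// no ES|QL entity extraction section in the source doc yet — nothing to evaluate`. If an empty array is not meant to be valid, having the `IntegrationEvaluations` type (not visible here) require at least the detection_flags entry would catch this at compile time instead of at review time.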
@@ -0,0 +1,7 @@
+import type { IntegrationEvaluations } from "./types";
+
+export const entityanalytics_oktaEvaluations = {
+ integration: "entityanalytics_okta",
+ evaluations: [
+ ],
+} as const satisfies IntegrationEvaluations;
diff --git a/dev/domain/esql-evaluations/extrahop.ts b/dev/domain/esql-evaluations/extrahop.ts
new file mode 100644
index 00000000000..5732623b006
--- /dev/null
+++ b/dev/domain/esql-evaluations/extrahop.ts
@@ -0,0 +1,28 @@
+import type { IntegrationEvaluations } from "./types";
+
+export const extrahopEvaluations = {
+ integration: "extrahop",
+ evaluations: [
+ {
+ id: "detection_flags",
+ section: "Detection flags (mandatory \u2014 run first)",
+ esql: `| EVAL
+ actor_exists = host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL`,
+ },
+ {
+ id: "event_action",
+ section: "Combined ES|QL \u2014 event action",
+ esql: `| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "extrahop.detection" AND extrahop.detection.type IS NOT NULL, extrahop.detection.type,
+ null
+ )`,
+ },
+ ],
+} as const satisfies IntegrationEvaluations;
diff --git a/dev/domain/esql-evaluations/forgerock.ts b/dev/domain/esql-evaluations/forgerock.ts
new file mode 100644
index 00000000000..29d7a8b07f7
--- /dev/null
+++ b/dev/domain/esql-evaluations/forgerock.ts
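Review bot: The extrahop `actor_exists` flag checks only `host.*` and `entity.*`, while its `target_exists` flag also checks `user.target.*`; every other integration in this commit tests user, host, service and entity symmetrically on both sides, so an ExtraHop detection that carries only `user.name` or `service.name` would be counted as having no actor. If ExtraHop genuinely never emits user- or service-level actors this is fine, but the asymmetry is not explained anywhere in the file; a comment on the snippet such as `// ExtraHop detections only identify actors at host level; user/service omitted deliberately` would stop the next reader from "fixing" it. Otherwise the two missing `OR user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL` / `OR service.id IS NOT NULL OR service.name IS NOT NULL` lines should be added to match the other files.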
@@ -0,0 +1,96 @@
+import type { IntegrationEvaluations } from "./types";
+
+export const forgerockEvaluations = {
+ integration: "forgerock",
+ evaluations: [
+ {
+ id: "detection_flags",
+ section: "Detection flags (mandatory \u2014 run first)",
+ esql: `| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL`,
+ },
+ {
+ id: "optional_classification",
+ section: "Optional classification helpers (when needed)",
+ esql: `| EVAL
+ entity.type = CASE(
+ entity.type IS NOT NULL, entity.type,
+ data_stream.dataset IN ("forgerock.am_access", "forgerock.idm_access") AND user.id IS NULL AND client.ip IS NOT NULL, "host",
+ data_stream.dataset IN ("forgerock.am_access", "forgerock.idm_access", "forgerock.am_authentication", "forgerock.idm_authentication", "forgerock.am_activity", "forgerock.am_config", "forgerock.idm_activity", "forgerock.idm_config", "forgerock.idm_sync"), "user",
+ null
+ ),
+ entity.target.type = CASE(
+ entity.target.type IS NOT NULL, entity.target.type,
+ data_stream.dataset IN ("forgerock.am_access", "forgerock.am_authentication", "forgerock.am_activity") AND service.name IS NOT NULL, "service",
+ data_stream.dataset == "forgerock.idm_authentication", "service",
+ data_stream.dataset == "forgerock.idm_sync", "user",
+ data_stream.dataset IN ("forgerock.am_activity", "forgerock.idm_activity") AND STARTS_WITH(forgerock.objectId, "managed/"), "user",
+ data_stream.dataset IN ("forgerock.am_activity", "forgerock.am_config", "forgerock.idm_activity", "forgerock.idm_config"), "general",
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset IN ("forgerock.am_activity", "forgerock.idm_activity") AND STARTS_WITH(forgerock.objectId, "managed/"), "managed_object",
+ null
+ )`,
+ },
+ {
+ id: "actor",
+ section: "Combined ES|QL \u2014 actor fields",
+ esql: `| EVAL
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset IN ("forgerock.am_authentication", "forgerock.idm_authentication"), MV_FIRST(forgerock.principal),
+ null
+ ),
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset IN ("forgerock.am_access", "forgerock.idm_access") AND client.ip IS NOT NULL, client.ip,
+ null
+ )`,
+ },
+ {
+ id: "event_action",
+ section: "Combined ES|QL \u2014 event action",
+ esql: `| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "forgerock.idm_sync" AND forgerock.action IS NOT NULL, forgerock.action,
+ data_stream.dataset IN ("forgerock.idm_access", "forgerock.idm_authentication", "forgerock.idm_activity", "forgerock.idm_config", "forgerock.idm_sync") AND forgerock.eventName IS NOT NULL, forgerock.eventName,
+ null
+ )`,
+ },
+ {
+ id: "target",
+ section: "Combined ES|QL \u2014 target fields",
+ esql: `| EVAL
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset IN ("forgerock.am_access", "forgerock.am_authentication", "forgerock.am_activity") AND service.name IS NOT NULL, service.name,
+ data_stream.dataset == "forgerock.idm_authentication", "Identity Management",
+ null
+ ),
+ user.target.id = CASE(
+ user.target.id IS NOT NULL, user.target.id,
+ data_stream.dataset == "forgerock.idm_sync" AND forgerock.sourceObjectId IS NOT NULL, forgerock.sourceObjectId,
+ data_stream.dataset IN ("forgerock.am_activity", "forgerock.idm_activity") AND STARTS_WITH(forgerock.objectId, "managed/"), forgerock.objectId,
+ data_stream.dataset == "forgerock.idm_sync" AND forgerock.targetObjectId IS NOT NULL, forgerock.targetObjectId,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset IN ("forgerock.am_activity", "forgerock.am_config", "forgerock.idm_activity", "forgerock.idm_config") AND forgerock.objectId IS NOT NULL AND NOT STARTS_WITH(forgerock.objectId, "managed/"), forgerock.objectId,
+ data_stream.dataset IN ("forgerock.am_access", "forgerock.idm_access") AND http.request.Path IS NOT NULL, http.request.Path,
+ null
+ )`,
+ },
+ ],
+} as const satisfies IntegrationEvaluations;
diff --git a/dev/domain/esql-evaluations/fortinet_fortigate.ts b/dev/domain/esql-evaluations/fortinet_fortigate.ts
new file mode 100644
index 00000000000..c16d2913264
--- /dev/null
+++ b/dev/domain/esql-evaluations/fortinet_fortigate.ts
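Review bot: In the `user.target.id` CASE of the target snippet, the `forgerock.idm_sync` branch that yields `forgerock.sourceObjectId` is listed before the one that yields `forgerock.targetObjectId`; CASE takes the first match, so a sync event carrying both ids reports the source object as the target user, which looks inverted for a sync and is also the order the merged query in the first hunk of this chunk inherits. If `targetObjectId` is indeed the object being written, swap the two branches so `data_stream.dataset == "forgerock.idm_sync" AND forgerock.targetObjectId IS NOT NULL, forgerock.targetObjectId,` comes first and `sourceObjectId` is only a fallback. Separately, `http.request.Path` in `entity.target.id` is the only capitalised field segment in the file; if that is the real mapped name a short comment saying so would prevent it being "corrected", otherwise the branch never matches and access logs get no entity target.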
@@ -0,0 +1,84 @@
+import type { IntegrationEvaluations } from "./types";
+
+export const fortinet_fortigateEvaluations = {
+ integration: "fortinet_fortigate",
+ evaluations: [
+ {
+ id: "detection_flags",
+ section: "Detection flags (mandatory \u2014 run first)",
+ esql: `| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL`,
+ },
+ {
+ id: "actor",
+ section: "Combined ES|QL \u2014 actor fields",
+ esql: `| EVAL
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset == "fortinet_fortigate.log" AND source.user.name IS NOT NULL, source.user.name,
+ null
+ ),
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "fortinet_fortigate.log" AND source.ip IS NOT NULL, source.ip,
+ null
+ )`,
+ },
+ {
+ id: "event_action",
+ section: "Combined ES|QL \u2014 event action",
+ esql: `| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.type == "event" AND fortinet.firewall.action IS NOT NULL, fortinet.firewall.action,
+ null
+ )`,
+ },
+ {
+ id: "target",
+ section: "Combined ES|QL \u2014 target fields",
+ esql: `| EVAL
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "fortinet_fortigate.log" AND event.action == "login", observer.name,
+ data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.type IN ("traffic", "utm", "dns") AND network.application IS NOT NULL, network.application,
+ data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.subtype == "vpn" AND fortinet.firewall.vpntunnel IS NOT NULL, fortinet.firewall.vpntunnel,
+ null
+ ),
+ host.target.ip = CASE(
+ host.target.ip IS NOT NULL, host.target.ip,
+ data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.type IN ("traffic", "utm", "dns") AND destination.ip IS NOT NULL, destination.ip,
+ null
+ ),
+ host.target.name = CASE(
+ host.target.name IS NOT NULL, host.target.name,
+ data_stream.dataset == "fortinet_fortigate.log" AND destination.address IS NOT NULL, destination.address,
+ data_stream.dataset == "fortinet_fortigate.log" AND destination.domain IS NOT NULL, destination.domain,
+ null
+ ),
+ user.target.name = CASE(
+ user.target.name IS NOT NULL, user.target.name,
+ data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.type == "traffic" AND destination.user.name IS NOT NULL, destination.user.name,
+ null
+ ),
+ user.target.email = CASE(
+ user.target.email IS NOT NULL, user.target.email,
+ data_stream.dataset == "fortinet_fortigate.log" AND email.to.address IS NOT NULL, email.to.address,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "fortinet_fortigate.log" AND url.domain IS NOT NULL, url.domain,
+ null
+ )`,
+ },
+ ],
+} as const satisfies IntegrationEvaluations;
diff --git a/dev/domain/esql-evaluations/gcp_vertexai.ts b/dev/domain/esql-evaluations/gcp_vertexai.ts
new file mode 100644
index 00000000000..7cb20ede9aa
--- /dev/null
+++ b/dev/domain/esql-evaluations/gcp_vertexai.ts
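Review bot: `host.target.name` prefers `destination.address` over `destination.domain` and has no `fortinet.firewall.type` guard, while the neighbouring `host.target.ip` is restricted to `("traffic", "utm", "dns")`; in ECS `destination.address` is the raw address and is frequently the same literal as `destination.ip`, so this ordering tends to put an IP string into `host.target.name` even when a real domain is available, and for `event`-type logs it yields a host target name with no matching host target ip. Unless the raw address is wanted as a name, swap the branches and mirror the type guard: `data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.type IN ("traffic", "utm", "dns") AND destination.domain IS NOT NULL, destination.domain,` followed by `data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.type IN ("traffic", "utm", "dns") AND destination.address IS NOT NULL, destination.address,`. If the present order is intentional, a comment on the snippet saying why would help.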
@@ -0,0 +1,79 @@
+import type { IntegrationEvaluations } from "./types";
+
+export const gcp_vertexaiEvaluations = {
+ integration: "gcp_vertexai",
+ evaluations: [
+ {
+ id: "detection_flags",
+ section: "Detection flags (mandatory \u2014 run first)",
+ esql: `| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL`,
+ },
+ {
+ id: "actor",
+ section: "Combined ES|QL \u2014 actor fields",
+ esql: `| EVAL
+ user.id = CASE(
+ user.id IS NOT NULL, user.id,
+ data_stream.dataset == "gcp_vertexai.auditlogs" AND client.user.id IS NOT NULL, client.user.id,
+ null
+ ),
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset == "gcp_vertexai.auditlogs" AND client.user.email IS NOT NULL, client.user.email,
+ null
+ ),
+ user.email = CASE(
+ user.email IS NOT NULL, user.email,
+ data_stream.dataset == "gcp_vertexai.auditlogs" AND client.user.email IS NOT NULL, client.user.email,
+ null
+ ),
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "gcp_vertexai.auditlogs" AND source.ip IS NOT NULL, source.ip,
+ null
+ )`,
+ },
+ {
+ id: "target",
+ section: "Combined ES|QL \u2014 target fields",
+ esql: `| EVAL
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "gcp_vertexai.auditlogs", "Vertex AI",
+ data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND cloud.service.name IS NOT NULL, cloud.service.name,
+ null
+ ),
+ service.target.id = CASE(
+ service.target.id IS NOT NULL, service.target.id,
+ data_stream.dataset == "gcp_vertexai.auditlogs" AND gcp.vertexai.audit.resource_name IS NOT NULL, gcp.vertexai.audit.resource_name,
+ data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND gcp.vertexai.prompt_response_logs.full_request.model IS NOT NULL, gcp.vertexai.prompt_response_logs.full_request.model,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND gcp.vertexai.prompt_response_logs.model IS NOT NULL, gcp.vertexai.prompt_response_logs.model,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND gcp.vertexai.prompt_response_logs.request_id IS NOT NULL, gcp.vertexai.prompt_response_logs.request_id,
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "gcp_vertexai.auditlogs" AND gcp.vertexai.audit.resource_name IS NOT NULL, "foundation_model",
+ data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND gcp.vertexai.prompt_response_logs.model IS NOT NULL, "foundation_model",
+ null
+ )`,
+ },
+ ],
+} as const satisfies IntegrationEvaluations;
diff --git a/dev/domain/esql-evaluations/generate.py b/dev/domain/esql-evaluations/generate.py
new file mode 100644
index 00000000000..785e72f7660
--- /dev/null
+++ b/dev/domain/esql-evaluations/generate.py
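Review bot: `entity.target.id` for `gcp_vertexai.prompt_response_logs` is filled from `gcp.vertexai.prompt_response_logs.request_id`, while `entity.target.name` and `entity.target.sub_type` for the same dataset describe the model ("foundation_model"); a per-request id paired with a per-model name means every invocation surfaces as a distinct entity whose display name collides with every other invocation of that model, which is the opposite of what an entity store wants. The same dataset also writes the model into `service.target.id` via `full_request.model`, so one log line produces both a service target and an entity target for what is presumably one model. If the model is the intended target, `entity.target.id` should come from the model field too, e.g. `data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND gcp.vertexai.prompt_response_logs.model IS NOT NULL, gcp.vertexai.prompt_response_logs.model,`, and the `service.target.*` assignments for that dataset dropped (or vice versa) so the target lives in one family. `user.name` being a copy of `client.user.email` in the actor snippet is likely fine for GCP principals but deserves a one-line comment, since downstream consumers may otherwise treat name and email as independent signals.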
@@ -0,0 +1,355 @@ +#!/usr/bin/env python3 +"""Generate copy-paste TS evaluation snippets + one merged enrichment query.""" + +from __future__ import annotations + +import json +import re +from dataclasses import dataclass, field +from pathlib import Path + +ROOT = Path(__file__).resolve().parent +P1 = ROOT.parent / "p1" + +SECTION_HEADINGS: dict[str, str] = { + "Detection flags (mandatory — run first)": "detection_flags", + "Optional classification helpers (when needed)": "optional_classification", + "Combined ES|QL — actor fields": "actor", + "Combined ES|QL — event action": "event_action", + "Combined ES|QL — target fields": "target", +} + +SKIP_HEADINGS_PREFIX = ( + "Full pipeline fragment", + "Streams excluded", + "Gaps and limitations", + "Dataset inventory", + "Field mapping plan", +) + +ENRICHMENT_PHASES = ("actor", "event_action", "target", "optional_classification") +SKIP_COLUMNS_SNAPSHOT = frozenset({"host.ip", "host.target.ip"}) +PRESERVE_RE = re.compile(r"^\S+\s+IS NOT NULL$") + + +def export_name(integration: str) -> str: + return f"{integration}Evaluations" + + +def extract_esql_section(md: str) -> str | None: + start = md.find("## ES|QL Entity Extraction") + if start == -1: + return None + rest = md[start + 1 :] + m = re.search(r"\n## [^#]", rest) + end = start + 1 + m.start() if m else len(md) + return md[start:end] + + +def extract_evaluations(section: str) -> list[dict[str, str]]: + snippets: list[dict[str, str]] = [] + seen_ids: dict[str, int] = {} + + parts = re.split(r"^### (.+)$", section, flags=re.MULTILINE) + i = 1 + while i < len(parts): + heading = parts[i].strip() + body = parts[i + 1] if i + 1 < len(parts) else "" + i += 2 + + if any(heading.startswith(p) for p in SKIP_HEADINGS_PREFIX): + continue + + base_id = SECTION_HEADINGS.get(heading) + if base_id is None: + continue + + for block in re.findall(r"```esql\n(.*?)```", body, re.DOTALL): + block = block.strip() + if block.startswith("FROM ") or not block.startswith("| EVAL"): + 
continue + + count = seen_ids.get(base_id, 0) + seen_ids[base_id] = count + 1 + sid = base_id if count == 0 else f"{base_id}_{count + 1}" + snippets.append({"id": sid, "section": heading, "esql": block}) + + return snippets + + +def split_top_level(input: str) -> list[str]: + parts: list[str] = [] + depth = 0 + in_string: str | None = None + start = 0 + + for i, c in enumerate(input): + if in_string: + if c == "\\": + continue + if c == in_string: + in_string = None + continue + if c in ('"', "'"): + in_string = c + continue + if c == "(": + depth += 1 + elif c == ")": + depth -= 1 + elif c == "," and depth == 0: + parts.append(input[start:i].strip()) + start = i + 1 + + tail = input[start:].strip() + if tail: + parts.append(tail) + return parts + + +def find_matching_paren(input: str, open_idx: int) -> int: + depth = 0 + in_string: str | None = None + for i in range(open_idx, len(input)): + c = input[i] + if in_string: + if c == "\\": + continue + if c == in_string: + in_string = None + continue + if c in ('"', "'"): + in_string = c + continue + if c == "(": + depth += 1 + elif c == ")": + depth -= 1 + if depth == 0: + return i + raise ValueError(f"Unbalanced parens: {input[open_idx:open_idx + 40]!r}") + + +@dataclass +class CaseBranch: + condition: str + value: str + + +@dataclass +class ParsedAssignment: + column: str + has_preserve: bool + branches: list[CaseBranch] = field(default_factory=list) + default_value: str = "null" + + +def split_eval_assignments(eval_body: str) -> list[tuple[str, str]]: + body = re.sub(r"^\|\s*EVAL\s*\n?", "", eval_body).strip() + assignments: list[tuple[str, str]] = [] + cursor = 0 + + while cursor < len(body): + while cursor < len(body) and body[cursor] in ", \t\n\r": + cursor += 1 + if cursor >= len(body): + break + + marker = body.find(" = CASE(", cursor) + if marker == -1: + break + + column = body[cursor:marker].strip() + open_paren = marker + len(" = CASE(") - 1 + close_paren = find_matching_paren(body, open_paren) + case_expr 
= body[marker + len(" = ") : close_paren + 1].strip() + assignments.append((column, case_expr)) + cursor = close_paren + 1 + + return assignments + + +def parse_case_expression(column: str, case_expr: str) -> ParsedAssignment: + if not (case_expr.startswith("CASE(") and case_expr.endswith(")")): + raise ValueError(f"Expected CASE(...) for {column}") + + args = split_top_level(case_expr[5:-1]) + index = 0 + has_preserve = False + + if len(args) >= 2 and PRESERVE_RE.match(args[0]) and args[1].strip() == column: + has_preserve = True + index = 2 + + tail = args[index:] + default_value = "null" + branch_args = tail + if len(tail) % 2 == 1: + default_value = tail[-1].strip() + branch_args = tail[:-1] + + branches = [ + CaseBranch(branch_args[i].strip(), branch_args[i + 1].strip()) + for i in range(0, len(branch_args), 2) + ] + return ParsedAssignment(column, has_preserve, branches, default_value) + + +def parse_eval_snippet(esql: str) -> list[ParsedAssignment]: + return [parse_case_expression(col, expr) for col, expr in split_eval_assignments(esql)] + + +def merge_assignments(left: ParsedAssignment, right: ParsedAssignment) -> ParsedAssignment: + seen: set[str] = set() + branches: list[CaseBranch] = [] + for branch in left.branches + right.branches: + key = f"{branch.condition}\0{branch.value}" + if key in seen: + continue + seen.add(key) + branches.append(branch) + return ParsedAssignment( + left.column, + left.has_preserve or right.has_preserve, + branches, + left.default_value or right.default_value, + ) + + +def format_case(assignment: ParsedAssignment) -> str: + parts: list[str] = [] + if assignment.has_preserve: + parts.extend([f"{assignment.column} IS NOT NULL", assignment.column]) + for branch in assignment.branches: + parts.extend([branch.condition, branch.value]) + parts.append(assignment.default_value) + + lines = [f" {part}{',' if idx < len(parts) - 1 else ''}" for idx, part in enumerate(parts)] + return f" {assignment.column} = CASE(\n" + "\n".join(lines) + 
"\n )" + + +def build_merged_query(all_snippets: list[list[dict[str, str]]]) -> str: + lines: list[str] = [] + + for phase in ENRICHMENT_PHASES: + by_column: dict[str, ParsedAssignment] = {} + + for snippets in all_snippets: + for snip in snippets: + if snip["id"] != phase: + continue + for assignment in parse_eval_snippet(snip["esql"]): + existing = by_column.get(assignment.column) + by_column[assignment.column] = ( + merge_assignments(existing, assignment) + if existing + else assignment + ) + + if not by_column: + continue + + body = ",\n".join( + format_case(a) + for col, a in sorted(by_column.items()) + if col not in SKIP_COLUMNS_SNAPSHOT + ) + if not body: + continue + lines.append(f"| EVAL\n{body}") + + return "\n".join(lines) + "\n" + + +def emit_integration_ts(integration: str, snippets: list[dict[str, str]]) -> str: + name = export_name(integration) + lines = [ + 'import type { IntegrationEvaluations } from "./types";', + "", + f"export const {name} = {{", + f' integration: "{integration}",', + " evaluations: [", + ] + for snip in snippets: + lines.append(" {") + lines.append(f" id: {json.dumps(snip['id'])},") + lines.append(f" section: {json.dumps(snip['section'])},") + esql_body = snip["esql"].replace("`", "\\`").replace("${", "\\${") + lines.append(f" esql: `{esql_body}`,") + lines.append(" },") + lines.append(" ],") + lines.append("} as const satisfies IntegrationEvaluations;") + lines.append("") + return "\n".join(lines) + + +def write_registry(integrations: list[str]) -> None: + lines = ['import type { IntegrationEvaluations } from "./types";', ""] + for integration in integrations: + lines.append(f'import {{ {export_name(integration)} }} from "./{integration}";') + lines.append("") + lines.append("/** All integration evaluation snippets keyed by package code. 
*/") + lines.append("export const allIntegrationEvaluations = {") + for integration in integrations: + lines.append(f' "{integration}": {export_name(integration)},') + lines.append("} as const satisfies Record;") + lines.append("") + (ROOT / "registry.ts").write_text("\n".join(lines)) + + +def emit_index(integrations: list[str]) -> str: + lines = [ + 'export type { EvaluationSnippet, IntegrationEvaluations } from "./types";', + 'export { allIntegrationEvaluations } from "./registry";', + "export {", + " buildEnrichmentQuery,", + " listIntegrationsWithEvaluations,", + " ENRICHMENT_PHASES,", + '} from "./buildEnrichmentQuery";', + 'export type { BuildEnrichmentQueryOptions, EnrichmentPhase } from "./buildEnrichmentQuery";', + "", + ] + for integration in integrations: + lines.append(f'export {{ {export_name(integration)} }} from "./{integration}";') + lines.append("") + return "\n".join(lines) + + +def emit_types() -> str: + return """/** One `| EVAL` step from Pass 4 domain documentation. 
*/ +export interface EvaluationSnippet { + readonly id: string; + readonly section: string; + readonly esql: string; +} + +export interface IntegrationEvaluations { + readonly integration: string; + readonly evaluations: readonly EvaluationSnippet[]; +} +""" + + +def main() -> None: + integrations: list[str] = [] + all_snippets: list[list[dict[str, str]]] = [] + + for md in sorted(P1.glob("*.md")): + integration = md.stem + integrations.append(integration) + section = extract_esql_section(md.read_text()) + snippets = extract_evaluations(section) if section else [] + all_snippets.append(snippets) + (ROOT / f"{integration}.ts").write_text(emit_integration_ts(integration, snippets)) + + query = build_merged_query(all_snippets) + (ROOT / "enrichmentQuery.esql").write_text(query) + (ROOT / "types.ts").write_text(emit_types()) + write_registry(integrations) + (ROOT / "index.ts").write_text(emit_index(integrations)) + + print(f"Wrote {len(integrations)} integration files + registry.ts + enrichmentQuery.esql (snapshot)") + + +if __name__ == "__main__": + main() diff --git a/dev/domain/esql-evaluations/gitlab.ts b/dev/domain/esql-evaluations/gitlab.ts new file mode 100644 index 00000000000..ca12583838e --- /dev/null +++ b/dev/domain/esql-evaluations/gitlab.ts 
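Review bot: The string-literal scanning in `split_top_level` and `find_matching_paren` does not skip the character after a backslash — `if c == "\\": continue` only ends the current iteration, so an escaped quote inside a quoted string closes the literal early and a following comma or `)` is then treated as a top-level separator, silently mis-splitting CASE branches or returning the wrong paren index. Both loops need an explicit flag, e.g. `if escaped: escaped = False; continue` at the top of the in-string branch and `if c == "\\": escaped = True; continue` in place of the current line. Separately, `emit_integration_ts` escapes backticks and `${` but not backslashes, so any `\` in a snippet is reinterpreted as a JavaScript escape inside the emitted template literal; prepend `.replace("\\", "\\\\")` to that chain (it has to run before the other two). Finally, `main` and `write_registry` call `read_text()`/`write_text()` with no `encoding="utf-8"`, which makes matching the em-dash headings in `SECTION_HEADINGS` depend on the host locale and can leave an integration with an empty `evaluations` array or mis-encoded output.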
@@ -0,0 +1,90 @@
+import type { IntegrationEvaluations } from "./types";
+
+export const gitlabEvaluations = {
+ integration: "gitlab",
+ evaluations: [
+ {
+ id: "detection_flags",
+ section: "Detection flags (mandatory \u2014 run first)",
+ esql: `| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL`,
+ },
+ {
+ id: "actor",
+ section: "Combined ES|QL \u2014 actor fields",
+ esql: `| EVAL
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset IN ("gitlab.api", "gitlab.auth", "gitlab.pages", "gitlab.production") AND source.ip IS NOT NULL, source.ip,
+ data_stream.dataset IN ("gitlab.audit", "gitlab.application", "gitlab.auth") AND client.ip IS NOT NULL, client.ip,
+ null
+ )`,
+ },
+ {
+ id: "event_action",
+ section: "Combined ES|QL \u2014 event action",
+ esql: `| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.change IS NOT NULL, gitlab.audit.change,
+ data_stream.dataset == "gitlab.audit", gitlab.audit.meta.caller_id,
+ data_stream.dataset == "gitlab.application" AND gitlab.application.meta.root_caller_id IS NOT NULL, gitlab.application.meta.root_caller_id,
+ data_stream.dataset == "gitlab.application" AND gitlab.application.meta.caller_id IS NOT NULL, gitlab.application.meta.caller_id,
+ data_stream.dataset == "gitlab.auth", gitlab.auth.env,
+ data_stream.dataset == "gitlab.api" AND gitlab.api.route IS NOT NULL, gitlab.api.route,
+ data_stream.dataset == "gitlab.pages" AND gitlab.pages.msg IS NOT NULL, gitlab.pages.msg,
+ null
+ )`,
+ },
+ {
+ id: "target",
+ section: "Combined ES|QL \u2014 target fields",
+ esql: `| EVAL
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.meta.caller_id == "SessionsController#create", "GitLab",
+ null
+ ),
+ user.target.id = CASE(
+ user.target.id IS NOT NULL, user.target.id,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type == "User" AND gitlab.audit.meta.caller_id != "SessionsController#create", TO_STRING(gitlab.audit.target_id),
+ null
+ ),
+ user.target.name = CASE(
+ user.target.name IS NOT NULL, user.target.name,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type == "User" AND gitlab.audit.meta.caller_id != "SessionsController#create", gitlab.audit.target_details,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type == "Project", TO_STRING(gitlab.audit.target_id),
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type == "Project", gitlab.audit.target_details,
+ data_stream.dataset == "gitlab.application" AND group.name IS NOT NULL, group.name,
+ data_stream.dataset == "gitlab.application" AND gitlab.application.project_name IS NOT NULL, gitlab.application.project_name,
+ data_stream.dataset == "gitlab.application" AND gitlab.application.meta.project IS NOT NULL, gitlab.application.meta.project,
+ data_stream.dataset == "gitlab.api" AND gitlab.api.route IS NOT NULL, gitlab.api.route,
+ data_stream.dataset == "gitlab.auth", url.path,
+ data_stream.dataset == "gitlab.pages" AND gitlab.pages.msg == "access", gitlab.pages.uri,
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type IS NOT NULL AND gitlab.audit.meta.caller_id != "SessionsController#create", gitlab.audit.target_type,
+ data_stream.dataset == "gitlab.auth", "git_endpoint",
+ null
+ )`,
+ },
+ ],
+} as const satisfies IntegrationEvaluations;
diff --git a/dev/domain/esql-evaluations/greenhouse.ts b/dev/domain/esql-evaluations/greenhouse.ts
new file mode 100644
index 00000000000..8e1a8f191d8
--- /dev/null
+++ b/dev/domain/esql-evaluations/greenhouse.ts
@@ -0,0 +1,77 @@
+import type { IntegrationEvaluations } from "./types";
+
+export const greenhouseEvaluations = {
+ integration: "greenhouse",
+ evaluations: [
+ {
+ id: "detection_flags",
+ section: "Detection flags (mandatory \u2014 run first)",
+ esql: `| EVAL
+ actor_exists = user.id IS NOT NULL OR user.email IS NOT NULL OR user.full_name IS NOT NULL
+ OR host.ip IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL OR entity.target.type IS NOT NULL,
+ action_exists = event.action IS NOT NULL`,
+ },
+ {
+ id: "actor",
+ section: "Combined ES|QL \u2014 actor fields",
+ esql: `| EVAL
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.performer.type == "user", user.full_name,
+ null
+ ),
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "greenhouse.audit" AND source.ip IS NOT NULL, source.ip,
+ null
+ )`,
+ },
+ {
+ id: "event_action",
+ section: "Combined ES|QL \u2014 event action",
+ esql: `| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.type IS NOT NULL, greenhouse.audit.event.type,
+ null
+ )`,
+ },
+ {
+ id: "target",
+ section: "Combined ES|QL \u2014 target fields",
+ esql: `| EVAL
+ user.target.id = CASE(
+ user.target.id IS NOT NULL, user.target.id,
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type == "User", greenhouse.audit.event.target_id,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_id IS NOT NULL AND greenhouse.audit.event.target_type != "User", greenhouse.audit.event.target_id,
+ null
+ ),
+ entity.target.type = CASE(
+ entity.target.type IS NOT NULL, entity.target.type,
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type IS NOT NULL, greenhouse.audit.event.target_type,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.meta.name IS NOT NULL, TO_STRING(greenhouse.audit.event.meta.name),
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type IS NOT NULL AND greenhouse.audit.event.target_id IS NULL, greenhouse.audit.event.target_type,
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type == "Candidate", "candidate",
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type == "Job", "job",
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type == "OrganizationEmail", "organization_email",
+ null
+ )`,
+ },
+ ],
+} as const satisfies IntegrationEvaluations;
diff --git a/dev/domain/esql-evaluations/index.ts b/dev/domain/esql-evaluations/index.ts
new file mode 100644
index 00000000000..70cd405b20d
--- /dev/null
+++ b/dev/domain/esql-evaluations/index.ts
@@ -0,0 +1,56 @@
+export type { EvaluationSnippet, IntegrationEvaluations } from "./types";
+export { allIntegrationEvaluations } from "./registry";
+export {
+ buildEnrichmentQuery,
+ listIntegrationsWithEvaluations,
+ ENRICHMENT_PHASES,
+} from "./buildEnrichmentQuery";
+export type { BuildEnrichmentQueryOptions, EnrichmentPhase } from "./buildEnrichmentQuery";
+
+export { aws_bedrockEvaluations } from "./aws_bedrock";
+export { aws_bedrock_agentcoreEvaluations } from "./aws_bedrock_agentcore";
+export { aws_cloudtrail_otelEvaluations } from "./aws_cloudtrail_otel";
+export { aws_securityhubEvaluations } from "./aws_securityhub";
+export { aws_vpcflow_otelEvaluations } from "./aws_vpcflow_otel";
+export { azure_ai_foundryEvaluations } from "./azure_ai_foundry";
+export { azure_app_serviceEvaluations } from "./azure_app_service";
+export { azure_openaiEvaluations } from "./azure_openai";
+export { checkpoint_emailEvaluations } from "./checkpoint_email";
+export { cisco_merakiEvaluations } from "./cisco_meraki";
+export { cisco_secure_email_gatewayEvaluations } from "./cisco_secure_email_gateway";
+export { cisco_umbrellaEvaluations } from "./cisco_umbrella";
+export { citrix_wafEvaluations } from "./citrix_waf";
+export { corelightEvaluations } from "./corelight";
+export { cyeraEvaluations } from "./cyera";
+export { darktraceEvaluations } from "./darktrace";
+export { entityanalytics_adEvaluations } from "./entityanalytics_ad";
+export { entityanalytics_oktaEvaluations } from "./entityanalytics_okta";
+export { extrahopEvaluations } from "./extrahop";
+export { forgerockEvaluations } from "./forgerock";
+export { fortinet_fortigateEvaluations } from "./fortinet_fortigate";
+export { gcp_vertexaiEvaluations } from "./gcp_vertexai";
+export { gitlabEvaluations } from "./gitlab";
+export { greenhouseEvaluations } from "./greenhouse";
+export { infoblox_bloxone_ddiEvaluations } from "./infoblox_bloxone_ddi";
+export { jamf_proEvaluations } from "./jamf_pro";
+export { linuxEvaluations } from "./linux";
+export { m365_defenderEvaluations } from "./m365_defender";
+export { microsoft_dhcpEvaluations } from "./microsoft_dhcp";
+export { microsoft_intuneEvaluations } from "./microsoft_intune";
+export { openaiEvaluations } from "./openai";
+export { osqueryEvaluations } from "./osquery";
+export { ping_federateEvaluations } from "./ping_federate";
+export { ping_oneEvaluations } from "./ping_one";
+export { prisma_cloudEvaluations } from "./prisma_cloud";
+export { qualys_vmdrEvaluations } from "./qualys_vmdr";
+export { salesforceEvaluations } from "./salesforce";
+export { servicenowEvaluations } from "./servicenow";
+export { slackEvaluations } from "./slack";
+export { snortEvaluations } from "./snort";
+export { snykEvaluations } from "./snyk";
+export { suricataEvaluations } from "./suricata";
+export { sysdigEvaluations } from "./sysdig";
+export { taniumEvaluations } from "./tanium";
+export { ti_mispEvaluations } from "./ti_misp";
+export { wizEvaluations } from "./wiz";
+export { zscaler_ziaEvaluations } from "./zscaler_zia";
diff --git a/dev/domain/esql-evaluations/infoblox_bloxone_ddi.ts b/dev/domain/esql-evaluations/infoblox_bloxone_ddi.ts
new file mode 100644
index 00000000000..85f8475d92a
--- /dev/null
+++ b/dev/domain/esql-evaluations/infoblox_bloxone_ddi.ts
@@ -0,0 +1,92 @@
+import type { IntegrationEvaluations } from "./types";
+
+export const infoblox_bloxone_ddiEvaluations = {
+ integration: "infoblox_bloxone_ddi",
+ evaluations: [
+ {
+ id: "detection_flags",
+ section: "Detection flags (mandatory \u2014 run first)",
+ esql: `| EVAL
+ actor_exists = client.user.id IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL OR host.hostname IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL`,
+ },
+ {
+ id: "actor",
+ section: "Combined ES|QL \u2014 actor fields",
+ esql: `| EVAL
+ entity.id = CASE(
+ entity.id IS NOT NULL, entity.id,
+ data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease" AND client.user.id IS NOT NULL, client.user.id,
+ null
+ ),
+ entity.name = CASE(
+ entity.name IS NOT NULL, entity.name,
+ data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease" AND host.hostname IS NOT NULL, host.hostname,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_data" AND infoblox_bloxone_ddi.dns_data.source IS NOT NULL, MV_FIRST(infoblox_bloxone_ddi.dns_data.source),
+ null
+ ),
+ entity.type = CASE(
+ entity.type IS NOT NULL, entity.type,
+ data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease", "host",
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_data" AND infoblox_bloxone_ddi.dns_data.source IS NOT NULL, "general",
+ null
+ ),
+ entity.sub_type = CASE(
+ entity.sub_type IS NOT NULL, entity.sub_type,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_data" AND infoblox_bloxone_ddi.dns_data.source IS NOT NULL, "config-source",
+ null
+ )`,
+ },
+ {
+ id: "target",
+ section: "Combined ES|QL \u2014 target fields",
+ esql: `| EVAL
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_data", event.id,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_config", event.id,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_data", dns.question.name,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_config", infoblox_bloxone_ddi.dns_config.name,
+ null
+ ),
+ entity.target.type = CASE(
+ entity.target.type IS NOT NULL, entity.target.type,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_data", "general",
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_config", "service",
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_data", "dns-record",
+ data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease", "ip_lease",
+ null
+ ),
+ host.target.ip = CASE(
+ host.target.ip IS NOT NULL, host.target.ip,
+ data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease", infoblox_bloxone_ddi.dhcp_lease.address,
+ null
+ ),
+ host.target.name = CASE(
+ host.target.name IS NOT NULL, host.target.name,
+ data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease" AND host.hostname IS NOT NULL, host.hostname,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_config", infoblox_bloxone_ddi.dns_config.name,
+ null
+ )`,
+ },
+ ],
+} as const satisfies IntegrationEvaluations;
diff --git a/dev/domain/esql-evaluations/jamf_pro.ts b/dev/domain/esql-evaluations/jamf_pro.ts
new file mode 100644
index 00000000000..0fbba67406e
--- /dev/null
+++ b/dev/domain/esql-evaluations/jamf_pro.ts
@@ -0,0 +1,90 @@
+import type { IntegrationEvaluations } from "./types";
+
+export const jamf_proEvaluations = {
+ integration: "jamf_pro",
+ evaluations: [
+ {
+ id: "detection_flags",
+ section: "Detection flags (mandatory \u2014 run first)",
+ esql: `| EVAL
+ actor_exists = (user.name IS NOT NULL AND event.action == "RestAPIOperation")
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL`,
+ },
+ {
+ id: "actor",
+ section: "Combined ES|QL \u2014 actor fields",
+ esql: `| EVAL
+ user.name = CASE(
+ user.name IS NOT NULL AND event.action == "RestAPIOperation", user.name,
+ data_stream.dataset == "jamf_pro.events" AND event.action == "RestAPIOperation", jamf_pro.events.event.authorized_username,
+ null
+ ),
+ service.name = CASE(
+ service.name IS NOT NULL, service.name,
+ data_stream.dataset == "jamf_pro.events" AND event.action != "RestAPIOperation", "Jamf Pro",
+ null
+ )`,
+ },
+ {
+ id: "target",
+ section: "Combined ES|QL \u2014 target fields",
+ esql: `| EVAL
+ host.target.id = CASE(
+ host.target.id IS NOT NULL, host.target.id,
+ data_stream.dataset == "jamf_pro.events" AND host.id IS NOT NULL, host.id,
+ data_stream.dataset == "jamf_pro.events" AND jamf_pro.events.event.udid IS NOT NULL, jamf_pro.events.event.udid,
+ data_stream.dataset == "jamf_pro.events" AND event.action == "SCEPChallenge", jamf_pro.events.event.target_device.udid,
+ null
+ ),
+ host.target.name = CASE(
+ host.target.name IS NOT NULL, host.target.name,
+ data_stream.dataset == "jamf_pro.events" AND host.name IS NOT NULL, host.name,
+ data_stream.dataset == "jamf_pro.events" AND jamf_pro.events.event.device_name IS NOT NULL, jamf_pro.events.event.device_name,
+ data_stream.dataset == "jamf_pro.events" AND event.action == "SCEPChallenge", jamf_pro.events.event.target_device.device_name,
+ null
+ ),
+ host.target.ip = CASE(
+ host.target.ip IS NOT NULL, host.target.ip,
+ data_stream.dataset == "jamf_pro.events" AND host.ip IS NOT NULL, host.ip,
+ null
+ ),
+ user.target.name = CASE(
+ user.target.name IS NOT NULL, user.target.name,
+ data_stream.dataset == "jamf_pro.events" AND event.action == "SCEPChallenge", jamf_pro.events.event.target_user.username,
+ null
+ ),
+ user.target.email = CASE(
+ user.target.email IS NOT NULL, user.target.email,
+ data_stream.dataset == "jamf_pro.events" AND event.action == "SCEPChallenge", jamf_pro.events.event.target_user.email,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "jamf_pro.events" AND event.action == "RestAPIOperation", jamf_pro.events.event.object_id,
+ data_stream.dataset == "jamf_pro.events" AND event.action == "ComputerPolicyFinished", jamf_pro.events.event.policy_id,
+ data_stream.dataset == "jamf_pro.events" AND event.action IN ("SmartGroupComputerMembershipChange", "SmartGroupMobileDeviceMembershipChange", "SmartGroupUserMembershipChange"), jamf_pro.events.event.jssid,
+ data_stream.dataset == "jamf_pro.events" AND event.action == "DeviceAddedToDEP", jamf_pro.events.event.serial_number,
+ data_stream.dataset == "jamf_pro.events" AND event.action == "ComputerPatchPolicyCompleted", jamf_pro.events.event.patch_policy_id,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "jamf_pro.events" AND event.action == "RestAPIOperation", jamf_pro.events.event.object_name,
+ data_stream.dataset == "jamf_pro.events" AND event.action IN ("SmartGroupComputerMembershipChange", "SmartGroupMobileDeviceMembershipChange", "SmartGroupUserMembershipChange"), jamf_pro.events.event.name,
+ data_stream.dataset == "jamf_pro.events" AND event.action IN ("JSSStartup", "JSSShutdown"), jamf_pro.events.event.jss_url,
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "jamf_pro.events" AND event.action == "RestAPIOperation", jamf_pro.events.event.object_type_name,
+ null
+ )`,
+ },
+ ],
+} as const satisfies IntegrationEvaluations;
diff --git a/dev/domain/esql-evaluations/linux.ts b/dev/domain/esql-evaluations/linux.ts
new file mode 100644
index 00000000000..ba26c9d26af
--- /dev/null
+++ b/dev/domain/esql-evaluations/linux.ts
@@ -0,0 +1,7 @@
+import type { IntegrationEvaluations } from "./types";
+
+export const linuxEvaluations = {
+ integration: "linux",
+ evaluations: [
+ ],
+} as const satisfies IntegrationEvaluations;
diff --git a/dev/domain/esql-evaluations/m365_defender.ts b/dev/domain/esql-evaluations/m365_defender.ts
new file mode 100644
index 00000000000..7e64507fb56
--- /dev/null
+++ b/dev/domain/esql-evaluations/m365_defender.ts
@@ -0,0 +1,114 @@ +import type { IntegrationEvaluations } from "./types"; + +export const m365_defenderEvaluations = { + integration: "m365_defender", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL OR user.domain IS NOT NULL + OR process.name IS NOT NULL OR process.user.name IS NOT NULL OR process.user.id IS NOT NULL + OR host.id IS NOT NULL OR host.name IS NOT NULL OR host.ip IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "optional_classification", + section: "Optional classification helpers (when needed)", + esql: `| EVAL + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "m365_defender.event" AND application.name IS NOT NULL, "service", + data_stream.dataset == "m365_defender.event" AND m365_defender.event.query.target IS NOT NULL, "user", + data_stream.dataset == "m365_defender.event" AND m365_defender.event.destination.device_name IS NOT NULL, "host", + data_stream.dataset IN ("m365_defender.alert", "m365_defender.incident") AND host.id IS NOT NULL, "host", + data_stream.dataset == "m365_defender.event" AND email.to.address IS NOT NULL, "user", + null + )`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset == "m365_defender.event" AND 
m365_defender.event.additional_fields.SourceAccountSid IS NOT NULL, m365_defender.event.additional_fields.SourceAccountSid, + data_stream.dataset == "m365_defender.event" AND m365_defender.event.initiating_process.account_sid IS NOT NULL, m365_defender.event.initiating_process.account_sid, + null + ), + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "m365_defender.event" AND m365_defender.event.initiating_process.account_name IS NOT NULL, m365_defender.event.initiating_process.account_name, + data_stream.dataset IN ("m365_defender.alert", "m365_defender.incident") AND process.user.name IS NOT NULL, process.user.name, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "m365_defender.event" AND user.name IS NULL AND source.ip IS NOT NULL, source.ip, + null + )`, + }, + { + id: "event_action", + section: "Combined ES|QL \u2014 event action", + esql: `| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "m365_defender.event" AND m365_defender.event.action.type IS NOT NULL, m365_defender.event.action.type, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + host.target.id = CASE( + host.target.id IS NOT NULL, host.target.id, + data_stream.dataset == "m365_defender.event" AND event.action IN ("samr-query", "dns-query") AND m365_defender.event.additional_fields.DestinationComputerObjectGuid IS NOT NULL, m365_defender.event.additional_fields.DestinationComputerObjectGuid, + data_stream.dataset IN ("m365_defender.alert", "m365_defender.incident") AND host.id IS NOT NULL, host.id, + data_stream.dataset == "m365_defender.event" AND event.action NOT IN ("samr-query", "dns-query", "logonsuccess", "logonfailed") AND host.id IS NOT NULL, host.id, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "m365_defender.event" AND 
m365_defender.event.destination.device_name IS NOT NULL, m365_defender.event.destination.device_name, + data_stream.dataset IN ("m365_defender.alert", "m365_defender.incident") AND host.name IS NOT NULL, host.name, + data_stream.dataset == "m365_defender.event" AND event.action NOT IN ("samr-query", "dns-query", "logonsuccess", "logonfailed") AND host.name IS NOT NULL, host.name, + null + ), + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset == "m365_defender.event" AND destination.ip IS NOT NULL, destination.ip, + null + ), + user.target.name = CASE( + user.target.name IS NOT NULL, user.target.name, + data_stream.dataset == "m365_defender.event" AND m365_defender.event.query.target IS NOT NULL, m365_defender.event.query.target, + null + ), + user.target.email = CASE( + user.target.email IS NOT NULL, user.target.email, + data_stream.dataset == "m365_defender.event" AND email.to.address IS NOT NULL, email.to.address, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "m365_defender.event" AND application.name IS NOT NULL, application.name, + data_stream.dataset == "m365_defender.alert" AND m365_defender.alert.service_source IS NOT NULL, m365_defender.alert.service_source, + data_stream.dataset == "m365_defender.incident" AND m365_defender.incident.alert.service_source IS NOT NULL, m365_defender.incident.alert.service_source, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset IN ("m365_defender.event", "m365_defender.alert") AND file.hash.sha256 IS NOT NULL, file.hash.sha256, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/mergeEval.ts b/dev/domain/esql-evaluations/mergeEval.ts new file mode 100644 index 00000000000..a69186f8ad3 --- /dev/null +++ b/dev/domain/esql-evaluations/mergeEval.ts 
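Review bot: `entity.target.id` in the target section is populated from `file.hash.sha256` for the event and alert datasets, but the `entity.target.type` helper in the optional_classification section has no branch for that case, so a record whose only target is a file hash ends up with an id and either no type or a type ("service"/"user"/"host") chosen by an unrelated field. Presumably a branch such as `data_stream.dataset IN ("m365_defender.event", "m365_defender.alert") AND file.hash.sha256 IS NOT NULL, "file"` belongs in that CASE; since CASE takes the first matching branch, its position relative to the existing ones decides precedence when several of those fields are present, so confirm the intended priority before placing it. The `host.ip` actor branch also tests `user.name IS NULL` inside the same EVAL that assigns `user.name` two assignments earlier; if ES|QL resolves that against the freshly assigned value this is deliberate ordering, and a one-line comment on the snippet saying so would keep a future reorder from silently changing which records get a `host.ip` actor.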
@@ -0,0 +1,205 @@
+/** Parse and merge `| EVAL` snippets from integration evaluation constants. */
+
+export interface CaseBranch {
+ readonly condition: string;
+ readonly value: string;
+}
+
+export interface ParsedAssignment {
+ readonly column: string;
+ readonly hasPreserve: boolean;
+ readonly branches: readonly CaseBranch[];
+ readonly defaultValue: string;
+}
+
+const PRESERVE_RE = /^\S+\s+IS NOT NULL$/;
+
+export function splitTopLevel(input: string): string[] {
+ const parts: string[] = [];
+ let depth = 0;
+ let inString: '"' | "'" | null = null;
+ let start = 0;
+
+ for (let i = 0; i < input.length; i++) {
+ const c = input[i]!;
+ if (inString) {
+ if (c === "\\") {
+ i++;
+ continue;
+ }
+ if (c === inString) {
+ inString = null;
+ }
+ continue;
+ }
+ if (c === '"' || c === "'") {
+ inString = c;
+ continue;
+ }
+ if (c === "(") {
+ depth++;
+ } else if (c === ")") {
+ depth--;
+ } else if (c === "," && depth === 0) {
+ parts.push(input.slice(start, i).trim());
+ start = i + 1;
+ }
+ }
+
+ const tail = input.slice(start).trim();
+ if (tail.length > 0) {
+ parts.push(tail);
+ }
+ return parts;
+}
+
+function findMatchingParen(input: string, openIdx: number): number {
+ let depth = 0;
+ let inString: '"' | "'" | null = null;
+
+ for (let i = openIdx; i < input.length; i++) {
+ const c = input[i]!;
+ if (inString) {
+ if (c === "\\") {
+ i++;
+ continue;
+ }
+ if (c === inString) {
+ inString = null;
+ }
+ continue;
+ }
+ if (c === '"' || c === "'") {
+ inString = c;
+ continue;
+ }
+ if (c === "(") {
+ depth++;
+ } else if (c === ")") {
+ depth--;
+ if (depth === 0) {
+ return i;
+ }
+ }
+ }
+
+ throw new Error(`Unbalanced parentheses near: ${input.slice(openIdx, openIdx + 40)}`);
+}
+
+export function splitEvalAssignments(evalBody: string): { column: string; caseExpr: string }[] {
+ const body = evalBody.replace(/^\|\s*EVAL\s*\n?/, "").trim();
+ const assignments: { column: string; caseExpr: string }[] = [];
+ let cursor = 0;
+
+ while (cursor < body.length) {
+ while (cursor < body.length && /[\s,]/.test(body[cursor]!)) {
+ cursor++;
+ }
+ if (cursor >= body.length) {
+ break;
+ }
+
+ const caseMarker = body.indexOf(" = CASE(", cursor);
+ if (caseMarker === -1) {
+ break;
+ }
+
+ const column = body.slice(cursor, caseMarker).trim();
+ const openParen = caseMarker + " = CASE(".length - 1;
+ const closeParen = findMatchingParen(body, openParen);
+ const caseExpr = body.slice(caseMarker + " = ".length, closeParen + 1).trim();
+ assignments.push({ column, caseExpr });
+ cursor = closeParen + 1;
+ }
+
+ return assignments;
+}
+
+export function parseCaseExpression(column: string, caseExpr: string): ParsedAssignment {
+ if (!caseExpr.startsWith("CASE(") || !caseExpr.endsWith(")")) {
+ throw new Error(`Expected CASE(...) for column ${column}`);
+ }
+
+ const args = splitTopLevel(caseExpr.slice(5, -1));
+ let index = 0;
+ let hasPreserve = false;
+
+ if (args.length >= 2 && PRESERVE_RE.test(args[0]!) && args[1]!.trim() === column) {
+ hasPreserve = true;
+ index = 2;
+ }
+
+ const tail = args.slice(index);
+ let defaultValue = "null";
+ let branchArgs = tail;
+
+ if (tail.length % 2 === 1) {
+ defaultValue = tail[tail.length - 1]!.trim();
+ branchArgs = tail.slice(0, -1);
+ }
+
+ const branches: CaseBranch[] = [];
+ for (let i = 0; i < branchArgs.length; i += 2) {
+ branches.push({
+ condition: branchArgs[i]!.trim(),
+ value: branchArgs[i + 1]!.trim(),
+ });
+ }
+
+ return { column, hasPreserve, branches, defaultValue };
+}
+
+export function parseEvalSnippet(esql: string): ParsedAssignment[] {
+ return splitEvalAssignments(esql).map(({ column, caseExpr }) =>
+ parseCaseExpression(column, caseExpr),
+ );
+}
+
+export function mergeAssignments(
+ left: ParsedAssignment,
+ right: ParsedAssignment,
+): ParsedAssignment {
+ if (left.column !== right.column) {
+ throw new Error(`Column mismatch: ${left.column} vs ${right.column}`);
+ }
+
+ const seen = new Set();
+ const branches: CaseBranch[] = [];
+
+ for (const branch of [...left.branches, ...right.branches]) {
+ const key = `${branch.condition}\0${branch.value}`;
+ if (seen.has(key)) {
+ continue;
+ }
+ seen.add(key);
+ branches.push(branch);
+ }
+
+ return {
+ column: left.column,
+ hasPreserve: left.hasPreserve || right.hasPreserve,
+ branches,
+ defaultValue: left.defaultValue || right.defaultValue || "null",
+ };
+}
+
+export function formatCaseAssignment(assignment: ParsedAssignment): string {
+ const parts: string[] = [];
+
+ if (assignment.hasPreserve) {
+ parts.push(`${assignment.column} IS NOT NULL`, assignment.column);
+ }
+
+ for (const branch of assignment.branches) {
+ parts.push(branch.condition, branch.value);
+ }
+
+ parts.push(assignment.defaultValue);
+
+ const lines = parts.map((part, idx) => {
+ const suffix = idx < parts.length - 1 ? "," : "";
+ return ` ${part}${suffix}`;
+ });
+
+ return ` ${assignment.column} = CASE(\n${lines.join("\n")}\n )`;
+}
diff --git a/dev/domain/esql-evaluations/microsoft_dhcp.ts b/dev/domain/esql-evaluations/microsoft_dhcp.ts
new file mode 100644
index 00000000000..3403b8098fd
--- /dev/null
+++ b/dev/domain/esql-evaluations/microsoft_dhcp.ts
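Review bot: `splitEvalAssignments` silently mishandles any assignment that is not `<column> = CASE(...)`: the `indexOf(" = CASE(", cursor)` search either swallows a preceding non-CASE assignment (such as the `actor_exists = … OR …` lines in the `detection_flags` snippets elsewhere in this commit) into the next `column` string, or drops it entirely via the `break` when no CASE follows, so a merged snippet can lose rules with no error. A guard right after `const column = …` makes that loud: ``if (column.length === 0 || /[\s=]/.test(column)) throw new Error(`Unsupported EVAL assignment (expected "<column> = CASE(...)"): ${column}`);``. Relatedly, `mergeAssignments` resolves `defaultValue` with `||`, but `parseCaseExpression` always yields the non-empty string "null" for a missing default, so the right side's default is never consulted; if the intent is "first default that is not the null literal", compare against "null" explicitly, otherwise document that the left default wins. `const seen = new Set();` would also read better as `new Set<string>()` so the key type is visible.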
@@ -0,0 +1,90 @@ +import type { IntegrationEvaluations } from "./types"; + +export const microsoft_dhcpEvaluations = { + integration: "microsoft_dhcp", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + host.name = CASE( + data_stream.dataset == "microsoft_dhcp.log" AND event.action != "rogue-server-detection" AND event.code != "1103" AND source.address IS NOT NULL, source.address, + null + ), + host.ip = CASE( + data_stream.dataset == "microsoft_dhcp.log" AND event.action NOT IN ("dhcp-new", "dhcp-renew", "dhcp-release", "dhcp-deny", "dhcp-delete", "dhcp-expire", "dhcpv6-bad-address", "dhcpv6-address-in-use", "dhcpv6-client-deleted", "dhcpv6-expired", "dhcpv6-lease-expired-deleted", "log-start", "log-end", "log-pause", "log-stop", "ip-cleanup-start", "ip-cleanup-end", "dhcpv6-cleanup-start", "dhcpv6-cleanup-end", "dhcpv6-stateless-clients-pruged", "dhcpv6-stateless-clients-expired", "rogue-server-detection") AND (source.mac IS NOT NULL OR microsoft.dhcp.duid.hex IS NOT NULL) AND source.ip IS NOT NULL, source.ip, + null + ), + entity.id = CASE( + entity.id IS NOT NULL, entity.id, + data_stream.dataset == "microsoft_dhcp.log" AND microsoft.dhcp.duid.hex IS NOT NULL, microsoft.dhcp.duid.hex, + data_stream.dataset == 
"microsoft_dhcp.log" AND source.mac IS NOT NULL AND source.mac != "00-00-00-00-00-00", source.mac, + null + ), + entity.type = CASE( + entity.type IS NOT NULL, entity.type, + data_stream.dataset == "microsoft_dhcp.log" AND (source.mac IS NOT NULL OR microsoft.dhcp.duid.hex IS NOT NULL) AND event.action != "rogue-server-detection", "host", + null + ), + entity.name = CASE( + entity.name IS NOT NULL, entity.name, + data_stream.dataset == "microsoft_dhcp.log" AND (event.action == "rogue-server-detection" OR event.code == "1103") AND source.domain IS NOT NULL, source.domain, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-new", "dhcp-renew", "dhcp-release", "dhcp-deny", "dhcp-delete", "dhcp-expire", "dhcpv6-bad-address", "dhcpv6-address-in-use", "dhcpv6-client-deleted", "dhcpv6-expired", "dhcpv6-lease-expired-deleted") AND source.ip IS NOT NULL, source.ip, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-new", "dhcp-dns-update", "ipv6-dns-update-request", "ipv6-dns-update-successful", "ipv6-dns-update-failed", "ipv6-dns-update-request-failed") AND source.address IS NOT NULL, source.address, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "microsoft_dhcp.log" AND event.action == "dhcp-dns-update", "DNS dynamic update service", + data_stream.dataset == "microsoft_dhcp.log" AND event.action == "dhcpv6-solicit", "Microsoft DHCP service", + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "microsoft_dhcp.log" AND (event.action == "rogue-server-detection" OR event.code == "1103") AND source.domain IS NOT NULL, source.domain, + 
null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "microsoft_dhcp.log" AND (event.action == "rogue-server-detection" OR event.code == "1103"), "general", + data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-new", "dhcp-renew", "dhcp-release", "dhcp-deny", "dhcp-delete", "dhcp-expire"), "host", + data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-dns-update", "ipv6-dns-update-request", "ipv6-dns-update-successful", "ipv6-dns-update-failed", "ipv6-dns-update-request-failed", "dhcpv6-solicit"), "service", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "microsoft_dhcp.log" AND (event.action == "rogue-server-detection" OR event.code == "1103"), "ad-domain", + data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-new", "dhcp-renew", "dhcp-release", "dhcp-deny", "dhcp-delete", "dhcp-expire"), "ip_lease", + data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-dns-update", "ipv6-dns-update-request", "ipv6-dns-update-successful", "ipv6-dns-update-failed", "ipv6-dns-update-request-failed"), "dns", + data_stream.dataset == "microsoft_dhcp.log" AND event.action == "dhcpv6-solicit", "dhcp", + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/microsoft_intune.ts b/dev/domain/esql-evaluations/microsoft_intune.ts new file mode 100644 index 00000000000..d31e1df3e36 --- /dev/null +++ b/dev/domain/esql-evaluations/microsoft_intune.ts 
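Review bot: `host.name` and `host.ip` in the actor section are the only CASE assignments in this hunk without the leading `<column> IS NOT NULL, <column>` preserve branch, so any record that fails their condition (every non-`microsoft_dhcp.log` dataset, a `rogue-server-detection` event, or a lease event without `source.mac`/duid) has its existing `host.name`/`host.ip` overwritten with null instead of left alone. If that is not intentional, add `host.name IS NOT NULL, host.name,` and `host.ip IS NOT NULL, host.ip,` as the first branch of each CASE, which also lets the merge helper in this commit recognise them as preserving assignments. Separately, the `host.ip` exclusion list contains the literal `"dhcpv6-stateless-clients-pruged"`; if that spelling does not match the value the ingest pipeline actually emits, that event type is never excluded and its `source.ip` is attributed as an actor host, so it is worth checking against the pipeline's action values.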
@@ -0,0 +1,49 @@
+import type { IntegrationEvaluations } from "./types";
+
+export const microsoft_intuneEvaluations = {
+ integration: "microsoft_intune",
+ evaluations: [
+ {
+ id: "actor",
+ section: "Combined ES|QL \u2014 actor fields",
+ esql: `| EVAL
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset == "microsoft_intune.audit" AND user.email IS NOT NULL, user.email,
+ null
+ )`,
+ },
+ {
+ id: "target",
+ section: "Combined ES|QL \u2014 target fields",
+ esql: `| EVAL
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "microsoft_intune.audit" AND event.action == "delete-devicemanagementconfigurationpolicy" AND microsoft_intune.audit.properties.target_object_ids IS NOT NULL, MV_FIRST(microsoft_intune.audit.properties.target_object_ids),
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "microsoft_intune.audit" AND event.action == "delete-devicemanagementconfigurationpolicy" AND destination.domain IS NOT NULL, MV_FIRST(destination.domain),
+ data_stream.dataset == "microsoft_intune.audit" AND event.action == "create-devicemanagementconfigurationpolicyassignment" AND microsoft_intune.audit.properties.target_display_names IS NOT NULL, MV_FIRST(microsoft_intune.audit.properties.target_display_names),
+ null
+ ),
+ entity.target.type = CASE(
+ entity.target.type IS NOT NULL, entity.target.type,
+ data_stream.dataset == "microsoft_intune.audit", "general",
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "microsoft_intune.audit" AND event.action == "delete-devicemanagementconfigurationpolicy", "intune-policy",
+ data_stream.dataset == "microsoft_intune.audit" AND event.action == "create-devicemanagementconfigurationpolicyassignment", "entra-group",
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "microsoft_intune.audit", "Microsoft Intune",
+ null
+ )`,
+ },
+ ],
+} as const satisfies IntegrationEvaluations;
diff --git a/dev/domain/esql-evaluations/openai.ts b/dev/domain/esql-evaluations/openai.ts
new file mode 100644
index 00000000000..b925672f2a2
--- /dev/null
+++ b/dev/domain/esql-evaluations/openai.ts
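Review bot: `entity.target.type` is set to "general" and `service.target.name` to "Microsoft Intune" for every `microsoft_intune.audit` record, while `entity.target.id`, `entity.target.name` and `entity.target.sub_type` are only populated for the `delete-devicemanagementconfigurationpolicy` and `create-devicemanagementconfigurationpolicyassignment` actions, so every other audit action carries an entity target type with no identifier or name behind it. If the type is meant to accompany an identified entity, gate it on the same two actions, e.g. `data_stream.dataset == "microsoft_intune.audit" AND event.action IN ("delete-devicemanagementconfigurationpolicy", "create-devicemanagementconfigurationpolicyassignment"), "general"`. The `MV_FIRST(destination.domain)` choice for the deleted policy's name is not self-explanatory either; a comment on the snippet naming which pipeline field lands in `destination.domain` would help the next reader.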
@@ -0,0 +1,84 @@ +import type { IntegrationEvaluations } from "./types"; + +export const openaiEvaluations = { + integration: "openai", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.user_id IS NOT NULL, openai.base.user_id, + null + ), + entity.id = CASE( + entity.id IS NOT NULL, entity.id, + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.api_key_id IS NOT NULL, openai.base.api_key_id, + data_stream.dataset IN ("openai.vector_stores", "openai.code_interpreter_sessions") AND openai.base.project_id IS NOT NULL AND openai.base.project_id != "", openai.base.project_id, + null + ), + entity.type = CASE( + entity.type IS NOT NULL, entity.type, + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND 
openai.base.api_key_id IS NOT NULL, "api_key", + data_stream.dataset IN ("openai.vector_stores", "openai.code_interpreter_sessions"), "project", + null + )`, + }, + { + id: "event_action", + section: "Combined ES|QL \u2014 event action", + esql: `| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "openai.images" AND openai.images.source IS NOT NULL, openai.images.source, + data_stream.dataset == "openai.completions", "completions", + data_stream.dataset == "openai.embeddings", "embeddings", + data_stream.dataset == "openai.moderations", "moderations", + data_stream.dataset == "openai.images", "images", + data_stream.dataset == "openai.audio_transcriptions", "audio_transcriptions", + data_stream.dataset == "openai.audio_speeches", "audio_speeches", + data_stream.dataset == "openai.vector_stores", "vector_stores", + data_stream.dataset == "openai.code_interpreter_sessions", "code_interpreter_sessions", + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + service.target.id = CASE( + service.target.id IS NOT NULL, service.target.id, + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.model IS NOT NULL, openai.base.model, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.model IS NOT NULL, openai.base.model, + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches", "openai.vector_stores", "openai.code_interpreter_sessions"), "OpenAI API", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, 
entity.target.sub_type, + data_stream.dataset == "openai.vector_stores", "vector_store", + data_stream.dataset == "openai.code_interpreter_sessions", "code_interpreter_session", + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.model IS NOT NULL, "foundation_model", + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/osquery.ts b/dev/domain/esql-evaluations/osquery.ts new file mode 100644 index 00000000000..7afa2771896 --- /dev/null +++ b/dev/domain/esql-evaluations/osquery.ts @@ -0,0 +1,7 @@ +import type { IntegrationEvaluations } from "./types"; + +export const osqueryEvaluations = { + integration: "osquery", + evaluations: [ + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/ping_federate.ts b/dev/domain/esql-evaluations/ping_federate.ts new file mode 100644 index 00000000000..59edc4b7702 --- /dev/null +++ b/dev/domain/esql-evaluations/ping_federate.ts 
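Review bot: In the target section the model is mapped to `service.target.id`/`service.target.name`, but its classification `"foundation_model"` is written to `entity.target.sub_type`, and this file never sets `entity.target.id` or `entity.target.name`, so that sub_type is attached to an entity target the record does not have; `service.target.sub_type` looks like the intended column for that branch, with the `vector_store`/`code_interpreter_session` branches staying on the entity side only if an entity id/name is also added for those datasets. The actor section has the mirror problem: `entity.type` becomes "project" for the vector_stores and code_interpreter_sessions datasets unconditionally, while `entity.id` for the same datasets requires a non-empty `openai.base.project_id`, so a typed actor with a null id is possible; gating the type branch on the same `project_id` test keeps them aligned.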
@@ -0,0 +1,70 @@ +import type { IntegrationEvaluations } from "./types"; + +export const ping_federateEvaluations = { + integration: "ping_federate", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset IN ("ping_federate.admin", "ping_federate.audit") AND source.ip IS NOT NULL, source.ip, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "ping_federate.admin" AND ping_federate.admin.component IS NOT NULL, ping_federate.admin.component, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "ping_federate.audit" AND ping_federate.audit.connection_id IS NOT NULL, ping_federate.audit.connection_id, + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "ping_federate.admin", "general", + data_stream.dataset == "ping_federate.audit" AND ping_federate.audit.local_user_id IS NOT NULL, "user", + data_stream.dataset == 
"ping_federate.audit" AND url.full IS NOT NULL, "general", + data_stream.dataset == "ping_federate.audit", "service", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "ping_federate.admin", "configuration-component", + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "ping_federate.audit" AND url.full IS NOT NULL, url.full, + data_stream.dataset == "ping_federate.audit" AND url.full IS NULL AND ping_federate.audit.connection_id IS NULL, "PingFederate", + null + ), + user.target.id = CASE( + user.target.id IS NOT NULL, user.target.id, + data_stream.dataset == "ping_federate.audit" AND ping_federate.audit.local_user_id IS NOT NULL, ping_federate.audit.local_user_id, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/ping_one.ts b/dev/domain/esql-evaluations/ping_one.ts new file mode 100644 index 00000000000..06a1cb7e481 --- /dev/null +++ b/dev/domain/esql-evaluations/ping_one.ts 
@@ -0,0 +1,110 @@ +import type { IntegrationEvaluations } from "./types"; + +export const ping_oneEvaluations = { + integration: "ping_one", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.ip IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "optional_classification", + section: "Optional classification helpers (when needed)", + esql: `| EVAL + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "ping_one.audit" AND event.action == "user.access_allowed", "service", + data_stream.dataset == "ping_one.audit" AND event.action IN ("user.created", "user.updated", "user.deleted", "password.check_failed", "password.check_succeeded", "password.set", "password.reset", "role_assignment.created"), "user", + data_stream.dataset == "ping_one.audit" AND STARTS_WITH(event.action, "application."), "general", + null + )`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + entity.id = CASE( + entity.id IS NOT NULL, entity.id, + data_stream.dataset == "ping_one.audit" AND client.user.id IS NOT NULL, client.user.id, + null + ), + entity.name = CASE( + entity.name IS NOT NULL, entity.name, + data_stream.dataset == "ping_one.audit" AND client.user.name IS NOT NULL, client.user.name, + null + ), + entity.type = CASE( + entity.type IS NOT NULL, entity.type, + data_stream.dataset == "ping_one.audit" AND client.user.id IS NOT NULL, "application", + null + ), + 
entity.sub_type = CASE( + entity.sub_type IS NOT NULL, entity.sub_type, + data_stream.dataset == "ping_one.audit" AND client.user.id IS NOT NULL, "pingone_application", + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "ping_one.audit" AND source.ip IS NOT NULL, source.ip, + null + )`, + }, + { + id: "event_action", + section: "Combined ES|QL \u2014 event action", + esql: `| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + service.target.id = CASE( + service.target.id IS NOT NULL, service.target.id, + data_stream.dataset == "ping_one.audit" AND event.action == "user.access_allowed" AND client.user.id IS NOT NULL, client.user.id, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "ping_one.audit" AND event.action == "user.access_allowed" AND client.user.name IS NOT NULL, client.user.name, + null + ), + service.target.type = CASE( + service.target.type IS NOT NULL, service.target.type, + data_stream.dataset == "ping_one.audit" AND event.action == "user.access_allowed", "pingone_application", + null + ), + user.target.id = CASE( + user.target.id IS NOT NULL, user.target.id, + data_stream.dataset == "ping_one.audit" AND event.action IN ("user.created", "user.updated", "user.deleted", "password.check_failed", "password.check_succeeded", "password.set", "password.reset", "role_assignment.created") AND event.action != "user.access_allowed" AND ping_one.audit.resources.id IS NOT NULL, ping_one.audit.resources.id, + null + ), + user.target.name = CASE( + user.target.name IS NOT NULL, user.target.name, + data_stream.dataset == "ping_one.audit" AND event.action IN ("user.created", "user.updated", "user.deleted", "password.check_failed", "password.check_succeeded", "password.set", "password.reset", "role_assignment.created") AND event.action != 
"user.access_allowed" AND ping_one.audit.resources.name IS NOT NULL, ping_one.audit.resources.name, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "ping_one.audit" AND STARTS_WITH(event.action, "application.") AND event.action != "user.access_allowed" AND ping_one.audit.resources.id IS NOT NULL, ping_one.audit.resources.id, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "ping_one.audit" AND STARTS_WITH(event.action, "application.") AND event.action != "user.access_allowed" AND ping_one.audit.resources.name IS NOT NULL, ping_one.audit.resources.name, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/prisma_cloud.ts b/dev/domain/esql-evaluations/prisma_cloud.ts new file mode 100644 index 00000000000..7f1c7128ce3 --- /dev/null +++ b/dev/domain/esql-evaluations/prisma_cloud.ts 
@@ -0,0 +1,77 @@ +import type { IntegrationEvaluations } from "./types"; + +export const prisma_cloudEvaluations = { + integration: "prisma_cloud", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset == "prisma_cloud.audit" AND user.email IS NOT NULL, user.email, + null + ), + entity.name = CASE( + entity.name IS NOT NULL, entity.name, + data_stream.dataset == "prisma_cloud.incident_audit" AND prisma_cloud.incident_audit.data.process_path IS NOT NULL, prisma_cloud.incident_audit.data.process_path, + null + ), + entity.type = CASE( + entity.type IS NOT NULL, entity.type, + data_stream.dataset == "prisma_cloud.incident_audit", "process", + null + )`, + }, + { + id: "event_action", + section: "Combined ES|QL \u2014 event action", + esql: `| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "prisma_cloud.incident_audit" AND prisma_cloud.incident_audit.data.attack.type IS NOT NULL, prisma_cloud.incident_audit.data.attack.type, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + service.target.name = 
CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "prisma_cloud.audit" AND event.action == "login", "Prisma Cloud CSPM console", + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "prisma_cloud.incident_audit" AND container.name IS NOT NULL, MV_FIRST(container.name), + data_stream.dataset == "prisma_cloud.incident_audit" AND host.hostname IS NOT NULL, host.hostname, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "prisma_cloud.incident_audit" AND container.id IS NOT NULL, container.id, + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "prisma_cloud.incident_audit" AND container.id IS NOT NULL, "container", + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/qualys_vmdr.ts b/dev/domain/esql-evaluations/qualys_vmdr.ts new file mode 100644 index 00000000000..4acadc44fd2 --- /dev/null +++ b/dev/domain/esql-evaluations/qualys_vmdr.ts 
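Review bot: In the actor block, `entity.type` is set to `"process"` for every `prisma_cloud.incident_audit` row, while `entity.name` is only populated when `prisma_cloud.incident_audit.data.process_path` is present, so rows without a process path get a typed actor entity with no name; the `entity.type` branch should carry the same guard, `data_stream.dataset == "prisma_cloud.incident_audit" AND prisma_cloud.incident_audit.data.process_path IS NOT NULL, "process",`. In the target block `host.target.name` wraps `container.name` in `MV_FIRST` but assigns `host.hostname` bare; if either field can be multi-valued the same treatment should apply to both, otherwise a short comment on why only `container.name` needs it would stop the next editor from "fixing" one side.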
@@ -0,0 +1,84 @@ +import type { IntegrationEvaluations } from "./types"; + +export const qualys_vmdrEvaluations = { + integration: "qualys_vmdr", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.name IS NOT NULL OR user.roles IS NOT NULL + OR source.ip IS NOT NULL + OR service.name IS NOT NULL OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "optional_classification", + section: "Optional classification helpers (when needed)", + esql: `| EVAL + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "qualys_vmdr.user_activity" AND event.action == "login", "service", + data_stream.dataset == "qualys_vmdr.user_activity" AND event.action == "request", "service", + data_stream.dataset == "qualys_vmdr.user_activity" AND event.provider == "host_attribute", "host", + data_stream.dataset == "qualys_vmdr.asset_host_detection", "host", + null + )`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset == "qualys_vmdr.user_activity" AND user.name IS NOT NULL, user.name, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "qualys_vmdr.user_activity" AND source.ip IS NOT NULL, source.ip, + null + ), + service.name = CASE( + service.name IS NOT NULL, service.name, + data_stream.dataset == "qualys_vmdr.asset_host_detection" AND 
qualys_vmdr.asset_host_detection.vulnerability.latest_vulnerability_detection_source IS NOT NULL, qualys_vmdr.asset_host_detection.vulnerability.latest_vulnerability_detection_source, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "qualys_vmdr.user_activity" AND event.action == "login", "Qualys VMDR", + data_stream.dataset == "qualys_vmdr.user_activity" AND event.action == "request" AND message IS NOT NULL, message, + null + ), + host.target.id = CASE( + host.target.id IS NOT NULL, host.target.id, + data_stream.dataset == "qualys_vmdr.asset_host_detection" AND host.id IS NOT NULL, host.id, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "qualys_vmdr.asset_host_detection" AND host.name IS NOT NULL, host.name, + null + ), + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset == "qualys_vmdr.asset_host_detection" AND host.ip IS NOT NULL, host.ip, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "qualys_vmdr.asset_host_detection" AND event.id IS NOT NULL, event.id, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/registry.ts b/dev/domain/esql-evaluations/registry.ts new file mode 100644 index 00000000000..8b20da8471c --- /dev/null +++ b/dev/domain/esql-evaluations/registry.ts 
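Review bot: `entity.target.id` takes `event.id` for `qualys_vmdr.asset_host_detection`, which identifies the log record rather than the detected asset or finding, so every detection document surfaces as a distinct target entity and nothing aggregates per host or per vulnerability. `host.target.id` in the same block already uses `host.id` for that dataset; a finding-level identifier, if this integration maps one, is the natural entity id, and if the per-event identity is intentional the line should carry a comment saying so. `service.target.name` also falls back to `message` for `request` actions; `message` is free text, so it is unbounded and will inflate target cardinality in whatever entity store consumes this.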
@@ -0,0 +1,100 @@ +import type { IntegrationEvaluations } from "./types"; + +import { aws_bedrockEvaluations } from "./aws_bedrock"; +import { aws_bedrock_agentcoreEvaluations } from "./aws_bedrock_agentcore"; +import { aws_cloudtrail_otelEvaluations } from "./aws_cloudtrail_otel"; +import { aws_securityhubEvaluations } from "./aws_securityhub"; +import { aws_vpcflow_otelEvaluations } from "./aws_vpcflow_otel"; +import { azure_ai_foundryEvaluations } from "./azure_ai_foundry"; +import { azure_app_serviceEvaluations } from "./azure_app_service"; +import { azure_openaiEvaluations } from "./azure_openai"; +import { checkpoint_emailEvaluations } from "./checkpoint_email"; +import { cisco_merakiEvaluations } from "./cisco_meraki"; +import { cisco_secure_email_gatewayEvaluations } from "./cisco_secure_email_gateway"; +import { cisco_umbrellaEvaluations } from "./cisco_umbrella"; +import { citrix_wafEvaluations } from "./citrix_waf"; +import { corelightEvaluations } from "./corelight"; +import { cyeraEvaluations } from "./cyera"; +import { darktraceEvaluations } from "./darktrace"; +import { entityanalytics_adEvaluations } from "./entityanalytics_ad"; +import { entityanalytics_oktaEvaluations } from "./entityanalytics_okta"; +import { extrahopEvaluations } from "./extrahop"; +import { forgerockEvaluations } from "./forgerock"; +import { fortinet_fortigateEvaluations } from "./fortinet_fortigate"; +import { gcp_vertexaiEvaluations } from "./gcp_vertexai"; +import { gitlabEvaluations } from "./gitlab"; +import { greenhouseEvaluations } from "./greenhouse"; +import { infoblox_bloxone_ddiEvaluations } from "./infoblox_bloxone_ddi"; +import { jamf_proEvaluations } from "./jamf_pro"; +import { linuxEvaluations } from "./linux"; +import { m365_defenderEvaluations } from "./m365_defender"; +import { microsoft_dhcpEvaluations } from "./microsoft_dhcp"; +import { microsoft_intuneEvaluations } from "./microsoft_intune"; +import { openaiEvaluations } from "./openai"; +import { 
osqueryEvaluations } from "./osquery"; +import { ping_federateEvaluations } from "./ping_federate"; +import { ping_oneEvaluations } from "./ping_one"; +import { prisma_cloudEvaluations } from "./prisma_cloud"; +import { qualys_vmdrEvaluations } from "./qualys_vmdr"; +import { salesforceEvaluations } from "./salesforce"; +import { servicenowEvaluations } from "./servicenow"; +import { slackEvaluations } from "./slack"; +import { snortEvaluations } from "./snort"; +import { snykEvaluations } from "./snyk"; +import { suricataEvaluations } from "./suricata"; +import { sysdigEvaluations } from "./sysdig"; +import { taniumEvaluations } from "./tanium"; +import { ti_mispEvaluations } from "./ti_misp"; +import { wizEvaluations } from "./wiz"; +import { zscaler_ziaEvaluations } from "./zscaler_zia"; + +/** All integration evaluation snippets keyed by package code. */ +export const allIntegrationEvaluations = { + "aws_bedrock": aws_bedrockEvaluations, + "aws_bedrock_agentcore": aws_bedrock_agentcoreEvaluations, + "aws_cloudtrail_otel": aws_cloudtrail_otelEvaluations, + "aws_securityhub": aws_securityhubEvaluations, + "aws_vpcflow_otel": aws_vpcflow_otelEvaluations, + "azure_ai_foundry": azure_ai_foundryEvaluations, + "azure_app_service": azure_app_serviceEvaluations, + "azure_openai": azure_openaiEvaluations, + "checkpoint_email": checkpoint_emailEvaluations, + "cisco_meraki": cisco_merakiEvaluations, + "cisco_secure_email_gateway": cisco_secure_email_gatewayEvaluations, + "cisco_umbrella": cisco_umbrellaEvaluations, + "citrix_waf": citrix_wafEvaluations, + "corelight": corelightEvaluations, + "cyera": cyeraEvaluations, + "darktrace": darktraceEvaluations, + "entityanalytics_ad": entityanalytics_adEvaluations, + "entityanalytics_okta": entityanalytics_oktaEvaluations, + "extrahop": extrahopEvaluations, + "forgerock": forgerockEvaluations, + "fortinet_fortigate": fortinet_fortigateEvaluations, + "gcp_vertexai": gcp_vertexaiEvaluations, + "gitlab": gitlabEvaluations, + 
"greenhouse": greenhouseEvaluations, + "infoblox_bloxone_ddi": infoblox_bloxone_ddiEvaluations, + "jamf_pro": jamf_proEvaluations, + "linux": linuxEvaluations, + "m365_defender": m365_defenderEvaluations, + "microsoft_dhcp": microsoft_dhcpEvaluations, + "microsoft_intune": microsoft_intuneEvaluations, + "openai": openaiEvaluations, + "osquery": osqueryEvaluations, + "ping_federate": ping_federateEvaluations, + "ping_one": ping_oneEvaluations, + "prisma_cloud": prisma_cloudEvaluations, + "qualys_vmdr": qualys_vmdrEvaluations, + "salesforce": salesforceEvaluations, + "servicenow": servicenowEvaluations, + "slack": slackEvaluations, + "snort": snortEvaluations, + "snyk": snykEvaluations, + "suricata": suricataEvaluations, + "sysdig": sysdigEvaluations, + "tanium": taniumEvaluations, + "ti_misp": ti_mispEvaluations, + "wiz": wizEvaluations, + "zscaler_zia": zscaler_ziaEvaluations, +} as const satisfies Record; diff --git a/dev/domain/esql-evaluations/salesforce.ts b/dev/domain/esql-evaluations/salesforce.ts new file mode 100644 index 00000000000..9ef4562fd1d --- /dev/null +++ b/dev/domain/esql-evaluations/salesforce.ts 
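Review bot: `} as const satisfies Record;` at the end of the hunk has no type arguments, which TypeScript rejects (`Record` needs key and value types); if the `<string, IntegrationEvaluations>` was dropped when this page was rendered this is moot, otherwise it should read `} as const satisfies Record<string, IntegrationEvaluations>;`. The map is maintained by hand and nothing ties each key to the `integration` string inside the value it points at, so a test that iterates `Object.entries(allIntegrationEvaluations)` and asserts `value.integration === key` would catch a copy-paste mismatch before it routes one integration's ES|QL to another. The quoted keys are all plain identifiers, so the quotes are noise under the usual lint rules.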
@@ -0,0 +1,96 @@ +import type { IntegrationEvaluations } from "./types"; + +export const salesforceEvaluations = { + integration: "salesforce", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.roles IS NOT NULL OR host.ip IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset == "salesforce.setupaudittrail", salesforce.setup_audit_trail.created_by_id, + null + ), + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset IN ("salesforce.login", "salesforce.logout"), user.email, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset IN ("salesforce.login", "salesforce.logout", "salesforce.apex"), source.ip, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + user.target.email = CASE( + user.target.email IS NOT NULL, user.target.email, + data_stream.dataset == "salesforce.setupaudittrail" AND salesforce.setup_audit_trail.display IS NOT NULL, user.email, + null + ), + user.target.name = CASE( + user.target.name IS NOT NULL, user.target.name, + data_stream.dataset == "salesforce.setupaudittrail" AND salesforce.setup_audit_trail.display IS NOT NULL, user.name, + null + ), + user.target.domain = CASE( + user.target.domain IS NOT NULL, user.target.domain, + data_stream.dataset == "salesforce.setupaudittrail" AND salesforce.setup_audit_trail.display IS NOT 
NULL, user.domain, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "salesforce.login" AND event.action == "login-attempt" AND salesforce.login.application IS NOT NULL, salesforce.login.application, + data_stream.dataset == "salesforce.login" AND event.action == "login-attempt", "Salesforce", + data_stream.dataset == "salesforce.logout" AND event.action == "logout", "Salesforce", + null + ), + service.target.id = CASE( + service.target.id IS NOT NULL, service.target.id, + data_stream.dataset == "salesforce.apex" AND event.action == "apex-trigger", salesforce.apex.trigger_id, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "salesforce.login" AND event.action == "login-attempt", event.url, + data_stream.dataset == "salesforce.apex" AND event.action == "apex-callout", event.url, + data_stream.dataset == "salesforce.apex" AND event.action == "apex-external-custom-callout" AND salesforce.apex.entity IS NOT NULL, salesforce.apex.entity, + data_stream.dataset == "salesforce.apex" AND event.action IN ("apex-soap", "apex-rest", "apex-execution") AND salesforce.apex.class_name IS NOT NULL, salesforce.apex.class_name, + data_stream.dataset == "salesforce.apex" AND event.action == "apex-trigger" AND salesforce.apex.trigger_name IS NOT NULL, salesforce.apex.trigger_name, + data_stream.dataset == "salesforce.apex" AND salesforce.apex.entity_name IS NOT NULL, salesforce.apex.entity_name, + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "salesforce.login" AND event.action == "login-attempt", "service", + data_stream.dataset == "salesforce.setupaudittrail" AND salesforce.setup_audit_trail.section == "Manage Users", "user", + data_stream.dataset == "salesforce.setupaudittrail" AND salesforce.setup_audit_trail.section == "Connected Apps", "connected_app", + 
data_stream.dataset == "salesforce.apex" AND event.action IN ("apex-callout", "apex-external-custom-callout"), "URL",
+ data_stream.dataset == "salesforce.apex" AND event.action == "apex-trigger", "apex_artifact",
+ data_stream.dataset == "salesforce.apex" AND event.action IN ("apex-soap", "apex-rest", "apex-execution"), "apex_artifact",
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "salesforce.login" AND event.action == "login-attempt" AND salesforce.login.application IS NOT NULL, "connected_app",
+ data_stream.dataset == "salesforce.setupaudittrail", salesforce.setup_audit_trail.section,
+ null
+ )`,
+ },
+ ],
+} as const satisfies IntegrationEvaluations;
diff --git a/dev/domain/esql-evaluations/servicenow.ts b/dev/domain/esql-evaluations/servicenow.ts
new file mode 100644
index 00000000000..c615a16384c
--- /dev/null
+++ b/dev/domain/esql-evaluations/servicenow.ts
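Review bot: In the target block, `user.target.email`, `user.target.name` and `user.target.domain` for `salesforce.setupaudittrail` copy `user.email`, `user.name` and `user.domain`, which in ECS terms describe the acting user of the event, so the target ends up being the actor and any rule that compares actor to target (self-modification, privilege granted to self) would match on every setup-audit row. If the setup audit trail exposes the affected user separately that field belongs here; if it does not, these three branches should be dropped rather than emit a misleading target. `entity.target.type` also yields `"URL"` while every other value is lower snake case (`"apex_artifact"`, `"connected_app"`); a consistent token such as `"url"` avoids a case-sensitive miss downstream.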
@@ -0,0 +1,32 @@
+import type { IntegrationEvaluations } from "./types";
+
+export const servicenowEvaluations = {
+ integration: "servicenow",
+ evaluations: [
+ {
+ id: "detection_flags",
+ section: "Detection flags (mandatory \u2014 run first)",
+ esql: `| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.full_name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL`,
+ },
+ {
+ id: "event_action",
+ section: "Combined ES|QL \u2014 event action",
+ esql: `| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "servicenow.event" AND TO_BOOLEAN(servicenow.event.applied.value) == true, "cmdb-baseline-applied",
+ data_stream.dataset == "servicenow.event" AND servicenow.event.table_name IS NOT NULL, servicenow.event.table_name,
+ null
+ )`,
+ },
+ ],
+} as const satisfies IntegrationEvaluations;
diff --git a/dev/domain/esql-evaluations/slack.ts b/dev/domain/esql-evaluations/slack.ts
new file mode 100644
index 00000000000..4fcff909c5e
--- /dev/null
+++ b/dev/domain/esql-evaluations/slack.ts
@@ -0,0 +1,80 @@ +import type { IntegrationEvaluations } from "./types"; + +export const slackEvaluations = { + integration: "slack", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.full_name IS NOT NULL OR user.email IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "optional_classification", + section: "Optional classification helpers (when needed)", + esql: `| EVAL + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "slack.audit" AND event.action == "user_login", "service", + data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "user" AND event.action != "user_login", "user", + data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "file", "general", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "file", "file", + null + )`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "slack.audit", user.full_name, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "slack.audit" AND event.action == "user_login", "Slack", + null + ), + user.target.id = CASE( + user.target.id IS NOT NULL, 
user.target.id, + data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "user" AND event.action != "user_login", slack.audit.entity.id, + null + ), + user.target.name = CASE( + user.target.name IS NOT NULL, user.target.name, + data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "user" AND event.action != "user_login", slack.audit.entity.name, + null + ), + user.target.email = CASE( + user.target.email IS NOT NULL, user.target.email, + data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "user" AND event.action != "user_login", slack.audit.entity.email, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "file", slack.audit.entity.id, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "file", slack.audit.entity.name, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/snort.ts b/dev/domain/esql-evaluations/snort.ts new file mode 100644 index 00000000000..c8620e9b784 --- /dev/null +++ b/dev/domain/esql-evaluations/snort.ts 
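Review bot: The predicate `data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "user" AND event.action != "user_login"` is repeated verbatim in `user.target.id`, `user.target.name` and `user.target.email`, and once more in the classification block, so a change to the login exclusion has to be made in four places. A leading `is_user_target = ...` EVAL, or at least a comment at the first occurrence stating that `user_login` events are excluded because their target is the Slack service rather than the user, would make the intent survive later edits.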
@@ -0,0 +1,67 @@
+import type { IntegrationEvaluations } from "./types";
+
+export const snortEvaluations = {
+ integration: "snort",
+ evaluations: [
+ {
+ id: "detection_flags",
+ section: "Detection flags (mandatory \u2014 run first)",
+ esql: `| EVAL
+ actor_exists = host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL`,
+ },
+ {
+ id: "actor",
+ section: "Combined ES|QL \u2014 actor fields",
+ esql: `| EVAL
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "snort.log" AND source.ip IS NOT NULL, source.ip,
+ data_stream.dataset == "snort.log" AND source.ip IS NULL AND source.address IS NOT NULL, source.address,
+ null
+ ),
+ host.id = CASE(
+ host.id IS NOT NULL, host.id,
+ data_stream.dataset == "snort.log" AND source.ip IS NOT NULL, TO_STRING(source.ip),
+ data_stream.dataset == "snort.log" AND source.ip IS NULL AND source.mac IS NOT NULL, source.mac,
+ null
+ )`,
+ },
+ {
+ id: "event_action",
+ section: "Combined ES|QL \u2014 event action",
+ esql: `| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "snort.log" AND rule.description IS NOT NULL, rule.description,
+ null
+ )`,
+ },
+ {
+ id: "target",
+ section: "Combined ES|QL \u2014 target fields",
+ esql: `| EVAL
+ host.target.ip = CASE(
+ host.target.ip IS NOT NULL, host.target.ip,
+ data_stream.dataset == "snort.log" AND destination.ip IS NOT NULL, destination.ip,
+ data_stream.dataset == "snort.log" AND destination.ip IS NULL AND destination.address IS NOT NULL, destination.address,
+ data_stream.dataset == "snort.log" AND destination.ip IS NULL AND destination.mac IS NOT NULL,
destination.mac,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "snort.log" AND network.protocol IS NOT NULL AND network.protocol != "unknown", network.protocol,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "snort.log" AND rule.description IS NOT NULL, rule.description,
+ null
+ )`,
+ },
+ ],
+} as const satisfies IntegrationEvaluations;
diff --git a/dev/domain/esql-evaluations/snyk.ts b/dev/domain/esql-evaluations/snyk.ts
new file mode 100644
index 00000000000..d2cdb775ec5
--- /dev/null
+++ b/dev/domain/esql-evaluations/snyk.ts
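Review bot: `host.ip` and `host.target.ip` mix result types across their CASE branches — `source.ip`/`destination.ip` are `ip` values while `source.address`, `destination.address` and `destination.mac` are strings — and ES|QL `CASE` requires its result branches to share one type, so these EVALs will be rejected at parse time; `host.id` in the same block already shows the pattern with `TO_STRING(source.ip)`, so either the `ip` branches get the same cast or the string fallbacks get `TO_IP`, and the `destination.mac` branch belongs in `host.target.id` or `host.target.mac` rather than an ip field. Separately, `host.id = TO_STRING(source.ip)` makes a network address the host identity; behind NAT or with DHCP churn that splits one host into many entities or merges several into one, which deserves a comment acknowledging the trade-off if it is intentional.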
@@ -0,0 +1,80 @@ +import type { IntegrationEvaluations } from "./types"; + +export const snykEvaluations = { + integration: "snyk", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "optional_classification", + section: "Optional classification helpers (when needed)", + esql: `| EVAL + entity.type = CASE( + entity.type IS NOT NULL, entity.type, + data_stream.dataset == "snyk.audit_logs" AND user.id IS NULL, "service", + data_stream.dataset == "snyk.issues", "service", + null + ), + entity.sub_type = CASE( + entity.sub_type IS NOT NULL, entity.sub_type, + data_stream.dataset == "snyk.audit_logs" AND user.id IS NULL, "Snyk platform worker", + data_stream.dataset == "snyk.issues", "Snyk scanner", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "snyk.issues", snyk.issues.attributes.type, + data_stream.dataset == "snyk.audit_logs" AND snyk.audit_logs.project_id IS NOT NULL, "project", + data_stream.dataset == "snyk.audit_logs" AND event.action == "org.target.create", "target", + data_stream.dataset == "snyk.audit_logs" AND event.action == "group.service_account.create", "service_account", + null + )`, + }, + { + id: "actor", + section: "Combined ES|QL 
\u2014 actor fields", + esql: `| EVAL + service.name = CASE( + service.name IS NOT NULL, service.name, + data_stream.dataset == "snyk.audit_logs" AND user.id IS NULL, "Snyk", + data_stream.dataset == "snyk.issues", "Snyk", + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + user.target.email = CASE( + user.target.email IS NOT NULL, user.target.email, + data_stream.dataset == "snyk.audit_logs" AND event.action == "org.user.invite", snyk.audit_logs.content.email, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "snyk.audit_logs" AND snyk.audit_logs.project_id IS NOT NULL, snyk.audit_logs.project_id, + data_stream.dataset == "snyk.audit_logs" AND event.action == "org.target.create", snyk.audit_logs.content.targetId, + data_stream.dataset == "snyk.audit_logs" AND event.action == "group.service_account.create", snyk.audit_logs.content.serviceAccountPublicId, + data_stream.dataset == "snyk.issues", snyk.issues.id, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "snyk.issues", snyk.issues.attributes.title, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/suricata.ts b/dev/domain/esql-evaluations/suricata.ts new file mode 100644 index 00000000000..03280ec658f --- /dev/null +++ b/dev/domain/esql-evaluations/suricata.ts 
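Review bot: The classification block treats `user.id IS NULL` on `snyk.audit_logs` as proof of platform activity (`entity.type = "service"`, `entity.sub_type = "Snyk platform worker"`, and `service.name = "Snyk"` in the actor block), but a missing `user.id` is also exactly what a parsing gap or an unmapped actor field looks like, so attribution failures would be filed silently as automation instead of surfacing as unattributed events. If the Snyk audit log carries an explicit actor-kind field these branches should be gated on it; otherwise a comment at the first `user.id IS NULL` branch stating the assumption, and that it must be re-checked when the field mapping changes, is the minimum. The same condition is spelled out again in the actor block rather than reusing the classification result, so the two can drift.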
@@ -0,0 +1,83 @@ +import type { IntegrationEvaluations } from "./types"; + +export const suricataEvaluations = { + integration: "suricata", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "suricata.eve" AND event.kind != "metric" AND MV_CONTAINS(suricata.eve.alert.hostile, "dest_ip"), TO_STRING(destination.ip), + data_stream.dataset == "suricata.eve" AND event.kind != "metric" AND source.ip IS NOT NULL, TO_STRING(source.ip), + null + ), + host.id = CASE( + host.id IS NOT NULL, host.id, + data_stream.dataset == "suricata.eve" AND event.kind != "metric" AND MV_CONTAINS(suricata.eve.alert.hostile, "dest_ip"), TO_STRING(destination.ip), + data_stream.dataset == "suricata.eve" AND event.kind != "metric" AND source.ip IS NOT NULL, TO_STRING(source.ip), + null + ), + host.mac = CASE( + host.mac IS NOT NULL, host.mac, + data_stream.dataset == "suricata.eve" AND source.mac IS NOT NULL, source.mac, + null + )`, + }, + { + id: "event_action", + section: "Combined ES|QL \u2014 event action", + esql: `| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "suricata.eve" AND event.kind == "alert" AND rule.name IS NOT NULL, rule.name, + data_stream.dataset == "suricata.eve" AND suricata.eve.event_type == "dns" AND dns.type IS NOT NULL, dns.type, + data_stream.dataset == 
"suricata.eve" AND suricata.eve.event_type == "http" AND http.request.method IS NOT NULL, http.request.method, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset == "suricata.eve" AND event.kind != "metric" AND destination.ip IS NOT NULL, destination.ip, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "suricata.eve" AND destination.domain IS NOT NULL, destination.domain, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "suricata.eve" AND network.protocol IS NOT NULL, network.protocol, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "suricata.eve" AND event.kind == "alert" AND rule.id IS NOT NULL, rule.id, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "suricata.eve" AND suricata.eve.event_type == "dns" AND dns.question.name IS NOT NULL, dns.question.name, + data_stream.dataset == "suricata.eve" AND event.kind == "alert" AND rule.name IS NOT NULL, rule.name, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/sysdig.ts b/dev/domain/esql-evaluations/sysdig.ts new file mode 100644 index 00000000000..6066030266d --- /dev/null +++ b/dev/domain/esql-evaluations/sysdig.ts 
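Review bot: When `MV_CONTAINS(suricata.eve.alert.hostile, "dest_ip")` holds, the actor block makes the destination the actor (`host.ip`/`host.id` from `destination.ip`), but the target block still assigns `host.target.ip = destination.ip`, so for those alerts actor and target are the same address and the real peer is lost; the target CASE needs a matching branch placed before the existing one, `data_stream.dataset == "suricata.eve" AND event.kind != "metric" AND MV_CONTAINS(suricata.eve.alert.hostile, "dest_ip"), source.ip,`. The actor block also returns `TO_STRING(destination.ip)` into `host.ip`, whose first branch returns `host.ip` itself; if `host.ip` is mapped as `ip` the branches differ in type and ES|QL `CASE` will reject the expression, while `host.target.ip` below assigns `destination.ip` uncast — the two should agree on one convention. The `host.mac` fallback lacks the `event.kind != "metric"` guard the other actor branches carry; if that is deliberate a comment would save the next reader the question.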
@@ -0,0 +1,103 @@ +import type { IntegrationEvaluations } from "./types"; + +export const sysdigEvaluations = { + integration: "sysdig", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset == "sysdig.alerts" AND event.provider == "syscall", sysdig.content.fields.user.uid, + null + ), + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "sysdig.alerts" AND event.provider == "syscall", sysdig.content.fields.user.name, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "sysdig.event" AND source.ip IS NOT NULL, source.ip, + null + ), + service.name = CASE( + service.name IS NOT NULL, service.name, + data_stream.dataset IN ("sysdig.cspm", "sysdig.vulnerability"), "Sysdig Secure", + null + )`, + }, + { + id: "event_action", + section: "Combined ES|QL \u2014 event action", + esql: `| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "sysdig.event" AND event.provider == "syscall" AND sysdig.event.content.fields.evt.type IS NOT NULL, sysdig.event.content.fields.evt.type, + data_stream.dataset 
== "sysdig.event" AND event.provider == "aws_cloudtrail" AND sysdig.event.content.fields.aws.event_name IS NOT NULL, sysdig.event.content.fields.aws.event_name, + data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND rule.name IS NOT NULL, rule.name, + data_stream.dataset == "sysdig.alerts" AND event.provider == "syscall" AND process.name IS NOT NULL, process.name, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND container.id IS NOT NULL, container.id, + data_stream.dataset == "sysdig.event" AND orchestrator.resource.name IS NOT NULL, orchestrator.resource.name, + data_stream.dataset == "sysdig.vulnerability", resource.id, + data_stream.dataset == "sysdig.alerts" AND event.provider == "aws_cloudtrail", cloud.account.id, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND container.name IS NOT NULL, container.name, + data_stream.dataset == "sysdig.alerts" AND sysdig.content.fields.container.name IS NOT NULL, sysdig.content.fields.container.name, + data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND orchestrator.resource.name IS NOT NULL, orchestrator.resource.name, + data_stream.dataset == "sysdig.event" AND sysdig.event.content.fields.fd.name IS NOT NULL, sysdig.event.content.fields.fd.name, + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND (container.id IS NOT NULL OR container.name IS NOT NULL), "container", + data_stream.dataset == "sysdig.cspm", sysdig.cspm.control.resource_kind, + data_stream.dataset == "sysdig.vulnerability" AND sysdig.vulnerability.asset_type == "containerImage", "container-image", + data_stream.dataset == 
"sysdig.vulnerability" AND sysdig.vulnerability.asset_type == "host", "host", + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset IN ("sysdig.event", "sysdig.vulnerability") AND host.name IS NOT NULL, host.name, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND event.provider == "aws_cloudtrail", event.provider, + null + ), + service.target.id = CASE( + service.target.id IS NOT NULL, service.target.id, + data_stream.dataset == "sysdig.alerts" AND event.provider == "aws_cloudtrail" AND cloud.account.id IS NOT NULL, cloud.account.id, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/tanium.ts b/dev/domain/esql-evaluations/tanium.ts new file mode 100644 index 00000000000..3768fc6cb38 --- /dev/null +++ b/dev/domain/esql-evaluations/tanium.ts 
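Review bot: For `sysdig.alerts` with `event.provider == "aws_cloudtrail"`, `cloud.account.id` is written to both `entity.target.id` (fourth branch) and `service.target.id`, so the same account shows up as two different target kinds on one document and downstream dedup/correlation will double-count it; pick one, presumably dropping the `entity.target.id` branch since `service.target.*` already carries the account. The `host.target.name = host.name` branch for `sysdig.event` / `sysdig.vulnerability` also reuses a field that the detection-flags snippet counts toward `actor_exists`, so the same host can be reported as both actor and target on one event — if that is intended, a comment like `// host.name is the subject of the finding here, not the reporting host` would make it explicit. Note the actor snippet reads `sysdig.content.fields.*` for `sysdig.alerts` while the action snippet reads `sysdig.event.content.fields.*` for `sysdig.event`; that looks deliberate per dataset, but a one-line comment naming the two prefixes would save the next reader a trip to the field mappings.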
@@ -0,0 +1,80 @@ +import type { IntegrationEvaluations } from "./types"; + +export const taniumEvaluations = { + integration: "tanium", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "tanium.action_history", tanium.action_history.issuer, + null + )`, + }, + { + id: "event_action", + section: "Combined ES|QL \u2014 event action", + esql: `| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.event.name IS NOT NULL AND tanium.threat_response.table IS NULL, tanium.threat_response.event.name, + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "tanium.action_history", TO_STRING(tanium.action_history.action.id), + data_stream.dataset == "tanium.endpoint_config", TO_STRING(tanium.endpoint_config.item.id), + data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.state.target.eid IS NOT NULL, 
tanium.threat_response.state.target.eid, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "tanium.action_history", tanium.action_history.action.name, + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "tanium.action_history", "tanium-action", + data_stream.dataset == "tanium.endpoint_config", tanium.endpoint_config.item.domain, + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "tanium.endpoint_config", tanium.endpoint_config.item.data_category, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.state.target.hostname IS NOT NULL, tanium.threat_response.state.target.hostname, + data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.event.name IS NOT NULL AND tanium.threat_response.state.target.hostname IS NULL, host.name, + null + ), + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset == "tanium.threat_response" AND source.ip IS NOT NULL, source.ip, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/ti_misp.ts b/dev/domain/esql-evaluations/ti_misp.ts new file mode 100644 index 00000000000..954afaa4321 --- /dev/null +++ b/dev/domain/esql-evaluations/ti_misp.ts 
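Review bot: `entity.target.type` is set to the free-form vendor value `tanium.endpoint_config.item.domain` (and the ad-hoc literal `"tanium-action"`), while the other snippets in this commit keep `entity.target.type` to a closed vocabulary (`"host"`, `"user"`, `"service"`, `"general"`, `"container"`); detection rules that pivot on a fixed type set will miss these records. Move the vendor value to `entity.target.sub_type` (which already takes `item.data_category`) or map it onto the shared vocabulary, e.g. `data_stream.dataset == "tanium.endpoint_config", "general",`. The `host.target.name` fallback to `host.name` when `state.target.hostname IS NULL` has the same actor/target overlap as elsewhere, since `host.name` feeds `actor_exists` in the detection flags; worth a comment stating that for threat_response the local host is the target.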
@@ -0,0 +1,108 @@ +import type { IntegrationEvaluations } from "./types"; + +export const ti_mispEvaluations = { + integration: "ti_misp", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NOT NULL, user.email, + null + ), + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NOT NULL, user.email, + null + ), + entity.id = CASE( + entity.id IS NOT NULL, entity.id, + data_stream.dataset == "ti_misp.threat" AND user.email IS NULL AND misp.orgc.uuid IS NOT NULL, misp.orgc.uuid, + data_stream.dataset == "ti_misp.threat_attributes" AND user.email IS NULL AND misp.event.orgc_id IS NOT NULL, TO_STRING(misp.event.orgc_id), + null + ), + entity.name = CASE( + entity.name IS NOT NULL, entity.name, + data_stream.dataset == "ti_misp.threat" AND user.email IS NULL AND misp.orgc.name IS NOT NULL, misp.orgc.name, + null + ), + entity.type = CASE( + entity.type IS NOT NULL, entity.type, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NOT NULL, "user", + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NULL, 
"organization", + null + ), + entity.sub_type = CASE( + entity.sub_type IS NOT NULL, entity.sub_type, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NOT NULL, "reporting_user", + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("url", "link", "uri") AND threat.indicator.url.domain IS NOT NULL, threat.indicator.url.domain, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND threat.feed.name IS NOT NULL, threat.feed.name, + null + ), + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("ip-src", "ip-dst", "ip-dst|port", "domain|ip") AND threat.indicator.ip IS NOT NULL, threat.indicator.ip, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("domain", "hostname", "domain|ip") AND threat.indicator.url.domain IS NOT NULL, threat.indicator.url.domain, + null + ), + host.target.port = CASE( + host.target.port IS NOT NULL, host.target.port, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type == "ip-dst|port" AND threat.indicator.port IS NOT NULL, threat.indicator.port, + null + ), + user.target.email = CASE( + user.target.email IS NOT NULL, user.target.email, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("email-src", "email-dst") AND threat.indicator.email.address IS NOT NULL, threat.indicator.email.address, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset IN 
("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type == "sha256" AND threat.indicator.file.hash.sha256 IS NOT NULL, threat.indicator.file.hash.sha256, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type == "md5" AND threat.indicator.file.hash.md5 IS NOT NULL, threat.indicator.file.hash.md5, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("sha1", "filename|sha1") AND threat.indicator.file.hash.sha1 IS NOT NULL, threat.indicator.file.hash.sha1, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.uuid IS NOT NULL, misp.attribute.uuid, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type == "regkey" AND threat.indicator.registry.key IS NOT NULL, threat.indicator.registry.key, + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("ip-src", "ip-dst", "ip-dst|port", "domain|ip", "hostname", "domain"), "host", + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("email-src", "email-dst"), "user", + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("url", "link", "uri"), "service", + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("md5", "sha256", "sha1", "filename|sha256", "filename|sha1", "regkey"), "general", + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/types.ts b/dev/domain/esql-evaluations/types.ts new file mode 100644 index 00000000000..878cd159d9f --- /dev/null +++ b/dev/domain/esql-evaluations/types.ts 
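Review bot: In the target snippet, `entity.target.type` treats `"filename|sha256"` as a hash attribute (`"general"` branch) but `entity.target.id` only matches `misp.attribute.type == "sha256"`, so a `filename|sha256` attribute gets its id from `misp.attribute.uuid` instead of the hash, unlike the sha1 branch which handles both `"sha1"` and `"filename|sha1"`. Change the sha256 condition to `... AND misp.attribute.type IN ("sha256", "filename|sha256") AND threat.indicator.file.hash.sha256 IS NOT NULL, threat.indicator.file.hash.sha256,` so the indicator value is the stable identifier. For the same reason consider whether `"filename|md5"` should join the md5 branch; the current list excludes it on both sides, which is at least consistent.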
@@ -0,0 +1,11 @@ +/** One `| EVAL` step from Pass 4 domain documentation. */ +export interface EvaluationSnippet { + readonly id: string; + readonly section: string; + readonly esql: string; +} + +export interface IntegrationEvaluations { + readonly integration: string; + readonly evaluations: readonly EvaluationSnippet[]; +} diff --git a/dev/domain/esql-evaluations/wiz.ts b/dev/domain/esql-evaluations/wiz.ts new file mode 100644 index 00000000000..138ba8e9682 --- /dev/null +++ b/dev/domain/esql-evaluations/wiz.ts 
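Review bot: `IntegrationEvaluations` has no doc comment while `EvaluationSnippet` does, and nothing states that the snippets are ordered — the `detection_flags` sections in the sibling files say "run first", so consumers must preserve array order. Add `/** Ordered \`| EVAL\` snippets for one integration package; \`integration\` is the package name and the first snippet is expected to run first. */` above the interface. It would also help to note on `esql` that each value is a pipeline fragment beginning with `| EVAL`, not a complete query.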
@@ -0,0 +1,111 @@ +import type { IntegrationEvaluations } from "./types"; + +export const wizEvaluations = { + integration: "wiz", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = ( + user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL + ) + AND NOT ( + data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") + AND resource.type == "USER_ACCOUNT" + ), + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset == "wiz.audit" AND wiz.audit.service_account.id IS NOT NULL, wiz.audit.service_account.id, + null + ), + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "wiz.audit" AND wiz.audit.service_account.name IS NOT NULL, wiz.audit.service_account.name, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "wiz.audit" AND source.ip IS NOT NULL, source.ip, + null + ), + service.name = CASE( + service.name IS NOT NULL, service.name, + data_stream.dataset IN ("wiz.vulnerability", "wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture"), "Wiz", + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + service.target.name = 
CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "wiz.audit" AND event.action IN ("user-login", "login"), "Wiz", + data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND cloud.service.name IS NOT NULL, cloud.service.name, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "wiz.defend" AND wiz.defend.primary_resource.id IS NOT NULL, wiz.defend.primary_resource.id, + data_stream.dataset == "wiz.issue" AND wiz.issue.entity_snapshot.id IS NOT NULL, wiz.issue.entity_snapshot.id, + data_stream.dataset == "wiz.vulnerability" AND resource.id IS NOT NULL, resource.id, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "wiz.defend" AND wiz.defend.primary_resource.name IS NOT NULL, wiz.defend.primary_resource.name, + data_stream.dataset == "wiz.issue" AND wiz.issue.entity_snapshot.name IS NOT NULL, wiz.issue.entity_snapshot.name, + data_stream.dataset == "wiz.vulnerability" AND resource.name IS NOT NULL, resource.name, + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "wiz.defend" AND wiz.defend.primary_resource.type IS NOT NULL, wiz.defend.primary_resource.type, + data_stream.dataset == "wiz.issue" AND wiz.issue.entity_snapshot.native_type IS NOT NULL, wiz.issue.entity_snapshot.native_type, + null + ), + host.target.id = CASE( + host.target.id IS NOT NULL, host.target.id, + data_stream.dataset == "wiz.vulnerability" AND device.id IS NOT NULL, device.id, + data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type IN ("POD", "VIRTUAL_MACHINE") AND resource.id IS NOT NULL, resource.id, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == 
"wiz.vulnerability" AND host.name IS NOT NULL, host.name, + data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type == "POD" AND resource.name IS NOT NULL, resource.name, + data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type == "VIRTUAL_MACHINE" AND host.name IS NOT NULL, host.name, + null + ), + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset == "wiz.defend" AND destination.ip IS NOT NULL, destination.ip, + null + ), + user.target.id = CASE( + user.target.id IS NOT NULL, user.target.id, + data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type == "USER_ACCOUNT" AND user.id IS NOT NULL, user.id, + null + ), + user.target.name = CASE( + user.target.name IS NOT NULL, user.target.name, + data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type == "USER_ACCOUNT" AND user.name IS NOT NULL, user.name, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/esql-evaluations/zscaler_zia.ts b/dev/domain/esql-evaluations/zscaler_zia.ts new file mode 100644 index 00000000000..003c30d9d43 --- /dev/null +++ b/dev/domain/esql-evaluations/zscaler_zia.ts 
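Review bot: The actor snippet places `wiz.audit.service_account.id` / `.name` into `user.id` / `user.name` with nothing that distinguishes a service account from a human user, so rules that treat `user.*` as a person (impossible-travel, MFA expectations) will fire on automation; ti_misp in this commit uses `entity.sub_type` for this distinction. Consider adding `entity.sub_type = CASE(entity.sub_type IS NOT NULL, entity.sub_type, data_stream.dataset == "wiz.audit" AND wiz.audit.service_account.id IS NOT NULL, "service_account", null)` to the actor snippet. The `USER_ACCOUNT` carve-out in `actor_exists` is a good call since `user.id` is reused as `user.target.id` for those findings; a short comment on that `AND NOT (...)` clause explaining the reuse would keep someone from "simplifying" it away.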
@@ -0,0 +1,90 @@ +import type { IntegrationEvaluations } from "./types"; + +export const zscaler_ziaEvaluations = { + integration: "zscaler_zia", + evaluations: [ + { + id: "detection_flags", + section: "Detection flags (mandatory \u2014 run first)", + esql: `| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL OR user.domain IS NOT NULL + OR host.name IS NOT NULL OR host.ip IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL`, + }, + { + id: "actor", + section: "Combined ES|QL \u2014 actor fields", + esql: `| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset IN ("zscaler_zia.audit", "zscaler_zia.web", "zscaler_zia.firewall", "zscaler_zia.dns", "zscaler_zia.endpoint_dlp"), user.email, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset IN ("zscaler_zia.web", "zscaler_zia.dns", "zscaler_zia.firewall", "zscaler_zia.tunnel"), source.ip, + null + )`, + }, + { + id: "event_action", + section: "Combined ES|QL \u2014 event action", + esql: `| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "zscaler_zia.dns" AND zscaler_zia.dns.request.action IS NOT NULL, TO_LOWER(zscaler_zia.dns.request.action), + data_stream.dataset == "zscaler_zia.tunnel" AND zscaler_zia.tunnel.action.type IS NOT NULL, TO_LOWER(REPLACE(zscaler_zia.tunnel.action.type, " ", "-")), + null + )`, + }, + { + id: "target", + section: "Combined ES|QL \u2014 target fields", + esql: `| EVAL + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "zscaler_zia.audit" AND 
event.action IN ("sign_out", "activate"), "ZIA Admin Portal", + data_stream.dataset == "zscaler_zia.web", zscaler_zia.web.app.name, + data_stream.dataset == "zscaler_zia.alerts", zscaler_zia.alerts.log_feed_name, + data_stream.dataset IN ("zscaler_zia.dns", "zscaler_zia.firewall") AND network.application IS NOT NULL, network.application, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "zscaler_zia.audit", rule.name, + data_stream.dataset == "zscaler_zia.dns", dns.question.name, + data_stream.dataset == "zscaler_zia.endpoint_dlp" AND zscaler_zia.endpoint_dlp.item.destination_name IS NOT NULL, zscaler_zia.endpoint_dlp.item.destination_name, + data_stream.dataset IN ("zscaler_zia.endpoint_dlp", "zscaler_zia.sandbox_report"), file.name, + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "zscaler_zia.audit", rule.category, + data_stream.dataset == "zscaler_zia.dns", "dns_name", + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "zscaler_zia.audit", "general", + data_stream.dataset == "zscaler_zia.web", "service", + data_stream.dataset == "zscaler_zia.dns", "general", + data_stream.dataset == "zscaler_zia.endpoint_dlp", "general", + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "zscaler_zia.web" AND url.domain IS NOT NULL, url.domain, + null + ), + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset IN ("zscaler_zia.web", "zscaler_zia.firewall", "zscaler_zia.tunnel"), destination.ip, + null + )`, + }, + ], +} as const satisfies IntegrationEvaluations; diff --git a/dev/domain/p1/aws_bedrock.md b/dev/domain/p1/aws_bedrock.md new file mode 100644 index 00000000000..f21f048d99b --- /dev/null +++ b/dev/domain/p1/aws_bedrock.md 
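Review bot: `entity.target.name` is populated for `zscaler_zia.sandbox_report` (`file.name`) but `entity.target.type` has no branch for that dataset, so those targets are emitted without a type; the same applies to `zscaler_zia.alerts`, which gets `service.target.name` only. Add `data_stream.dataset == "zscaler_zia.sandbox_report", "general",` to the `entity.target.type` CASE to match the `endpoint_dlp` file case. Classification of domain names is also inconsistent across this commit: here `dns.question.name` becomes `entity.target` of type `"general"` / sub_type `"dns_name"`, ti_misp maps `domain`/`hostname` attributes to type `"host"`, and suricata puts `destination.domain` in `host.target.name` — pick one convention and document it in the section string or a comment.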
@@ -0,0 +1,419 @@ +# aws_bedrock + +## Product Domain (Amazon Bedrock LLM) + +Amazon Bedrock is AWS's fully managed generative AI service that provides unified API access to foundation models from Amazon and third-party providers (Anthropic, Meta, Mistral, and others). Organizations use Bedrock to run text, chat, embedding, and image workloads through operations such as `InvokeModel`, `Converse`, and streaming variants, optionally applying Amazon Bedrock Guardrails for content safety, policy enforcement, and responsible-AI controls. Models can be customized with fine-tuning and Retrieval Augmented Generation (RAG), and agents can orchestrate multi-step tasks against enterprise data sources. + +Bedrock exposes operational telemetry at two levels. Model invocation logging (ModelInvocationLog schema v1.0) captures full request and response payloads, token counts, model identifiers, errors, and metadata for each API call when logging is enabled to Amazon S3 or CloudWatch Logs. CloudWatch metrics in the `AWS/Bedrock` and `AWS/Bedrock/Guardrails` namespaces provide time-series aggregates for invocation volume, latency, throttling, client/server errors, token and image counts, and guardrail intervention rates. + +From a security and observability perspective, Bedrock is a critical control point for AI workload governance. Security and platform teams monitor who invokes which models, prompt and completion content, token consumption, error patterns, guardrail interventions, and API availability. The Elastic Amazon Bedrock integration collects invocation logs via S3 or CloudWatch and runtime/guardrail metrics via AWS CloudWatch using Elastic Agent, normalizing events into ECS and `gen_ai.*` fields for SIEM correlation, AI usage analytics, latency alerting, and compliance review. 
+ +## Data Collected (brief) + +- **Invocation logs** (`aws_bedrock.invocation`): Model invocation logs from S3 or CloudWatch (`ModelInvocationLog` v1.0), including model ID, request ID, input/output bodies (prompts, completions, messages, image generation config), input/output token counts, errors, task type, and S3/CloudWatch source metadata; mapped to `gen_ai.*` fields (prompt, completion, usage, request/response model metadata, performance, security scores). +- **Runtime metrics** (`aws_bedrock.runtime`): CloudWatch metrics from `AWS/Bedrock`—invocation counts, latency, client/server errors, throttles, input/output token counts, output image counts, and legacy model invocations; dimensions include model ID, image size, and quality. +- **Guardrails metrics** (`aws_bedrock.guardrails`): CloudWatch metrics from `AWS/Bedrock/Guardrails`—guardrail invocation counts, latency, client/server errors, throttles, text unit utilization, and invocations where guardrails intervened; dimensions include guardrail ARN, version, policy type, content source, and operation (`ApplyGuardrail`). + +## Expected Audit Log Entities + +The Amazon Bedrock integration spans three data streams with different actor/target semantics. **`invocation`** delivers per-request Model Invocation Logs (`ModelInvocationLog` v1.0) from S3 or CloudWatch — true audit-adjacent API logs with AWS caller identity, model identifiers, full prompt/completion payloads, and guardrail trace details. **`runtime`** and **`guardrails`** are CloudWatch metric time series (Metricbeat `cloudwatch` metricset; `event.kind: metric` implied) with model or guardrail dimensions but no caller principal. No ECS `user.name`, `*.target.*`, `related.*`, or `destination.user.*` / `destination.host.*` mapping today. **`event.action` is populated on `invocation` only** — renamed from vendor `operation` (`InvokeModel`, `Converse`, `InvokeModelWithResponseStream`, `ConverseStream` in fixtures). 
**`runtime`** has no per-event action; **`guardrails`** retains vendor `aws_bedrock.guardrails.operation` (`ApplyGuardrail`) but does not map it to `event.action`. Layer 1 platform target **`cloud.service.name: bedrock`** is statically set on **`invocation`** only; metric streams infer Bedrock from `aws.cloudwatch.namespace` without promoting to `cloud.service.name`. Evidence: `packages/aws_bedrock/data_stream/*/sample_event.json`, `data_stream/*/fields/fields.yml`, `data_stream/invocation/elasticsearch/ingest_pipeline/default.yml`, `data_stream/invocation/_dev/test/pipeline/test-aws-bedrock.log-expected.json`, and runtime/guardrails ingest pipelines; only the invocation stream has pipeline test fixtures. The target-fields audit classified this package as **`none`** for actor/target enhancement (`dev/target-fields-audit/out/target_enhancement_packages.csv`); no `destination_identity_hits.csv` row. + +### Event action (semantic) + +| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | +| `InvokeModel` | api_call | high | `test-aws-bedrock.log-expected.json`: `event.action: InvokeModel` (L3913); raw `operation` in `event.original` | **`invocation`** — synchronous model invocation | +| `InvokeModelWithResponseStream` | api_call | high | `sample_event.json`, multiple expected fixtures (e.g. L2215, L3028) | **`invocation`** — streaming model invocation | +| `Converse` | api_call | high | Expected fixtures (e.g. L2377, L2546, L3746) | **`invocation`** — Converse API (non-streaming) | +| `ConverseStream` | api_call | high | Expected fixtures (e.g. 
L4065, L4225, L4391) | **`invocation`** — Converse streaming variant | +| `ApplyGuardrail` | api_call | high | `guardrails/sample_event.json` L20: `aws_bedrock.guardrails.operation: ApplyGuardrail` | **`guardrails`** — CloudWatch dimension for guardrail API; vendor-only, not ECS `event.action` | +| *(no per-event action)* | — | high | `runtime/sample_event.json` — no `event.action`; pipeline renames counters and dimensions only | **`runtime`** — CloudWatch time-bucketed aggregates; no auditable verb per document | + +Guardrail **policy outcomes** inside invocation payloads (`gen_ai.compliance.action: BLOCKED`, trace `action: BLOCKED`) describe content-moderation results, not the Bedrock API operation — distinct from `event.action`. + +### Event action (ECS candidates) + +| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence | +| --- | --- | --- | --- | --- | --- | +| `aws_bedrock.invocation.operation` → `event.action` | yes | yes | `InvokeModel`, `Converse`, `InvokeModelWithResponseStream`, `ConverseStream` | no | Invocation pipeline L39–42: `rename` to `event.action`; vendor path removed after rename; `test-aws-bedrock.log-expected.json`, `sample_event.json` | +| `event.action` | yes (invocation only) | yes | see row above | no | Populated in all invocation fixtures; absent from runtime and guardrails samples | +| `aws_bedrock.guardrails.operation` | no | n/a | `ApplyGuardrail` | yes | Guardrails pipeline L44–47: renames `aws.dimensions.Operation` → vendor field only; `guardrails/sample_event.json` L20 | +| `gen_ai.compliance.action` / trace `action` | no | n/a | `BLOCKED` | no | Guardrail policy outcome inside invocation bodies — not an API operation name | +| `aws.cloudwatch.namespace` | no | n/a | — | no | `AWS/Bedrock` / `AWS/Bedrock/Guardrails` — metric namespace context, not per-event action | + +**Step 2b — per-stream check:** + +| Stream | 
`event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `invocation` | yes | yes | `aws_bedrock.invocation.operation` → `event.action` | high | `invocation/elasticsearch/ingest_pipeline/default.yml` L39–42; `test-aws-bedrock.log-expected.json` | +| `runtime` | no | no | — (no per-event action) | high | `runtime/elasticsearch/ingest_pipeline/default.yml` — metric renames only; `runtime/sample_event.json` | +| `guardrails` | no | no | `aws_bedrock.guardrails.operation` (`ApplyGuardrail`) | high | `guardrails/elasticsearch/ingest_pipeline/default.yml` L44–47; `guardrails/sample_event.json` L20 | + +### Actor (semantic) + +| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | +| IAM user principal | user | — | high | `aws_bedrock.invocation.identity.arn` → `user.id` and `gen_ai.user.id` in invocation pipeline (`default.yml` L43–46, L582–584); fixtures include `arn:aws:iam::111111111111:user/john.doe@example.com`, `.../user/andrew.kroh@elastic.co`, `.../user/shashank` (`test-aws-bedrock.log-expected.json`, `sample_event.json`) | **`invocation`** — full IAM user ARN is the caller; not split into `user.name` or account ID subfields | +| STS assumed-role session | user | assumed_role | high | `user.id` / `gen_ai.user.id` values such as `arn:aws:sts::123456789012:assumed-role/DUMMYROLE/dummyuser` and `arn:aws:sts::795142007471:assumed-role/BEDROCKPLAYGROUNDACCESS/uwga` in pipeline fixtures | **`invocation`** — role and session name embedded in ARN; no separate ECS role fields | +| Integration collector | service | — | low | Elastic Agent S3/CloudWatch or Metricbeat AWS credentials in stream config; not indexed on events | Implicit poller for all streams | + +**No actor identity in schema or samples:** **`runtime`** — CloudWatch aggregates keyed by `aws_bedrock.runtime.model_id` and image 
dimensions only. **`guardrails`** — CloudWatch aggregates keyed by guardrail ARN/version/policy dimensions only; no IAM or STS principal. **`invocation`** conversational `messages[].role: user` is chat turn role, not an AWS security principal. **`cloud.account.id`** and **`cloud.region`** (`accountId` / `region` rename, L47–54) are tenancy scope context, not actors.
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `aws_bedrock.invocation.identity.arn` | Caller IAM/STS ARN (vendor source) | no | n/a | high | Renamed to `user.id` in pipeline L43–46; vendor path removed after rename |
+| `user.id` | Caller principal ARN | yes | yes | high | Populated from `identity.arn` in fixtures (e.g. `sample_event.json` L2297–2299) |
+| `gen_ai.user.id` | GenAI caller mirror | yes | yes | high | Copied from `user.id` when present (`default.yml` L582–584) |
+| `cloud.account.id` | AWS account scope | yes | yes | high | Renamed from `accountId` (`default.yml` L47–50); scope context, not actor |
+| `cloud.region` | AWS region scope | yes | yes | high | Renamed from `region` (`default.yml` L51–54) |
+| `user.name` / `user.email` / `client.user.*` | Parsed principal attributes | no | n/a | — | Not set; ARN not decomposed |
+| `related.user` | Actor cross-reference | no | n/a | — | Not used |
+| `destination.user.*` / `destination.host.*` | De-facto target identity | no | n/a | — | Not used (`destination_identity_hits.csv` has no `aws_bedrock` row) |
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Platform / cloud service | The cloud API invoked | Amazon Bedrock | service | — | high | `cloud.service.name: bedrock` statically set in invocation pipeline (`default.yml` L27–29); present in `sample_event.json` L2223–2225 | 
**`invocation`** only — runtime/guardrails infer Bedrock from `aws.cloudwatch.namespace` (`AWS/Bedrock`, `AWS/Bedrock/Guardrails`) but do not set `cloud.service.name` |
+| 2 — Resource / object | Foundation model consumed | Named Bedrock model ID | service | — | high | `aws_bedrock.invocation.model_id`, `gen_ai.request.model.id` / `.type` / `.version` (e.g. `anthropic.claude-3-haiku-20240307-v1:0`); runtime dimension `aws_bedrock.runtime.model_id` | **`invocation`** — per-request model; **`runtime`** — metric slice by model ID |
+| 2 — Resource / object | Bedrock API operation | InvokeModel, Converse, etc. | general | api_method | high | `event.action` from `operation` (`InvokeModel`, `InvokeModelWithResponseStream`, `Converse`, `ConverseStream` in fixtures) | **`invocation`** — API surface invoked |
+| 2 — Resource / object | Amazon Bedrock Guardrail | Guardrail policy resource | service | — | high | `gen_ai.guardrail_id` (short IDs from trace); `gen_ai.policy.*`, `gen_ai.compliance.violation_*`; guardrails metric dimension `aws_bedrock.guardrails.guardrail_arn` | **`invocation`** — per-request guardrail outcomes; **`guardrails`** — aggregated by ARN/version/policy facets |
+| 2 — Resource / object | Attached media / RAG document | S3-backed input document | general | s3_object | moderate | PDF `document.source.s3Uri` in `input.input_body_json.messages` (e.g. 
`...19926a63-..._input_media_00.pdf` in fixtures); `input.messages_content_kinds: document/pdf` | **`invocation`** — not mapped to ECS `file.*` or `url.*` |
+| 2 — Resource / object | Agent tool | Downstream tool name | general | tool | moderate | `tool_use` / `tool_result` blocks in agentic-workflow fixtures; names such as `agikthomas-basicmaths-time-weather-ag::add_two_numbers` | **`invocation`** — embedded in message content, not ECS-mapped |
+| 3 — Content / artifact | Model invocation instance | Per-call request/response IDs | general | ai_request | high | `aws_bedrock.invocation.request_id`, `gen_ai.request.id`; `gen_ai.response.id` (e.g. `msg_01L3WcyJkxCgmHpMiLRhSYvf`) | **`invocation`** — auditable correlation identifiers |
+| 3 — Content / artifact | Prompt and completion payload | LLM input/output content | general | ai_content | high | `gen_ai.prompt`, `gen_ai.completion`, `aws_bedrock.invocation.output.completion_text`; token counts under `gen_ai.usage.*` | **`invocation`** — full bodies when under size limits; massive payloads hashed/truncated |
+| 3 — Content / artifact | Runtime metric aggregate | CloudWatch usage bucket | general | usage_bucket | high | `@timestamp`, `metricset.period`, `aws_bedrock.runtime.invocations`, latency/token/image counters; dimensions `image_size`, `quality`, `bucketed_step_size` | **`runtime`** — pre-aggregated slice, not per-request audit target |
+| 3 — Content / artifact | Guardrail metric aggregate | Guardrail intervention bucket | general | usage_bucket | high | `@timestamp`, `aws_bedrock.guardrails.invocations`, `.invocations_intervened`, `.text_unit_count`, `.invocation_latency` | **`guardrails`** — pre-aggregated counters |
+
+**No meaningful audit target:** **`runtime`** and **`guardrails`** individual prompts, completions, or caller principals — metrics expose counts and latency only. 
**`invocation`** does not index separate Bedrock Agent or Knowledge Base resource ARNs when absent from the ModelInvocationLog schema.
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `cloud.service.name` | 1 | service | yes (invocation) | yes | `service.target.name` | partial | Static `bedrock` in invocation pipeline L27–29; `sample_event.json` L2223–2225; identifies invoked platform but not in `service.target.*` |
+| `aws.cloudwatch.namespace` | 1 | service | yes (metrics) | partial | `service.target.name` | yes | `AWS/Bedrock` / `AWS/Bedrock/Guardrails` in runtime/guardrails `sample_event.json`; namespace implies Bedrock but no `cloud.service.name` set |
+| `event.action` | 2 | general (api_method) | yes | yes | context-only | no | Renamed from `operation` (`default.yml` L39–42); API method invoked |
+| `aws_bedrock.invocation.model_id` | 2 | service | yes | yes | `gen_ai.request.model.id` / `service.target.entity.id` | yes | Vendor canonical model ID; also copied to `gen_ai.request.model.id` L433–437 |
+| `gen_ai.request.model.id` / `.type` / `.version` | 2 | service | yes | yes | `gen_ai.request.model.id` | partial | Populated in fixtures; natural Layer 2 target but not in `service.target.*` |
+| `gen_ai.guardrail_id` | 2 | service | yes | partial | `service.target.entity.id` | yes | Short guardrail IDs extracted from trace (`get_guardrail_details` script L632–641); not full guardrail ARN |
+| `aws_bedrock.guardrails.guardrail_arn` | 2 | service | yes | yes | `service.target.entity.id` | yes | Guardrails metric dimension (`guardrails/default.yml` L57–59); full ARN in `fields.yml` |
+| `aws_bedrock.guardrails.operation` | 2 | general (api_method) | yes | yes | context-only | no | `ApplyGuardrail` in `guardrails/sample_event.json` L20 |
+| `gen_ai.request.id` / `gen_ai.response.id` | 3 | 
general (ai_request) | yes | yes | context-only | no | Per-invocation correlation IDs (`default.yml` L482–491) |
+| `gen_ai.prompt` / `gen_ai.completion` | 3 | general (ai_content) | yes | yes | context-only | no | Remarshaled request/response bodies; truncated when massive |
+| `aws_bedrock.invocation.output.completion_text` | 3 | general (ai_content) | yes | yes | context-only | no | Human-readable completion extract (`default.yml` L704–781) |
+| `aws_bedrock.runtime.model_id` | 2 | service | partial | yes | `gen_ai.request.model.id` | partial | Metric dimension only when present in CloudWatch sample; aggregation target, not per-request |
+| `cloud.account.id` / `cloud.region` | — | — | yes | yes | context-only | no | Tenancy scope, not target entity |
+| `user.target.*` / `host.target.*` / `service.target.*` / `entity.target.*` | — | — | no | n/a | — | no | Not populated (`target_enhancement_packages.csv`: all `has_*_target` false) |
+| `destination.user.*` / `destination.host.*` | — | — | no | n/a | — | no | Not used |
+
+### Gaps and mapping notes
+
+- **`event.action` gap on guardrails** — vendor `aws_bedrock.guardrails.operation` (`ApplyGuardrail`) is present in fixtures but not copied to ECS `event.action`. Enhancement: map `aws_bedrock.guardrails.operation` → `event.action` on guardrails metric stream (or document that metric streams intentionally omit per-event action).
+- **Invocation action mapping is correct** — `aws_bedrock.invocation.operation` → `event.action` via pipeline rename (L39–42); vendor path is consumed and not retained separately; raw `operation` remains in `event.original`.
+- **Layer 1 partially covered:** Invocation sets `cloud.service.name: bedrock` correctly as the invoked platform target (L27–29), but runtime/guardrails rely on `aws.cloudwatch.namespace` without promoting to `cloud.service.name` — enhancement would unify Layer 1 across all streams. 
+- **No official ECS target fields:** Model ID, guardrail ID/ARN, and `cloud.service.name` semantically represent targets but sit in context/`gen_ai.*`/`cloud.*` fields rather than `service.target.*` or `entity.target.*` — aligns with audit classification **`none`**.
+- **Vendor identity not retained:** `aws_bedrock.invocation.identity.arn` is renamed to `user.id` and the vendor path is not preserved separately; `event.original` holds the raw JSON for forensics.
+- **ARN not decomposed:** `user.id` carries the full IAM/STS ARN but `user.name`, `user.email`, and role/session subfields are not extracted — partial actor enrichment opportunity.
+- **Chat role homonym:** `messages[].role: user` in input bodies is conversational turn role, not the AWS security principal mapped to `user.id`.
+- **Guardrail policy action vs API action:** `gen_ai.compliance.action: BLOCKED` and trace-level `action: BLOCKED` are moderation outcomes — do not substitute for `event.action`.
+- **Metrics dimensions ≠ audit targets:** Per classification rule 10, `aws_bedrock.runtime.model_id` and guardrail ARN dimensions on metric events are aggregation slices, not per-request acted-upon entities.
+- **No de-facto `destination.*` targets:** Unlike email/auth integrations, no pipeline maps affected entities to `destination.user.*` or `destination.host.*`.
+- **Guardrail ID vs ARN gap:** Invocation logs expose short guardrail IDs in trace; full guardrail ARN appears only on guardrails metric stream — `service.target.entity.id` enhancement should consider both forms.
+
+### Per-stream notes
+
+#### invocation
+
+Model Invocation Logs via S3 or CloudWatch (`aws-s3` / `aws-cloudwatch` inputs). Pipeline parses JSON into `aws_bedrock.invocation`, statically sets **`cloud.service.name: bedrock`** (Layer 1 target), renames `operation` → **`event.action`**, promotes `identity.arn` → `user.id` / `gen_ai.user.id`, and enriches `gen_ai.*` for prompts, completions, usage, performance, and guardrail compliance. 
**`event.action`** values: `InvokeModel`, `InvokeModelWithResponseStream`, `Converse`, `ConverseStream`. Actor is **user** (IAM user or assumed-role session ARN). Targets layer as: Layer 1 **Amazon Bedrock** (`cloud.service.name`); Layer 2 **foundation model** (`gen_ai.request.model.id`) and optional **guardrail**; Layer 3 **invocation instance** (`request_id`) and **content** (prompt/completion).
+
+#### runtime
+
+CloudWatch time series from `AWS/Bedrock` namespace (Metricbeat `cloudwatch` metricset). Pipeline renames `aws.bedrock.metrics.*` → `aws_bedrock.runtime.*` and CloudWatch dimensions → `model_id`, `image_size`, `quality`. No actor; no **`event.action`** (no per-event action). Layer 1 inferred from `aws.cloudwatch.namespace: AWS/Bedrock` only — no `cloud.service.name`. Layer 2 target context is **model ID** (and optional image-generation dimensions) within a metric period.
+
+#### guardrails
+
+CloudWatch time series from `AWS/Bedrock/Guardrails` namespace. Pipeline renames guardrail metrics and dimensions including **guardrail ARN**, **version**, **policy type**, and **content source**; **`aws_bedrock.guardrails.operation`** holds `ApplyGuardrail` but is not mapped to **`event.action`**. No actor; Layer 1 inferred from namespace; Layer 2 target is the **guardrail resource** aggregate for the collection period.
+
+## Example Event Graph
+
+Examples below come from the **`invocation`** stream (Model Invocation Logs — audit-adjacent per-request API logs with caller identity and `event.action`) and the **`runtime`** / **`guardrails`** metric streams (CloudWatch time-bucketed aggregates). The metric streams have no caller principal and no ECS `event.action`; they do not support a meaningful per-event Actor → action → Target chain — see the note after Example 2. 
+
+### Example 1: IAM user streams a model invocation
+
+**Stream:** `aws_bedrock.invocation` · **Fixture:** `packages/aws_bedrock/data_stream/invocation/sample_event.json`
+
+```
+IAM user (andrew.kroh@elastic.co) → InvokeModelWithResponseStream → Claude 3 Haiku foundation model
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | `arn:aws:iam::144492464627:user/andrew.kroh@elastic.co` |
+| type | user |
+| sub_type | iam_user |
+
+**Field sources:**
+- `id` ← `user.id` (renamed from `aws_bedrock.invocation.identity.arn` in ingest pipeline)
+- `sub_type` ← inferred from IAM user ARN pattern in fixture (`arn:aws:iam::…:user/…`)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | InvokeModelWithResponseStream |
+| source_field | `event.action` |
+| source_value | `InvokeModelWithResponseStream` |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | `anthropic.claude-3-haiku-20240307-v1:0` |
+| type | service |
+| sub_type | foundation_model |
+
+**Field sources:**
+- `id` ← `gen_ai.request.model.id` (also `aws_bedrock.invocation.model_id`)
+- Invoked platform scope: `cloud.service.name` = `bedrock` (Layer 1 — not the primary acted-upon resource)
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: andrew.kroh@elastic.co"] --> E["InvokeModelWithResponseStream"]
+ E --> T["Target: anthropic.claude-3-haiku-20240307-v1:0"]
+```
+
+### Example 2: Assumed-role session uses ConverseStream API
+
+**Stream:** `aws_bedrock.invocation` · **Fixture:** `packages/aws_bedrock/data_stream/invocation/_dev/test/pipeline/test-aws-bedrock.log-expected.json` (ConverseStream event, `@timestamp` 2024-10-11T12:15:04.000Z)
+
+```
+STS assumed-role session → ConverseStream → dummy-model-v1
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | `arn:aws:sts::123456789012:assumed-role/DUMMYROLE/dummyuser` |
+| type | user |
+| sub_type | assumed_role |
+
+**Field sources:**
+- `id` ← `user.id` / `gen_ai.user.id` (from `identity.arn` in 
ModelInvocationLog)
+- `sub_type` ← STS assumed-role ARN pattern (`assumed-role/DUMMYROLE/dummyuser`)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | ConverseStream |
+| source_field | `event.action` |
+| source_value | `ConverseStream` |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | `dummy-model-v1` |
+| type | service |
+| sub_type | foundation_model |
+
+**Field sources:**
+- `id` ← `gen_ai.request.model.id` (from `modelId` in raw log)
+- Invoked platform scope: `cloud.service.name` = `bedrock`
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: DUMMYROLE/dummyuser"] --> E["ConverseStream"]
+ E --> T["Target: dummy-model-v1"]
+```
+
+### Metric streams (`runtime`, `guardrails`) — no per-event graph
+
+**Fixtures:** `packages/aws_bedrock/data_stream/runtime/sample_event.json`, `packages/aws_bedrock/data_stream/guardrails/sample_event.json`
+
+CloudWatch metric documents are time-bucketed aggregates (`metricset.period: 300000` ms) with no IAM/STS caller and no per-request target. Example values from fixtures: `aws_bedrock.runtime.invocations: 5`, `aws_bedrock.guardrails.invocations: 6`, `aws_bedrock.guardrails.operation: ApplyGuardrail` (vendor-only — **not mapped to ECS `event.action` today**). These streams expose usage and latency counters for dashboards and alerting, not auditable Actor → action → Target chains.
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (policy template `aws_bedrock`, three `data_stream/` directories with Tier A `sample_event.json` fixtures; invocation also has `test-aws-bedrock.log-expected.json` pipeline tests). Router: **`data_stream.dataset`** (`aws_bedrock.invocation`, `aws_bedrock.runtime`, `aws_bedrock.guardrails` per `packages/aws_bedrock/data_stream/*/sample_event.json`). 
Pass 4 v2 is **fill-gaps-only**: detection flags (`actor_exists`, `target_exists`, `action_exists`) run first for query semantics; mapped columns use **column-level** **5-arg** `CASE( IS NOT NULL, , , , null)` — never **4-arg** `CASE( IS NOT NULL, , bare_vendor_field, null)` (bare field parses as a **condition**) or `CASE(actor_exists|target_exists|action_exists, , …)` (a populated sibling actor/target/action field must not block fallbacks on an empty column; Pass 4 §10). Ingest populates **`user.id`** and **`event.action`** on **`invocation`** only; **`cloud.service.name`**, **`gen_ai.request.model.*`**, and **`service.target.*`** are not set at ingest — fallbacks promote Layer 1 platform + Layer 2 foundation model per Pass 2/3. **`runtime`** and **`guardrails`** are CloudWatch metric aggregates (no IAM caller, no per-request target) — **actor/target `EVAL` excluded**; optional **`event.action`** fallback on **`guardrails`** from vendor `aws_bedrock.guardrails.operation` when ECS action is empty. 
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `aws_bedrock.invocation` | Model Invocation Log (S3 / CloudWatch) | user | service | full |
+| `aws_bedrock.runtime` | CloudWatch `AWS/Bedrock` metrics | — | — | none |
+| `aws_bedrock.guardrails` | CloudWatch `AWS/Bedrock/Guardrails` metrics | — | — | none (action fallback only) |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.id` | `identity.arn` → `user.id` at ingest | `data_stream.dataset == "aws_bedrock.invocation"` | high | **ingest-only — no ES|QL** — `default.yml` L43–46; vendor path not indexed after rename (Pass 4 rule 10) |
+| `entity.sub_type` | ARN pattern on `user.id` | `data_stream.dataset == "aws_bedrock.invocation" AND user.id IS NOT NULL` | medium | **semantic literal** — `iam_user` vs `assumed_role` (Pass 3); only when `entity.sub_type` empty |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `service.target.name` | `cloud.service.name` | `data_stream.dataset == "aws_bedrock.invocation"` | high | **vendor fallback** — static `bedrock` (`default.yml` L27–29; `sample_event.json` L2223–2225) |
+| `service.target.id` | `gen_ai.request.model.id` | `data_stream.dataset == "aws_bedrock.invocation"` | high | **vendor fallback** — foundation model (Pass 3 Examples 1–2) |
+| `service.target.type` | `gen_ai.request.model.type` | `data_stream.dataset == "aws_bedrock.invocation" AND gen_ai.request.model.type IS NOT NULL` | high | **vendor fallback** — parsed from model ID prefix (`default.yml` L440–445) |
+| `service.target.sub_type` | literal `"foundation_model"` | `data_stream.dataset == "aws_bedrock.invocation" AND gen_ai.request.model.id IS NOT NULL` | 
medium | **semantic literal** — Pass 3 target sub_type |
+
+#### Event action mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `event.action` | `event.action` | `data_stream.dataset == "aws_bedrock.invocation"` | high | **preserve existing** — `operation` → `event.action` at ingest |
+| `event.action` | `aws_bedrock.guardrails.operation` | `data_stream.dataset == "aws_bedrock.guardrails"` | high | **vendor fallback** — `ApplyGuardrail` in `guardrails/sample_event.json` L20; not mapped at ingest (Pass 2 enhancement) |
+
+### Detection flags (mandatory — run first)
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+**Predicate note:** On **`invocation`**, `actor_exists` and `action_exists` are typically true when `identity.arn` and `operation` are present; `target_exists` is false until fallbacks promote `cloud.service.name` / `gen_ai.request.model.id` into `service.target.*`. On metric streams, all three flags are typically false except optional guardrails `event.action` fallback.
+
+**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. Wrong: `CASE(service.target.name IS NOT NULL, service.target.name, cloud.service.name, null)` (4 args — `cloud.service.name` is a **condition**). 
Wrong: `CASE(target_exists, service.target.name, data_stream.dataset == "aws_bedrock.invocation" AND cloud.service.name IS NOT NULL, cloud.service.name, null)` (blocks `service.target.name` when only `service.target.id` is set). Right: **5-arg** `CASE(service.target.name IS NOT NULL, service.target.name, data_stream.dataset == "aws_bedrock.invocation" AND cloud.service.name IS NOT NULL, cloud.service.name, null)`. `entity.sub_type` already uses column-level preserve. Detection flags are helpers only — not first `CASE` branches on mapped columns.
+
+### Optional classification helpers (when needed)
+
+```esql
+| EVAL
+ entity.sub_type = CASE(
+ entity.sub_type IS NOT NULL, entity.sub_type,
+ data_stream.dataset == "aws_bedrock.invocation" AND user.id IS NOT NULL AND user.id LIKE "arn:aws:sts:*:assumed-role/*", "assumed_role",
+ data_stream.dataset == "aws_bedrock.invocation" AND user.id IS NOT NULL AND user.id LIKE "arn:aws:iam:*:user/*", "iam_user",
+ null
+ ),
+ service.target.sub_type = CASE(
+ service.target.sub_type IS NOT NULL, service.target.sub_type,
+ data_stream.dataset == "aws_bedrock.invocation" AND gen_ai.request.model.id IS NOT NULL, "foundation_model",
+ null
+ )
+```
+
+### Combined ES|QL — actor fields
+
+**`user.id`** is ingest-only (`identity.arn` → `user.id`); no alternate indexed source for a preserve-first `CASE` — omit from actor `EVAL` (Pass 4 rule 10). IAM principal subtype uses **`entity.sub_type`** in [Optional classification helpers](#optional-classification-helpers-when-needed) above. 
+
+### Combined ES|QL — event action
+
+```esql
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "aws_bedrock.guardrails" AND aws_bedrock.guardrails.operation IS NOT NULL, aws_bedrock.guardrails.operation,
+ null
+ )
+```
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "aws_bedrock.invocation" AND cloud.service.name IS NOT NULL, cloud.service.name,
+ null
+ ),
+ service.target.id = CASE(
+ service.target.id IS NOT NULL, service.target.id,
+ data_stream.dataset == "aws_bedrock.invocation" AND gen_ai.request.model.id IS NOT NULL, gen_ai.request.model.id,
+ null
+ ),
+ service.target.type = CASE(
+ service.target.type IS NOT NULL, service.target.type,
+ data_stream.dataset == "aws_bedrock.invocation" AND gen_ai.request.model.type IS NOT NULL, gen_ai.request.model.type,
+ null
+ )
+```
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ entity.sub_type = CASE(
+ entity.sub_type IS NOT NULL, entity.sub_type,
+ data_stream.dataset == "aws_bedrock.invocation" AND user.id IS NOT NULL AND user.id LIKE "arn:aws:sts:*:assumed-role/*", "assumed_role",
+ data_stream.dataset == "aws_bedrock.invocation" AND user.id IS NOT NULL AND user.id 
LIKE "arn:aws:iam:*:user/*", "iam_user",
+ null
+ ),
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "aws_bedrock.guardrails" AND aws_bedrock.guardrails.operation IS NOT NULL, aws_bedrock.guardrails.operation,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "aws_bedrock.invocation" AND cloud.service.name IS NOT NULL, cloud.service.name,
+ null
+ ),
+ service.target.id = CASE(
+ service.target.id IS NOT NULL, service.target.id,
+ data_stream.dataset == "aws_bedrock.invocation" AND gen_ai.request.model.id IS NOT NULL, gen_ai.request.model.id,
+ null
+ ),
+ service.target.type = CASE(
+ service.target.type IS NOT NULL, service.target.type,
+ data_stream.dataset == "aws_bedrock.invocation" AND gen_ai.request.model.type IS NOT NULL, gen_ai.request.model.type,
+ null
+ ),
+ service.target.sub_type = CASE(
+ service.target.sub_type IS NOT NULL, service.target.sub_type,
+ data_stream.dataset == "aws_bedrock.invocation" AND gen_ai.request.model.id IS NOT NULL, "foundation_model",
+ null
+ )
+| KEEP @timestamp, data_stream.dataset, event.action, user.id, entity.sub_type, service.target.name, service.target.id, service.target.sub_type
+```
+
+### Streams excluded
+
+- **`aws_bedrock.runtime`** — CloudWatch `AWS/Bedrock` time-bucketed aggregates (`metricset.period`); `aws_bedrock.runtime.model_id` is a dimension slice, not a per-request acted-upon entity (Pass 2 rule 10).
+- **`aws_bedrock.guardrails`** — actor/target excluded: no IAM/STS principal; `aws_bedrock.guardrails.guardrail_arn` is a metric dimension only. **`event.action`** fallback above applies when querying guardrails metrics alongside invocation logs.
+
+### Gaps and limitations
+
+- **Pass 4 CASE syntax** — action/target blocks and the full pipeline fragment use column-level **5-arg** / **7-arg** `CASE( IS NOT NULL, , , , null)`; `entity.sub_type` uses **7-arg** column-level preserve. 
Never **4-arg** `CASE( IS NOT NULL, , bare_field, null)` or `CASE(actor_exists|target_exists|action_exists, , …)` on mapped columns. Detection flags are query-time helpers only. `service.target.sub_type` uses column-level preserve (not `target_exists` — `sub_type` is excluded from the `target_exists` predicate).
+- **Unscoped `FROM logs-*`** — dataset routing lives in `CASE` fallback conditions (`data_stream.dataset == …`), not a top-level `WHERE`.
+- **`user.id`** — **ingest-only**; no ES|QL `CASE` (tautology if fallback repeats `user.id`).
+- **`user.name` / `user.email`** — full IAM/STS ARN in `user.id` only; ARN not decomposed at ingest — omit (Pass 2).
+- **`gen_ai.guardrail_id` / `aws_bedrock.guardrails.guardrail_arn`** — Layer 2 guardrail targets omitted (short ID vs full ARN ambiguity; guardrails stream is aggregate-only).
+- **`messages[].role: user`** — conversational turn role in input bodies, not AWS security principal — do not map to `user.*`.
+- **`gen_ai.compliance.action`** — guardrail policy outcome (`BLOCKED`), not API operation — do not substitute for `event.action`.
+- **Metric Layer 1** — `aws.cloudwatch.namespace` on runtime/guardrails implies Bedrock but is not promoted to `cloud.service.name` or `service.target.name` without per-event semantics.
+- **Pass 2 alignment** — `target_enhancement_packages.csv` classified **`none`**; ingest-time `*.target.*` remains preferred; Pass 4 fills `service.target.*` without overwriting populated values.
diff --git a/dev/domain/p1/aws_bedrock_agentcore.md b/dev/domain/p1/aws_bedrock_agentcore.md
new file mode 100644
index 00000000000..0910135f4df
--- /dev/null
+++ b/dev/domain/p1/aws_bedrock_agentcore.md 
@@ -0,0 +1,512 @@
+# aws_bedrock_agentcore
+
+## Product Domain (Amazon Bedrock AgentCore)
+
+Amazon Bedrock AgentCore is a fully managed AWS platform for building, deploying, and operating intelligent agents with any framework or foundation model, without managing underlying agent infrastructure. It is composed of modular capabilities—Runtime, Gateway, Memory, Identity, Observability, Code Interpreter, and Browser Tool—that let teams focus on agent workflows and integrations with enterprise systems and data.
+
+Runtime hosts agent execution and exposes endpoints for invocation. Gateway routes agent requests to external tools and targets such as AWS Lambda and MCP (Model Context Protocol) servers. Memory provides durable, strategy-based storage for conversation history, user preferences, and other agent context. Identity handles workload and resource access tokens, API key retrieval, and inbound authorization for agent operations. Code Interpreter and Browser Tool extend agents with sandboxed code execution and browser automation, including human-in-the-loop takeover controls.
+
+AWS surfaces AgentCore observability through CloudWatch metrics in the `AWS/Bedrock-AgentCore` namespace and application logs written to CloudWatch Logs (or exportable to S3). Metrics cover invocations, sessions, latency, errors, throttling, token usage, target execution, and identity operations across all major components. Application logs capture runtime prompts and payloads, memory read/write activity, and gateway tool invocations with trace and session context.
+
+The Elastic integration collects AgentCore metrics via CloudWatch and application logs via CloudWatch or S3 using Elastic Agent.
This enables platform and security teams to monitor agent performance and availability, troubleshoot errors and throttling, audit identity and authorization activity, track token consumption, and investigate agent behavior—including prompts, memory operations, and external tool calls—for operational and governance use cases.
+
+## Data Collected (brief)
+
+- **Metrics** (`aws_bedrock_agentcore.metrics`): CloudWatch time series from `AWS/Bedrock-AgentCore` on a configurable period (default 5m); covers Agent runtime, Gateway, Memory, Identity, Browser Tool, and Code Interpreter.
+- **Runtime performance**: Invocations, sessions, latency, duration, token counts, target execution time, and target-type breakdowns (Lambda, MCP).
+- **Errors and throttling**: System errors, user errors, throttles, and component-specific error/throttle signals (gateway, memory, browser, code interpreter).
+- **Identity and authorization**: Inbound authorization success/failure, API key fetch outcomes, workload and resource access token fetch success/failure/throttles, and Identity Service call/throttle counts.
+- **Browser Tool**: User takeover and release counts, takeover duration, and session throttles.
+- **Dimensions**: Operation, Resource ARN, AgentId, EndpointName, SessionId, agent name, and endpoint name; plus AWS account and region context.
+- **Runtime application logs** (`aws_bedrock_agentcore.runtime_application_logs`): Agent execution events from CloudWatch or S3—operation name, agent/endpoint identity, session and conversation IDs, request/response payloads (including prompts), resource ARN, trace/span IDs, and outcome.
+- **Memory application logs** (`aws_bedrock_agentcore.memory_application_logs`): Memory operations from CloudWatch or S3—memory name/strategy, namespace, actor and session IDs, operation name, and payload details (including conversation content for preference/history strategies).
+- **Gateway application logs** (`aws_bedrock_agentcore.gateway_application_logs`): Gateway routing and tool invocation events from CloudWatch or S3—gateway name, target, tool name, request ID, resource ARN, and payload/error status.
+
+## Expected Audit Log Entities
+
+The Amazon Bedrock AgentCore integration spans four data streams: three **application log** streams (`runtime_application_logs`, `memory_application_logs`, `gateway_application_logs`) and one **metrics** stream (`metrics`). Application logs are OpenTelemetry-style JSON from AgentCore Runtime, Memory, and Gateway components—not AWS CloudTrail administrative audit records. They capture agent invocations, memory read/write activity, and gateway tool routing with request payloads, session context, and distributed trace IDs. CloudWatch metrics in `AWS/Bedrock-AgentCore` provide audit-adjacent time-series aggregates for runtime, gateway, memory, identity, browser, and code-interpreter operations. Actor identity is an **application-scoped `actor_id`** (customer or session partition within the agent), not an IAM principal or Cognito user. The integration sets `cloud.provider`, `cloud.service.name`, `trace.id`, `span.id`, `service.name`, and `event.outcome` but does not populate ECS `user.*`, `*.target.*`, `related.*`, or `destination.*` today. No `destination.user.*` / `destination.host.*` in pipelines (`destination_identity_hits.csv` has no row for this package). **`event.action` is populated only on `gateway_application_logs`** (tool name from grok on log text, e.g. `DocumentRetrieval___fetch_order_details`); runtime and memory streams retain vendor `operation` / static `operation_name` under `aws.bedrock_agentcore.*` but do not map to ECS `event.action`. **`metrics`** has no per-event action (`event.kind: metric`; CloudWatch `Operation` dimension only).
Evidence: `packages/aws_bedrock_agentcore/data_stream/*/sample_event.json`, `*/_dev/test/pipeline/*-expected.json`, `*/elasticsearch/ingest_pipeline/default.yml`, `*/fields/fields.yml`. The target-fields audit classifies this package as **`moderate_candidate`** (`dev/target-fields-audit/out/target_enhancement_packages.csv`).
+
+### Event action (semantic)
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `InvokeAgentRuntime` | api_call | high | `runtime_application_logs/sample_event.json`, all `test-aws-bedrock-agentcore*.log-expected.json`: `aws.bedrock_agentcore.operation: InvokeAgentRuntime` | **`runtime_application_logs`** — vendor OTel `operation` field; AgentCore runtime API invocation |
+| `invoke_agent` | api_call | high | Runtime pipeline `set_operation` (L142–145); fixtures: `operation_name: invoke_agent` | **`runtime_application_logs`** — static GenAI operation label set by pipeline; coarser than `InvokeAgentRuntime` |
+| `invoke_memory` | data_access | high | Memory pipeline `set_operation` (L112–115); `test-aws-bedrock-agentcore-memory.log-expected.json`: `operation_name: invoke_memory` | **`memory_application_logs`** — static GenAI operation for memory read/write activity |
+| `DocumentRetrieval___fetch_order_details` | api_call | high | `gateway_application_logs/_dev/test/pipeline/test-aws-bedrock-agentcore-gateway.log-expected.json`: `event.action` ← grok `tool.name` | **`gateway_application_logs`** — downstream tool invocation name; only stream with ECS `event.action` populated |
+| `invoke_gateway` | api_call | high | Gateway pipeline `set_operation` (L151–154); gateway fixture: `operation_name: invoke_gateway` | **`gateway_application_logs`** — static GenAI operation for gateway routing; distinct from per-tool `event.action` |
+| *(no per-event action)* | — | high | `metrics/sample_event.json` — no `event.action`; pipeline renames counters and splits dimensions only |
**`metrics`** — CloudWatch time-bucketed aggregates; `aws.dimensions.Operation` (e.g. `InvokeAgentRuntime`) describes the metric slice, not a single auditable verb |
+
+Runtime and memory logs expose two action facets: vendor **`operation`** (`InvokeAgentRuntime` from raw JSON) and pipeline-static **`operation_name`** (`invoke_agent`, `invoke_memory`). Gateway logs expose three facets: static **`invoke_gateway`**, grok-extracted **tool name** (mapped to `event.action`), and free-text **`payload_object.log`** (e.g. `Processing request for tool … from target …`).
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `aws.bedrock_agentcore.gateway.tool.name` → `event.action` | yes | yes | `DocumentRetrieval___fetch_order_details` | no | Gateway pipeline L140–144: `set_event_action_from_tool` copies tool name when grok matches `tool {name} from target {id}`; `test-aws-bedrock-agentcore-gateway.log-expected.json` |
+| `aws.bedrock_agentcore.operation` | no | n/a | `InvokeAgentRuntime` | yes | Runtime raw JSON field preserved in fixtures; vendor-native API operation name — best primary candidate for runtime stream |
+| `aws.bedrock_agentcore.operation_name` | no | n/a | `invoke_agent` | yes | Runtime pipeline L142–145: static `set`; GenAI-normalized label; alternate if shorter action names preferred |
+| `aws.bedrock_agentcore.memory.operation_name` | no | n/a | `invoke_memory` | yes | Memory pipeline L112–115: static `set`; only action field on memory stream |
+| `aws.bedrock_agentcore.gateway.operation_name` | no | n/a | `invoke_gateway` | partial | Gateway pipeline L151–154: static GenAI operation; supplementary to tool-level `event.action` |
+| `aws.bedrock_agentcore.gateway.payload_object.log` | no | n/a | *(free-text)* | partial | Unstructured log line; grok source for tool
name; not suitable as direct `event.action` without parsing |
+| `aws.dimensions.Operation` (metrics) | no | n/a | `InvokeAgentRuntime` (when present) | no | CloudWatch dimension on metric events; aggregation slice, not per-event action |
+| `event.action` | partial (gateway only) | yes (gateway) | see rows above | yes (runtime, memory) | Populated on **`gateway_application_logs`** only; absent from runtime, memory, and metrics fixtures |
+
+**Step 2b — per-stream check:**
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `runtime_application_logs` | no | no | `aws.bedrock_agentcore.operation` (`InvokeAgentRuntime`); alternate: `operation_name` (`invoke_agent`) | high | `runtime_application_logs/elasticsearch/ingest_pipeline/default.yml` L142–145 sets `operation_name` only; fixtures retain `operation` from raw JSON |
+| `memory_application_logs` | no | no | `aws.bedrock_agentcore.memory.operation_name` (`invoke_memory`) | high | `memory_application_logs/elasticsearch/ingest_pipeline/default.yml` L112–115; `test-aws-bedrock-agentcore-memory.log-expected.json` |
+| `gateway_application_logs` | yes | yes | `aws.bedrock_agentcore.gateway.tool.name` → `event.action` | high | `gateway_application_logs/elasticsearch/ingest_pipeline/default.yml` L132–144; `test-aws-bedrock-agentcore-gateway.log-expected.json` |
+| `metrics` | no | no | — (no per-event action) | high | `metrics/elasticsearch/ingest_pipeline/default.yml` — dimension split only; `metrics/sample_event.json` |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Application actor | user | — | high | `aws.bedrock_agentcore.request_payload.actor_id` in runtime `sample_event.json` and `test-aws-bedrock-agentcore.log-expected.json` (`DEFAULT`); `aws.bedrock_agentcore.memory.actor_id`
in memory samples (`DEFAULT`, `PREMIUM`); field definitions in both `fields/fields.yml` | **`runtime_application_logs`**, **`memory_application_logs`** — end-user or customer partition ID supplied by the agent application; not an AWS IAM principal |
+| Agent session | general | agent_session | moderate | `aws.bedrock_agentcore.session_id`, `conversation_id` (copied from `session_id` in pipelines); raw OTel `session.id` in `event.original` | **`runtime_application_logs`**, **`memory_application_logs`** — correlates invocations within a session; supplementary to `actor_id` |
+| Distributed trace context | general | trace | moderate | `trace.id`, `span.id` from OTel fields; present in runtime and gateway fixtures | **`runtime_application_logs`**, **`gateway_application_logs`** — cross-component correlation; not a security principal |
+
+**No actor identity in schema or samples:** **`gateway_application_logs`** — gateway tool events carry `request_id` and trace context only; no `actor_id` or caller principal. **`metrics`** — CloudWatch time-series aggregates keyed by dimension labels; no user or session dimensions. AWS account (`cloud.account.id`) is tenancy scope, not an interactive actor. Elastic Agent collector credentials are not indexed on events.
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct?
| Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `aws.bedrock_agentcore.request_payload.actor_id` | Runtime application actor | no (vendor-only) | n/a | high | `fields.yml` description: "Actor initiating the request"; populated in runtime fixtures |
+| `aws.bedrock_agentcore.memory.actor_id` | Memory operation actor | no (vendor-only) | n/a | high | Top-level memory field; `test-aws-bedrock-agentcore-memory.log-expected.json`: `PREMIUM` |
+| `aws.bedrock_agentcore.session_id` / `conversation_id` | Session correlation | no (vendor-only) | n/a | high | Pipelines copy `session_id` → `conversation_id`; not ECS `session.id` |
+| `trace.id` / `span.id` | Distributed trace correlation | yes | yes (context) | high | Runtime/gateway pipelines rename OTel `traceId`/`spanId` or `trace_id`/`span_id` |
+| `service.name` | Agent/endpoint or component identity | yes | partial | high | Runtime: dissected into `agent_name`/`endpoint_name` (e.g. `customersupport.DEFAULT`); memory/gateway: component resource name — describes deployed service, not caller |
+| `cloud.account.id` | AWS tenancy scope | yes (runtime, gateway, metrics) | yes (scope) | high | Runtime/gateway: `account_id` rename; metrics: Metricbeat collection |
+| `cloud.provider` / `cloud.service.name` | Cloud platform context | yes | yes (scope) | high | Static `aws` / `bedrock-agentcore` in all log pipelines |
+| Raw `attributes.actor.id` (memory) | OTel actor attribute | no (stripped) | n/a | medium | Present in memory `event.original` (`"actor.id":"PREMIUM"`) but not promoted to ECS `user.id` |
+| `user.*` / `related.user` | Security principal | no | n/a | high | Absent from all fixtures and pipelines |
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Platform / cloud service | Invoked AWS platform | Amazon Bedrock AgentCore | service | — | high
| `cloud.service.name: bedrock-agentcore` set statically in all log pipelines | All application log streams |
+| 2 — Resource / object | AgentCore component or downstream tool target | Runtime endpoint; Memory resource; Gateway; Lambda/MCP target | service / general | tool_target, memory_strategy | high | `resource_arn`, `agent_name`/`endpoint_name`, `memory_name`, `gateway_name`, `gateway.target` | Layer 2 varies by stream (see Per-stream notes) |
+| 3 — Content / artifact | Prompt, response, conversation, or tool invocation | User prompt; agent response; memory conversations; gateway tool call | general | ai_content, api_request, tool | high | `request_payload.prompt`, `response_payload_object`, `payload_object.currentConversations[]`, `event.action` (tool name) | Runtime and memory carry richest Layer 3 content |
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `cloud.service.name` | 1 | service | yes | yes (context) | context-only | yes | Static `bedrock-agentcore` in runtime/memory/gateway pipelines (`set_cloud_service_name`) |
+| `service.name` | 2 | service | yes | partial | `service.target.name` | yes | Runtime: agent endpoint (`customersupport.DEFAULT`); memory/gateway: resource component name from OTel attributes |
+| `aws.bedrock_agentcore.resource_arn` | 2 | service | no (vendor-only) | n/a | `entity.target.id` | yes | Runtime/memory/gateway ARN (e.g.
`...:runtime/customersupport-3OutfrDDJ3`) |
+| `aws.bedrock_agentcore.agent_name` / `endpoint_name` | 2 | service | no (vendor-only) | n/a | `service.target.name` | yes | Dissected from `service.name` in runtime pipeline |
+| `aws.bedrock_agentcore.memory.memory_name` / `memory_strategy` / `namespace` | 2 | general | no (vendor-only) | n/a | `entity.target.*` | yes | Memory pipeline grok/dissect; namespace embeds actor segment (e.g. `sales/customer/PREMIUM/history`) |
+| `aws.bedrock_agentcore.gateway.gateway_name` / `resource_arn` | 2 | service | no (vendor-only) | n/a | `entity.target.id` | yes | Gateway pipeline grok from ARN |
+| `aws.bedrock_agentcore.gateway.tool.name` | 3 | general | no (vendor-only) | n/a | context-only | no | Grok from `payload_object.log`; copied to `event.action` |
+| `aws.bedrock_agentcore.gateway.target` | 2 | general | no (vendor-only) | n/a | `entity.target.id` | yes | Grok from log pattern `tool {name} from target {id}`; fixture: `XYZPROD001` |
+| `event.action` | 3 | general | yes (gateway) | yes | context-only | no | Gateway pipeline copies tool name (e.g.
`DocumentRetrieval___fetch_order_details`) |
+| `aws.bedrock_agentcore.operation` / `operation_name` | 3 | general | no (vendor-only) | n/a | context-only | no | Runtime: `InvokeAgentRuntime` / `invoke_agent`; gateway: `invoke_gateway`; memory: `invoke_memory` |
+| `aws.bedrock_agentcore.request_payload.prompt` / `request_payload_object` | 3 | general | no (vendor-only) | n/a | context-only | no | Auditable prompt; large prompts truncated with `prompt_hash` (>32 KB) |
+| `aws.bedrock_agentcore.response_payload_object` | 3 | general | no (vendor-only) | n/a | context-only | no | Response array/object in `test-aws-bedrock-agentcore-response-array.log-expected.json` |
+| `aws.bedrock_agentcore.memory.payload_object.currentConversations[]` | 3 | general | no (vendor-only) | n/a | context-only | no | Conversation turns with `role: USER`/`ASSISTANT` — chat roles, not security actors |
+| `aws.bedrock_agentcore.request_id` / `memory.request_id` / `gateway.request_id` | 3 | general | no (vendor-only) | n/a | context-only | no | Per-request correlation IDs |
+| `aws.bedrock_agentcore.metrics.*` (dimensions) | 2 | service / general | yes (metrics) | partial | context-only | no | CloudWatch aggregates: `Invocations`, `TargetType_LAMBDA`, `TargetType_MCP`, identity token counters — metric slices, not per-event targets |
+| `*.target.*` / `destination.user.*` / `destination.host.*` | — | — | no | n/a | — | n/a | Not populated; package absent from `target_fields_audit.csv` and `destination_identity_hits.csv` |
+
+### Gaps and mapping notes
+
+- **`event.action` gap on runtime and memory** — vendor `operation` (`InvokeAgentRuntime`) and static `operation_name` (`invoke_agent`, `invoke_memory`) are present in fixtures but not copied to ECS `event.action`. Enhancement: map `aws.bedrock_agentcore.operation` → `event.action` on runtime (prefer vendor API name over static label); map `aws.bedrock_agentcore.memory.operation_name` → `event.action` on memory.
+- **Gateway action is tool-specific, not operation-level** — `event.action` holds the downstream tool name (e.g. `DocumentRetrieval___fetch_order_details`), not the gateway operation (`invoke_gateway`). Both facets are useful; consider retaining `operation_name` as vendor field when promoting tool name to `event.action`.
+- **Gateway grok pattern is narrow** — pipeline extracts `tool.name` and `target` only from logs matching `Processing request for tool {name} from target {id}`. Sample event line `Executing tool LambdaUsingSDK___check_warranty_status from target SYAKFOFFNO` does not populate those fields or `event.action`; fixture uses the `Processing request for tool ...` pattern.
+- **No ECS actor mapping** — canonical actor identity is vendor-only `actor_id` (`request_payload.actor_id` or `memory.actor_id`). Raw OTel `attributes.actor.id` in memory logs is not promoted to `user.id` or `gen_ai.user.id`. Enhancement: map application `actor_id` → `user.id` (or `user.name` when not UUID-like) with documentation that it is application-scoped, not IAM.
+- **No ECS `*.target.*` today** — richest target identity lives under `aws.bedrock_agentcore.*` vendor fields (`resource_arn`, `gateway.target`, `agent_name`/`endpoint_name`, memory `namespace`). Enhancement: promote ARNs and gateway targets to `entity.target.id` / `service.target.name`.
+- **`cloud.service.name` is Layer 1 context, not caller** — statically set to `bedrock-agentcore`; correctly identifies invoked platform but should not appear under Actor.
+- **Memory `currentConversations[].role: USER`** — chat turn role, not the security actor; actor is `memory.actor_id`.
+- **No IAM / Cognito / STS principal** — unlike `aws_bedrock` invocation logs (`identity.arn` → `user.id`), AgentCore application logs do not expose AWS caller identity.
+- **Metrics are audit-adjacent only** — identity token fetch and inbound-authorization counters support security monitoring but lack per-request actor/target/action; CloudWatch dimensions (`Operation`, `Resource ARN`, `AgentId`, `SessionId`) are aggregation slices.
+- **Target-fields audit alignment** — `moderate_candidate`: strong vendor actor/target fields in application logs (`vendor_target_special_cases.csv` flags `gateway.target`, metrics `TargetType_*`), but no ECS target tier-A mapping and no pipeline actor ECS promotion.
+
+### Per-stream notes
+
+#### runtime_application_logs
+
+CloudWatch or S3 application logs from AgentCore Runtime. Pipeline parses JSON into `aws.bedrock_agentcore.*`, promotes `account_id` → `cloud.account.id`, trace/span IDs, and dissects `service.name` into agent and endpoint. **Action:** vendor `operation: InvokeAgentRuntime` retained; pipeline sets static `operation_name: invoke_agent` but **does not map to `event.action`**. Actor: **user** via application **`actor_id`** plus **agent_session** correlation (`session_id` / `conversation_id`). Target Layer 1: **Bedrock AgentCore** (`cloud.service.name`). Layer 2: **runtime resource** (`resource_arn`, `agent_name`, `endpoint_name`). Layer 3: **prompt/response content** and **`request_id`**. `event.outcome` reflects pipeline errors only; successful invocations with null response still mark success.
+
+#### memory_application_logs
+
+CloudWatch or S3 logs from AgentCore Memory. Pipeline groks `memory_name` from ARN, derives `memory_strategy` from `memory_strategy_id`, and flattens `body` → `payload_object`. **Action:** static `operation_name: invoke_memory`; **no `event.action`**. Actor: **`actor_id`** (often mirrored in `namespace`, e.g. `.../PREMIUM/...`). Target Layer 2: **memory resource**, **strategy**, **namespace partition**. Layer 3: **conversation content** in `payload_object.currentConversations`. `event.outcome` derives from `payload_object.isError`.
No `cloud.account.id` in memory pipeline (only `cloud.provider`/`cloud.service.name`).
+
+#### gateway_application_logs
+
+CloudWatch or S3 logs from AgentCore Gateway. Pipeline groks `gateway_name` from ARN and extracts **`tool.name`** and **`target`** from `payload_object.log` via pattern `tool {name} from target {id}`. **Action:** **`event.action`** = tool name (e.g. `DocumentRetrieval___fetch_order_details`); static `operation_name: invoke_gateway` retained separately. Actor: none indexed — gateway acts on behalf of an agent; correlate via `trace.id` to runtime logs. Target Layer 2: **gateway resource** and external **tool target** (`gateway.target`). Layer 3: **tool invocation** content in `payload_object.log`.
+
+#### metrics
+
+CloudWatch metrics from `AWS/Bedrock-AgentCore` on a configurable period (default 5m). Covers runtime, gateway, memory, identity, browser tool, and code interpreter counters and latency averages. **No per-event action** — CloudWatch `Operation` dimension (when present) labels the metric slice. No actor; Layer 2 context is **CloudWatch dimension labels** and aggregate **target-type** breakdowns (Lambda vs MCP). Identity and inbound-authorization metrics support security monitoring but are not per-event audit records.
+
+## Example Event Graph
+
+The examples below come from the three **application log** streams (`runtime_application_logs`, `memory_application_logs`, `gateway_application_logs`). These are OpenTelemetry-style AgentCore application logs—audit-adjacent operational telemetry with prompts, memory content, and tool invocations—not AWS CloudTrail administrative audit records. The **`metrics`** stream is omitted: it contains time-bucketed CloudWatch aggregates only, with no per-event Actor → action → Target chain.
+
+### Example 1: Agent runtime invocation
+
+**Stream:** `aws_bedrock_agentcore.runtime_application_logs` · **Fixture:** `packages/aws_bedrock_agentcore/data_stream/runtime_application_logs/sample_event.json`
+
+```
+Application actor (DEFAULT) → InvokeAgentRuntime → Agent runtime endpoint (customersupport.DEFAULT)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | DEFAULT |
+| type | user |
+
+**Field sources:**
+- `id` ← `aws.bedrock_agentcore.request_payload.actor_id` — application-scoped customer/session partition, not an IAM principal
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | InvokeAgentRuntime |
+| source_field | `aws.bedrock_agentcore.operation` |
+| source_value | InvokeAgentRuntime |
+
+**Not mapped to ECS `event.action` today** — pipeline sets static `operation_name: invoke_agent` separately.
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | arn:aws:bedrock-agentcore:us-east-1:627286350133:runtime/customersupport-3OutfrDDJ3 |
+| name | customersupport.DEFAULT |
+| type | service |
+| sub_type | runtime_endpoint |
+
+**Field sources:**
+- `id` ← `aws.bedrock_agentcore.resource_arn`
+- `name` ← `service.name` (dissected into `agent_name` + `endpoint_name`)
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: DEFAULT"] --> E["InvokeAgentRuntime"]
+ E --> T["Target: customersupport.DEFAULT"]
+```
+
+### Example 2: Memory conversation history access
+
+**Stream:** `aws_bedrock_agentcore.memory_application_logs` · **Fixture:** `packages/aws_bedrock_agentcore/data_stream/memory_application_logs/_dev/test/pipeline/test-aws-bedrock-agentcore-memory.log-expected.json`
+
+```
+Application actor (PREMIUM) → invoke_memory → Memory resource (salesassistant, conversation_history)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | PREMIUM |
+| type | user |
+
+**Field sources:**
+- `id` ← `aws.bedrock_agentcore.memory.actor_id` — also mirrored in `namespace` (`sales/customer/PREMIUM/history`)
+
+#### Event
action
+
+| Field | Value |
+| --- | --- |
+| action | invoke_memory |
+| source_field | `aws.bedrock_agentcore.memory.operation_name` |
+| source_value | invoke_memory |
+
+**Not mapped to ECS `event.action` today.**
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | arn:aws:bedrock-agentcore:eu-west-1:912345678012:memory/salesassistant-8k2pq9RtyH |
+| name | salesassistant-8k2pq9RtyH |
+| type | service |
+| sub_type | memory_strategy |
+
+**Field sources:**
+- `id` ← `aws.bedrock_agentcore.memory.resource_arn`
+- `name` ← `service.name`
+- `sub_type` ← `aws.bedrock_agentcore.memory.memory_strategy` (`conversation_history`)
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: PREMIUM"] --> E["invoke_memory"]
+ E --> T["Target: salesassistant-8k2pq9RtyH"]
+```
+
+### Example 3: Gateway tool invocation
+
+**Stream:** `aws_bedrock_agentcore.gateway_application_logs` · **Fixture:** `packages/aws_bedrock_agentcore/data_stream/gateway_application_logs/_dev/test/pipeline/test-aws-bedrock-agentcore-gateway.log-expected.json`
+
+```
+AgentCore Gateway (ordermanager-gw-abc12def34) → DocumentRetrieval___fetch_order_details → external tool target (XYZPROD001)
+```
+
+Gateway events carry no end-user `actor_id`; the gateway service routes the tool call on behalf of an upstream agent (correlate via `trace.id` to runtime logs).
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | arn:aws:bedrock-agentcore:us-west-2:845123678901:gateway/ordermanager-gw-abc12def34 |
+| name | ordermanager-gw-abc12def34 |
+| type | service |
+| sub_type | agentcore_gateway |
+
+**Field sources:**
+- `id` ← `aws.bedrock_agentcore.gateway.resource_arn`
+- `name` ← `service.name` (gateway resource from OTel attributes)
+- `trace.id` = `8e45f912abcd3456ef7890123456abcd` links this call to a runtime invocation — correlation context, not the actor
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | DocumentRetrieval___fetch_order_details |
+| source_field | `event.action` |
+| source_value | DocumentRetrieval___fetch_order_details |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | XYZPROD001 |
+| type | general |
+| sub_type | tool_target |
+
+**Field sources:**
+- `id` ← `aws.bedrock_agentcore.gateway.target` — downstream system the tool routes to (from grok on `payload_object.log`)
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: ordermanager-gw-abc12def34"] --> E["DocumentRetrieval___fetch_order_details"]
+ E --> T["Target: XYZPROD001"]
+```
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (`policy_templates`, four `data_stream/` directories with Tier A `sample_event.json` and `*-expected.json` fixtures). Router: **`data_stream.dataset`** (`aws_bedrock_agentcore.{stream}` per `manifest.yml` and fixtures). Pass 4 is **fill-gaps-only**: detection flags run first; mapped columns use **column-level** `CASE( IS NOT NULL, , fallback, null)` — not `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` — so partial future enrichment on one column does not block vendor fallbacks on empty siblings (Pass 4 §10). Three application log streams support **partial** extraction (vendor `actor_id` → `user.id`, not IAM); **`gateway_application_logs`** uses **service** actor (gateway resource) with **general** external tool target (Pass 3).
**`metrics`** excluded — no per-event graph.
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `aws_bedrock_agentcore.runtime_application_logs` | agent runtime invocation | user | service | partial |
+| `aws_bedrock_agentcore.memory_application_logs` | memory read/write | user | service | partial |
+| `aws_bedrock_agentcore.gateway_application_logs` | gateway tool routing | service | general (tool_target) | partial |
+| `aws_bedrock_agentcore.metrics` | CloudWatch metrics | — | — | none |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.id` | `aws.bedrock_agentcore.request_payload.actor_id` | `data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND aws.bedrock_agentcore.request_payload.actor_id IS NOT NULL` | high | **vendor fallback** — application partition (`DEFAULT`); not IAM |
+| `user.id` | `aws.bedrock_agentcore.memory.actor_id` | `data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND aws.bedrock_agentcore.memory.actor_id IS NOT NULL` | high | **vendor fallback** — e.g.
`PREMIUM` |
+| `service.id` | `aws.bedrock_agentcore.gateway.resource_arn` | `data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs" AND aws.bedrock_agentcore.gateway.resource_arn IS NOT NULL` | high | **vendor fallback** — gateway ARN; ingest sets `service.name` but not `service.id` |
+| `service.name` | `service.name` | `data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs"` | high | **ingest-only — no ES|QL** — indexed on gateway fixtures; no alternate query-time source (Pass 4 §10) |
+| `entity.type` | `"user"` / `"service"` | per dataset (see classification helpers) | medium | **semantic literal** — Pass 3 actor classification |
+| `entity.sub_type` | `"agentcore_gateway"` | `data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs"` | medium | **semantic literal** — gateway service actor |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `service.target.id` | `aws.bedrock_agentcore.resource_arn` | `data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND aws.bedrock_agentcore.resource_arn IS NOT NULL` | high | **vendor fallback** — runtime endpoint ARN (Pass 3 Example 1) |
+| `service.target.name` | `service.name` | `data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND service.name IS NOT NULL` | high | **vendor fallback** — e.g. `customersupport.DEFAULT` |
+| `service.target.id` | `aws.bedrock_agentcore.memory.resource_arn` | `data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND aws.bedrock_agentcore.memory.resource_arn IS NOT NULL` | high | **vendor fallback** |
+| `service.target.name` | `service.name` | `data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND service.name IS NOT NULL` | high | **vendor fallback** — e.g.
`salesassistant-8k2pq9RtyH` | +| `entity.target.id` | `aws.bedrock_agentcore.gateway.target` | `data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs" AND aws.bedrock_agentcore.gateway.target IS NOT NULL` | high | **vendor fallback** — downstream tool target (Pass 3 Example 3) | +| `entity.target.type` | `"general"` | gateway + `gateway.target IS NOT NULL` | medium | **semantic literal** | +| `entity.target.sub_type` | `"tool_target"` | gateway + `gateway.target IS NOT NULL` | medium | **semantic literal** | +| `entity.target.sub_type` | `aws.bedrock_agentcore.memory.memory_strategy` | `data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND aws.bedrock_agentcore.memory.memory_strategy IS NOT NULL` | high | **vendor fallback** — e.g. `conversation_history` | + +#### Event action mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `event.action` | `event.action` | `data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs"` | high | **preserve existing** — tool name from ingest grok | +| `event.action` | `aws.bedrock_agentcore.operation` | `data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND aws.bedrock_agentcore.operation IS NOT NULL` | high | **vendor fallback** — `InvokeAgentRuntime`; prefer over static `operation_name` | +| `event.action` | `aws.bedrock_agentcore.memory.operation_name` | `data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND aws.bedrock_agentcore.memory.operation_name IS NOT NULL` | high | **vendor fallback** — `invoke_memory` | + +`actor_exists` omits bare `service.name` because gateway fixtures index `service.name` without `service.id`; treating name-only as complete would block ARN → `service.id` fallback. 
Actor/target/action `EVAL` blocks use **column-level** `IS NOT NULL` preserve — not `CASE(actor_exists, user.id, …)` / `CASE(target_exists, service.target.id, …)` — so e.g. `entity.target.id` on gateway does not block `service.target.name` ← `service.name` on runtime/memory (Pass 4 §10). + +**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. Wrong: `CASE(user.id IS NOT NULL, user.id, aws.bedrock_agentcore.memory.actor_id, null)` (4 args — vendor field is a **condition**, not a value). Wrong: `CASE(actor_exists, user.id, aws.bedrock_agentcore.memory.actor_id, null)` (same). Right: **5-arg** `CASE(user.id IS NOT NULL, user.id, data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND aws.bedrock_agentcore.memory.actor_id IS NOT NULL, aws.bedrock_agentcore.memory.actor_id, null)`. **7-arg** when multiple dataset fallbacks apply (e.g. `user.id` runtime + memory). Do not use `CASE(action_exists, event.action, …)` — use `event.action IS NOT NULL` as the preserve branch. 
+
+### Detection flags (mandatory — run first)
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+### Optional classification helpers (when needed)
+
+Actor and target type labels in **fallback** only (not indexed at ingest today):
+
+```esql
+| EVAL
+ entity.type = CASE(
+ entity.type IS NOT NULL, entity.type,
+ data_stream.dataset IN ("aws_bedrock_agentcore.runtime_application_logs", "aws_bedrock_agentcore.memory_application_logs"), "user",
+ data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs", "service",
+ null
+ ),
+ entity.sub_type = CASE(
+ entity.sub_type IS NOT NULL, entity.sub_type,
+ data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs", "agentcore_gateway",
+ null
+ ),
+ entity.target.type = CASE(
+ entity.target.type IS NOT NULL, entity.target.type,
+ data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs" AND aws.bedrock_agentcore.gateway.target IS NOT NULL, "general",
+ data_stream.dataset IN ("aws_bedrock_agentcore.runtime_application_logs", "aws_bedrock_agentcore.memory_application_logs"), "service",
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs" AND aws.bedrock_agentcore.gateway.target IS NOT NULL, "tool_target",
+ data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs", "runtime_endpoint",
+ data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND aws.bedrock_agentcore.memory.memory_strategy IS NOT NULL, aws.bedrock_agentcore.memory.memory_strategy,
+ null
+ )
+```
+
+### Combined ES|QL — actor fields
+
+Omitted from actor `EVAL` (ingest-only — no alternate query-time source): `service.name` on **`gateway_application_logs`** (indexed from OTel attributes; `CASE(…, service.name, …, service.name, null)` is identity no-op per Pass 4 §10).
+
+```esql
+| EVAL
+ user.id = CASE(
+ user.id IS NOT NULL, user.id,
+ data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND aws.bedrock_agentcore.request_payload.actor_id IS NOT NULL, aws.bedrock_agentcore.request_payload.actor_id,
+ data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND aws.bedrock_agentcore.memory.actor_id IS NOT NULL, aws.bedrock_agentcore.memory.actor_id,
+ null
+ ),
+ service.id = CASE(
+ service.id IS NOT NULL, service.id,
+ data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs" AND aws.bedrock_agentcore.gateway.resource_arn IS NOT NULL, aws.bedrock_agentcore.gateway.resource_arn,
+ null
+ )
+```
+
+### Combined ES|QL — event action
+
+```esql
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND aws.bedrock_agentcore.operation IS NOT NULL, aws.bedrock_agentcore.operation,
+ data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND aws.bedrock_agentcore.memory.operation_name IS NOT NULL, aws.bedrock_agentcore.memory.operation_name,
+ null
+ )
+```
+
+Gateway stream: ingest grok populates `event.action` when the log matches the tool pattern; column-level preserve keeps the tool name. Runtime/memory: fallback to vendor operation fields (Pass 2 enhancement candidates).
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ service.target.id = CASE(
+ service.target.id IS NOT NULL, service.target.id,
+ data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND aws.bedrock_agentcore.resource_arn IS NOT NULL, aws.bedrock_agentcore.resource_arn,
+ data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND aws.bedrock_agentcore.memory.resource_arn IS NOT NULL, aws.bedrock_agentcore.memory.resource_arn,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND service.name IS NOT NULL, service.name,
+ data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND service.name IS NOT NULL, service.name,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs" AND aws.bedrock_agentcore.gateway.target IS NOT NULL, aws.bedrock_agentcore.gateway.target,
+ null
+ )
+```
+
+Do not map `cloud.service.name` (`bedrock-agentcore`) to `service.target.name` — Layer 1 platform context, not the invoked resource (Pass 2/3).
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ user.id = CASE(
+ user.id IS NOT NULL, user.id,
+ data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND aws.bedrock_agentcore.request_payload.actor_id IS NOT NULL, aws.bedrock_agentcore.request_payload.actor_id,
+ null
+ ),
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND aws.bedrock_agentcore.operation IS NOT NULL, aws.bedrock_agentcore.operation,
+ null
+ ),
+ service.target.id = CASE(
+ service.target.id IS NOT NULL, service.target.id,
+ data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND aws.bedrock_agentcore.resource_arn IS NOT NULL, aws.bedrock_agentcore.resource_arn,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND service.name IS NOT NULL, service.name,
+ null
+ )
+| KEEP @timestamp, data_stream.dataset, event.action, user.id, service.target.id, service.target.name, trace.id
+```
+
+### Streams excluded
+
+- **`aws_bedrock_agentcore.metrics`** — CloudWatch time-bucketed aggregates (`event.kind: metric`); dimensions (`Operation`, `AgentId`, `SessionId`, `TargetType_*`) are metric slices, not per-event actor/target/action.
+
+### Gaps and limitations
+
+- **`user.id` is application-scoped** — `DEFAULT`/`PREMIUM` are customer partitions, not Entra/IAM/Cognito principals; do not treat as security principal IDs.
+- **No IAM caller identity** — unlike `aws_bedrock.invocation` (`identity.arn`); do not infer AWS principal from `cloud.account.id`.
+- **Gateway grok coverage** — `aws.bedrock_agentcore.gateway.target` and `event.action` populate only when `payload_object.log` matches `Processing request for tool {name} from target {id}`; alternate patterns (e.g. `Executing tool … from target …` in `sample_event.json`) leave target/action empty at ingest and in ES|QL fallback.
+- **`aws.bedrock_agentcore.operation_name`** — static GenAI labels (`invoke_agent`, `invoke_memory`, `invoke_gateway`) omitted from `event.action` fallback in favor of vendor `operation` / memory `operation_name` / gateway tool `event.action`.
+- **`user.name` / `user.email` / `host.*`** — no indexed sources; `actor_id` is not UUID-like but stored as `user.id` only.
+- **`service.target.name` on gateway** — Pass 3 target is external tool ID (`entity.target.id`), not gateway resource name; gateway ARN remains actor `service.id`.
+- **Session correlation** — `session_id` / `conversation_id` / `trace.id` not promoted to ECS session fields; out of mandatory column set.
+- **Pass 2 enhancement alignment** — ingest-time `user.id` ← `actor_id`, `*.target.*` ← ARNs, and runtime/memory `event.action` remain preferred; Pass 4 fills gaps without overwriting populated values.
+- **Pass 4 CASE syntax** — all `CASE` use odd-arity defaults (`null`) or valid **3-arg** / **5-arg** / **7-arg** column-level preserve (` IS NOT NULL` first branch); never **4-arg** `CASE( IS NOT NULL, , bare_vendor_field, null)` or `CASE(actor_exists|target_exists|action_exists, , …)`. Vendor fallbacks include `IS NOT NULL` on source fields. Detection flags are helpers only — not first `CASE` branches on mapped columns. Full pipeline fragment aligned with combined `EVAL` blocks.
+- **Unscoped `FROM logs-*`** — dataset routing lives in `CASE` fallback conditions (`data_stream.dataset == …`), not a top-level `WHERE`.
+- **Pass 4 tautology cleanup (§10)** — `service.name` omitted from actor `EVAL` (ingest-only; no `CASE(col, col, …)`); `service.target.name` fallback promotes `service.name` (different field), not `service.target.name` again.
diff --git a/dev/domain/p1/aws_cloudtrail_otel.md b/dev/domain/p1/aws_cloudtrail_otel.md
new file mode 100644
index 00000000000..3a7c90c6192
--- /dev/null
+++ b/dev/domain/p1/aws_cloudtrail_otel.md
@@ -0,0 +1,540 @@
+# aws_cloudtrail_otel
+
+## Product Domain (AWS CloudTrail via OTel)
+
+AWS CloudTrail is a governance, compliance, and security auditing service that records API activity and account events across an AWS organization. It captures who invoked an API, which service and operation were called, when and from where the request originated, whether it succeeded or failed, and which resources were affected. CloudTrail is the primary audit trail for IAM changes, resource provisioning, data-plane access in supported services, and cross-account activity—supporting security investigations, compliance reporting, and operational troubleshooting.
+
+The Elastic **AWS CloudTrail Logs OpenTelemetry Assets** package is a content integration that ships Kibana dashboards for telemetry ingested via OpenTelemetry—not an Elastic Agent log shipper. Collection is typically configured with the EDOT Cloud Forwarder (ECF) for AWS or a standalone OpenTelemetry Collector using the `awss3receiver`, `awslogsencodingextension` (CloudTrail JSON format), and `elasticsearchexporter`. CloudTrail log files land in S3 (often under `AWSLogs//`) and are polled via SQS notifications; the OTel pipeline parses records into ECS-aligned documents indexed under the `aws.cloudtrail.otel` dataset.
+
+This package complements the classic Elastic Agent **AWS** integration (`aws.cloudtrail` data stream) by targeting the OTel ingestion path. It provides a CloudTrail Logs Overview dashboard for monitoring API call volume, success vs. failure outcomes, top services and operations, access-key activity, client user agents, and error-code breakdowns across AWS accounts.
+
+## Data Collected (brief)
+
+Logs only (no metrics). The package expects data already ingested with `data_stream.dataset: aws.cloudtrail.otel` via OpenTelemetry; it does not define its own Elastic Agent data streams or ingest pipelines.
+
+Each document represents one CloudTrail management or data event. Key fields surfaced in dashboards and typical OTel mappings include:
+
+| Field area | Examples |
+|---|---|
+| **RPC / API context** | `rpc.system`, `rpc.service`, `rpc.method` (AWS service and operation) |
+| **AWS identity & errors** | `aws.access_key.id`, `aws.error.code` |
+| **Network & client** | `source.address`, `user_agent.original` |
+| **Outcome** | Derived from presence of `aws.error.code` (success vs. failure) |
+
+Standard CloudTrail attributes (event ID, event type and category, user identity ARN and type, session issuer, request/response parameters, resource ARNs, read-only flag, management vs. data event classification, etc.) may also be present depending on trail configuration and OTel encoding settings. Collection requires AWS CloudTrail enabled with S3 delivery, SQS queue notifications on the log bucket, and an OTel pipeline (ECF for AWS or collector with `awslogs_encoding/cloudtrail`).
+
+## Expected Audit Log Entities
+
+Evidence is from `packages/aws_cloudtrail_otel/docs/README.md`, the bundled **CloudTrail Logs Overview** dashboard (`packages/aws_cloudtrail_otel/kibana/dashboard/aws_cloudtrail_otel-9bfbe31c-e775-4ee4-9e34-a449e603d109.json`), and the OpenTelemetry `awslogsencodingextension` CloudTrail field mapping ([OTel Collector Contrib README](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/encoding/awslogsencodingextension#cloudtrail-record-fields), tested at v0.138.0 per package README). This integration is **dashboards-only**—it expects data already ingested with `data_stream.dataset: aws.cloudtrail.otel` via ECF for AWS or a standalone OTel collector; there are no Elastic Agent data streams, ingest pipelines, or package test fixtures. Actor and target semantics follow native CloudTrail `userIdentity` and `resources` JSON, mapped to ECS-aligned OTel attributes at **collection time** (not post-ingest Elastic pipelines). Records are true **AWS API audit logs** (management and data events) plus separate **CloudTrail digest** integrity records. ECS `*.target.*` fields are **not populated** (`dev/target-fields-audit/out/target_enhancement_packages.csv` classifies `aws_cloudtrail_otel` as **none** for all target-entity fields; no row in `target_fields_audit.csv`). `destination.user.*` / `destination.host.*` are **not used** (absent from `destination_identity_hits.csv`). The classic Elastic Agent **`aws.cloudtrail`** data stream adds post-ingest entity enrichment (`user.entity.id`, `user.target.entity.id`, `service.target.entity.id`, `related.entity`, etc.) and sets **`event.action`** from `eventName`; the OTel path does **neither**. **`event.action` is absent** on the OTel path — CloudTrail `eventName` maps to **`rpc.method`** instead; the bundled dashboard groups operations by `rpc.method`, not `event.action`.
+
+### Event action (semantic)
+
+What operation or activity does each stream record?
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `AttachUserPolicy` | administration | high | Classic `aws.cloudtrail` fixture (`test-attach-user-policy-json.log-expected.json`); OTel README: `eventName` → `rpc.method` | **`aws.cloudtrail.otel`** — IAM policy attachment; representative mutating management API |
+| `GetCallerIdentity` | authentication | high | Classic fixture (`test-get-caller-identity-json.log-expected.json`); dashboard "Top Services and Operations" ES\|QL groups by `rpc.method` | **`aws.cloudtrail.otel`** — STS identity lookup; read-only |
+| `CreateDBInstance` | configuration_change | high | Classic fixture (`test-create-db-instance-json.log-expected.json`) | **`aws.cloudtrail.otel`** — RDS provisioning |
+| `PutObject` / `GetObject` | data_access | high | Classic S3 fixtures in `packages/aws/data_stream/cloudtrail/_dev/test/pipeline/` | **`aws.cloudtrail.otel`** — S3 data-plane access when data events enabled |
+| `UserAuthentication` | authentication | high | Classic fixture (`test-user-authentication.log`); `eventType: AwsServiceEvent` | **`aws.cloudtrail.otel`** — Identity Center / sign-in service event, not a direct API call |
+| `ConsoleLogin` | authentication | high | Classic pipeline handles `event.action == 'ConsoleLogin'` (`default.yml` L1847–1851) | **`aws.cloudtrail.otel`** — AWS Management Console sign-in |
+| `DeleteRule` | configuration_change | high | Classic fixture (`test-delete-rule-json.log`) | **`aws.cloudtrail.otel`** — EventBridge rule deletion |
+| *(no per-event action)* | — | high | OTel README digest mapping — `aws.cloudtrail.digest.*` metadata only | **Digest records** — log-file integrity verification; no `userIdentity` or `eventName` |
+
+CloudTrail **`eventName`** is the canonical per-event action (e.g. `AttachUserPolicy`, `GetCallerIdentity`, `PutObject`). On the OTel path it appears as **`rpc.method`**, not ECS **`event.action`**. Do not substitute **`rpc.system`** (`AwsApiCall`, `AwsServiceEvent`) or **`aws.event.category`** (`Management`, `Data`) for the operation verb — they classify record type and audit category, not the specific API call.
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| CloudTrail `eventName` → `rpc.method` | no (maps to `rpc.method`) | partial | `AttachUserPolicy`, `GetCallerIdentity`, `CreateDBInstance`, `PutObject`, `UserAuthentication` | yes | OTel README L486: `eventName` → `rpc.method`; classic `aws.cloudtrail` pipeline L1105–1108 sets `event.action` from same source — OTel uses RPC namespace instead of ECS |
+| `rpc.method` | no | yes (as action surrogate) | Same `eventName` values as above | yes | Dashboard "Top Services and Operations" ES\|QL groups by `rpc.method`; de-facto action field on OTel path |
+| `event.action` | no | n/a | — | yes | Not in OTel CloudTrail mapping table; absent from dashboard field list |
+| `rpc.system` ← `eventType` | no | n/a | `AwsApiCall`, `AwsServiceEvent` | no | OTel README L488; record-type taxonomy, not operation name; dashboard "Event Types" panel |
+| `aws.event.category` ← `eventCategory` | no | n/a | `Management`, `Data` | no | OTel README L471; audit stream category, not per-call verb |
+| `aws.event.read_only` / `aws.event.management` | no | n/a | boolean facets | no | OTel README L473–475; mutability/management flags, not action labels |
+| `rpc.service` ← `eventSource` | no | n/a | `iam.amazonaws.com`, `s3.amazonaws.com` | no | OTel README L487; invoked **service** (Layer 1 target), not the operation |
+
+**Step 2b — per-stream check:**
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `aws.cloudtrail.otel` (event records) | no | no (OTel at collection) | CloudTrail `eventName` → `rpc.method` (should also → `event.action`) | high | OTel README CloudTrail table; no package fixtures; classic `aws.cloudtrail` proves `eventName` semantics; dashboard ES\|QL uses `rpc.method` |
+| Digest records | no | no | — (no per-event action) | high | OTel README digest table — `aws.cloudtrail.digest.*` only; integrity metadata |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| IAM user / root / Identity Center user | user | — | high | `user.name` ← `userIdentity.userName`; `user.id` ← `userIdentity.userId`; `aws.principal.arn`, `aws.principal.type` (`IAMUser`, `IdentityCenterUser`, `Root`); `aws.identity_store.arn` for Identity Center | **`aws.cloudtrail.otel`** — API caller principal |
+| Assumed role / federated session | user | assumed_role | high | `aws.principal.arn` (e.g. `arn:aws:sts::…:assumed-role/…`); `aws.principal.type` (`AssumedRole`, `FederatedUser`); session issuer under `aws.user_identity.session_context.issuer.*` | **`aws.cloudtrail.otel`** — role name and session embedded in ARN |
+| Session issuer (underlying role/user) | user | — | high | `aws.user_identity.session_context.issuer.arn`, `.user_name`, `.type`, `.account_id` when temporary credentials used | **`aws.cloudtrail.otel`** — who issued the session, distinct from assumed-role session name |
+| Access key credential | general | aws_access_key | high | `aws.access_key.id` ← `userIdentity.accessKeyId`; dashboard "Access Key Activity" ES\|QL groups by this field | **`aws.cloudtrail.otel`** — credential facet, not a human principal |
+| AWS service principal | service | — | high | `aws.principal.type == AWSService`; `aws.user_identity.invoked_by` (e.g. `lambda.amazonaws.com`, `ec2.amazonaws.com`) | **`aws.cloudtrail.otel`** — service-to-service API calls |
+| API client (network origin) | host | — | high | `source.address` ← `sourceIPAddress`; overview datatable column alongside access key and RPC fields | **`aws.cloudtrail.otel`** — client IP/endpoint, not a security principal |
+| Client software | general | user_agent | moderate | `user_agent.original` ← `userAgent`; dashboard "Client User Agents" ES\|QL normalizes and ranks agents | **`aws.cloudtrail.otel`** — application context (CLI, console, SDK) |
+| Cross-account / delegated actor | user | — | medium | `aws.user_identity.session_context.issuer.arn`, `aws.principal.id` during role chaining; `aws.identity_store.arn` for Identity Center on-behalf-of flows | **`aws.cloudtrail.otel`** — schema-supported; not exercised in dashboard ES\|QL |
+
+**Not actors:** `cloud.account.id` ← `recipientAccountId` is the account where the event was recorded (tenancy scope). `aws.user_identity.account_id` is the calling principal's home account (scope context). Digest records under `aws.cloudtrail.digest.*` describe log-file integrity, not an API caller.
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `user.id` | Principal user ID | yes (OTel) | yes | high | OTel README: `userIdentity.userId` → `user.id` |
+| `user.name` | IAM / Identity Center username | yes (OTel) | yes | high | OTel README: `userIdentity.userName` → `user.name` |
+| `aws.principal.arn` | Canonical principal ARN | yes (OTel) | yes | high | OTel README: `userIdentity.arn` → `aws.principal.arn`; primary actor identifier for IAM/STS |
+| `aws.principal.type` | Principal class | yes (OTel) | yes | high | OTel README: `userIdentity.type` → `aws.principal.type` |
+| `aws.principal.id` | Principal ID | yes (OTel) | yes | high | OTel README: `userIdentity.principalId` → `aws.principal.id` |
+| `aws.access_key.id` | Access key used | yes (OTel) | yes | high | OTel README + dashboard ES\|QL "Access Key Activity" |
+| `aws.user_identity.session_context.issuer.*` | Session issuer identity | yes (OTel) | yes | high | OTel README maps issuer type, ARN, account, userName, principalId |
+| `aws.user_identity.invoked_by` | AWS service caller name | yes (OTel) | yes | high | OTel README: `userIdentity.invokedBy`; service-principal actor facet |
+| `aws.identity_store.arn` | Identity Center store | yes (OTel) | yes | moderate | OTel README: `userIdentity.identityStoreArn` |
+| `aws.user_identity.account_id` | Caller home account | yes (OTel) | yes | high | OTel README; scope context, not the interactive actor |
+| `source.address` | Client IP / endpoint | yes (OTel) | yes | high | OTel README: `sourceIPAddress` → `source.address`; dashboard datatable |
+| `user_agent.original` | Client application | yes (OTel) | yes | moderate | OTel README + dashboard "Client User Agents" ES\|QL |
+| `client.user.*` / `user.entity.id` / `service.entity.id` / `host.entity.id` | Security Solution entity enrichment | no | n/a | — | Classic `aws.cloudtrail` pipeline only; absent on OTel path |
+| `destination.user.*` / `destination.host.*` | De-facto target identity | no | n/a | — | Not used (`destination_identity_hits.csv` has no row) |
+
+**Mapping note:** "Mapped today?" reflects OTel `awslogsencodingextension` output at collection time. No Elastic ingest pipeline exists in this package to verify or override mappings.
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Platform / cloud service | AWS API endpoint invoked | S3, EC2, IAM, Lambda, … | service | — | high | `rpc.service` ← `eventSource` (e.g. `s3.amazonaws.com`); dashboard "Top Services and Operations" ES\|QL | **`aws.cloudtrail.otel`** — invoked AWS service; no `cloud.service.name` set by OTel |
+| 2 — Resource / object | Resource acted upon in the API call | S3 bucket, EC2 instance, IAM role, … | general | aws_resource | high | `aws.resources[]` (ARN, type, accountId per element); `aws.request.parameters` / `aws.response.elements` carry resource names and IDs per `rpc.method` | **`aws.cloudtrail.otel`** — primary audit target for mutating and data-access events |
+| 3 — Content / artifact | Single API request instance | CloudTrail request / event ID | general | api_request | high | `aws.request_id` ← `requestID`; `aws.cloudtrail.event_id` ← `eventID` | **`aws.cloudtrail.otel`** — correlatable per-call identifier |
+| 3 — Content / artifact | Request / response payload | Parameters and created resource details | general | request_payload / response_payload | moderate | `aws.request.parameters`, `aws.response.elements` (nested maps); resource identity varies by operation | **`aws.cloudtrail.otel`** — may embed target resource names not in `aws.resources` |
+| 3 — Content / artifact | Event classification | Management vs data, read-only | general | api_event_class | moderate | `rpc.system` ← `eventType` (`AwsApiCall`, `AwsServiceEvent`); `aws.event.read_only`, `aws.event.management`; dashboard "Event Types" panel | **`aws.cloudtrail.otel`** — record class, not a standalone resource |
+| 3 — Content / artifact | Digest log integrity record | S3 digest file metadata | general | cloudtrail_digest | low | `aws.cloudtrail.digest.*` (S3 bucket/object, time bounds, log file hashes) | Digest record type only — integrity verification, not an API actor/target pair |
+
+**Not targets:** `aws.error.code` / `aws.error.message` are outcome metadata (dashboard derives success vs failure). `cloud.region` and `cloud.account.id` are regional and tenancy scope. `server.address` from TLS client host header is low-confidence DNS context only.
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `rpc.service` | 1 | service | yes (OTel) | yes | `cloud.service.name` / `service.target.name` | yes | OTel README: `eventSource` → `rpc.service`; dashboard ES\|QL; not copied to `cloud.service.name` |
+| `rpc.method` | — | — | yes (OTel) | yes (as action) | context-only | yes | OTel README: `eventName` → `rpc.method`; **event action**, not target — should also populate `event.action` (classic `aws.cloudtrail` L1105–1108) |
+| `rpc.system` | 3 | general (api_event_class) | yes (OTel) | yes | context-only | no | OTel README: `eventType` → `rpc.system`; dashboard "Event Types" |
+| `aws.resources[]` | 2 | general (aws_resource) | yes (OTel) | yes | `service.target.entity.id` / `entity.target.id` | yes | OTel README: CloudTrail `resources[]` array with ARN/type/accountId; canonical Layer 2 target |
+| `aws.request.parameters` | 2–3 | general (request_payload) | yes (OTel) | partial | `service.target.entity.id` | yes | OTel README; nested map — resource identity operation-dependent |
+| `aws.response.elements` | 2–3 | general (response_payload) | yes (OTel) | partial | `service.target.entity.id` | yes | OTel README; often carries created resource ARNs on mutating calls |
+| `aws.request_id` | 3 | general (api_request) | yes (OTel) | yes | context-only | no | OTel README: `requestID` → `aws.request_id` |
+| `aws.cloudtrail.event_id` | 3 | general (api_request) | yes (OTel) | yes | context-only | no | OTel README: `eventID` → `aws.cloudtrail.event_id` |
+| `cloud.region` | — | general (aws_region) | yes (OTel) | yes | context-only | no | OTel README: `awsRegion` → `cloud.region` |
+| `cloud.account.id` | — | general (aws_account) | yes (OTel) | yes | context-only | no | OTel README: `recipientAccountId` → `cloud.account.id`; event recipient account |
+| `cloud.service.name` | 1 | service | no | n/a | `service.target.name` | yes | Not set by OTel CloudTrail mapping; Layer 1 gap vs classic integrations |
+| `server.address` | — | general (dns_host) | partial | partial | context-only | no | OTel README: `tlsDetails.clientProvidedHostHeader`; TLS context only |
+| `user.target.*` / `host.target.*` / `service.target.*` / `entity.target.*` | — | — | no | n/a | — | yes (downstream) | Not populated; classic `aws.cloudtrail` pipeline sets these via entity enrichment |
+| `destination.user.*` / `destination.host.*` | — | — | no | n/a | — | no | Not used |
+
+### Gaps and mapping notes
+
+- **`event.action` gap (primary):** OTel maps CloudTrail `eventName` → `rpc.method` but does **not** set ECS `event.action`. Classic `aws.cloudtrail` sets `event.action: '{{{json.eventName}}}'` (`default.yml` L1105–1108). Enhancement: downstream ingest copy `rpc.method` → `event.action`, or extend OTel encoding to emit both fields.
+- **No Elastic ingest pipeline or fixtures:** Actor/target/action ECS quality depends entirely on OTel `awslogsencodingextension` defaults. Cannot verify `Mapping correct?` beyond OTel README semantics, classic `aws.cloudtrail` parity, and dashboard field usage.
+- **Dashboard field emphasis vs full schema:** Bundled ES\|QL uses `rpc.service`, `rpc.method`, `rpc.system`, `aws.access_key.id`, `aws.error.code`, `user_agent.original`, and `source.address` — not `event.action`, `user.name`, `aws.principal.arn`, or `aws.resources`. IAM and resource investigations require querying OTel-mapped fields directly or extending dashboards. +- **Layer 1 gap:** `rpc.service` holds the invoked AWS API endpoint (e.g. `iam.amazonaws.com`) but OTel does not set `cloud.service.name`. Enhancement: derive short service name from `rpc.service` or add downstream ingest normalization. +- **Layer 2 not in official target fields:** `aws.resources[]` semantically represents affected AWS resources but remains vendor/OTel namespace only. Classic `aws.cloudtrail` promotes resource ARNs to `service.target.entity.id` / `user.target.entity.id` via ingest pipeline entity enrichment — absent on OTel path. +- **No Security Solution entity enrichment:** Classic pipeline sets `user.entity.id`, `service.entity.id`, `user.target.entity.id`, `related.entity`, etc. (`packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml`). OTel path has no equivalent; `target_enhancement_packages.csv` = **none** for all buckets. +- **No de-facto `destination.*` targets:** Unlike email/auth integrations, CloudTrail does not map affected users/hosts to `destination.user.*` or `destination.host.*`. +- **Optional `aws.user_identity` prefix:** OTel feature gate `extension.awslogsencoding.cloudtrail.enable.user.identity.prefix` moves `aws.principal.*` and `aws.access_key.id` under `aws.user_identity.*` — field paths differ but semantics unchanged. +- **Digest records:** Separate record type with `aws.cloudtrail.digest.*` metadata; no `userIdentity`, `eventName`, or per-event action. Treat as integrity telemetry, not API audit events. 
+- **Correlate with classic integration:** For `event.action`, entity visualization, and typed target buckets, use classic **`aws.cloudtrail`** post-ingest enrichment or add downstream ingest processors on `aws.cloudtrail.otel` indices. + +### Per-stream notes + +#### aws.cloudtrail.otel + +Single dataset for CloudTrail management and data events ingested via ECF for AWS or standalone OTel collector (`awss3receiver` + `awslogsencodingextension` format `cloudtrail`). OTel maps `userIdentity` → `user.*` / `aws.principal.*` / `aws.access_key.id`, `eventName` → **`rpc.method`** (not `event.action`), and `resources[]` → `aws.resources`. **`event.action` is absent** — query `rpc.method` for operation names (e.g. `AttachUserPolicy`, `GetCallerIdentity`); dashboard "Top Services and Operations" already groups by `rpc.service` + `rpc.method`. Actor is best interpreted as **user** (IAM, assumed role, federated) or **service** (AWS service principal); supplementary **host** (client IP) and **general** facets (access key, user agent). Target is Layer 1 **invoked AWS API** (`rpc.service`), Layer 2 **affected resource** (`aws.resources`, request/response maps), and Layer 3 **request instance** (`aws.request_id`, `aws.cloudtrail.event_id`). + +#### Digest records + +CloudTrail log-file validation digests mapped to `aws.cloudtrail.digest.*` (S3 bucket/object, time bounds, log file hashes). No `eventName`, **`event.action`**, or `userIdentity` — integrity verification only; actor/target audit semantics do not apply. + +## Example Event Graph (illustrative — no package fixtures) + +**Package type: assets-with-sibling** — `packages/aws_cloudtrail_otel/` ships Kibana dashboards only (no `data_stream/`, no `sample_event.json`, no ingest pipelines). 
CloudTrail records are ingested **outside** this package via ECF for AWS or a standalone OpenTelemetry Collector (`awslogsencodingextension`, `format: cloudtrail`); bundled dashboards query customer indices filtered to **`aws.cloudtrail.otel`** (dashboard control literal — Tier B). + +Patterns below are **field/schema illustrations** from dashboard ES|QL (Tier B) or **sibling stand-in** field layouts from `packages/aws/data_stream/cloudtrail/` (OTel README maps the same CloudTrail JSON at collection time). They are **not** single indexed documents. Do **not** treat dashboard JSON as fixtures. + +**Common-sense check (read aloud):** IAM admin attaches policy to a **different** user; STS identity lookup targets the **STS API service**, not the caller's home account; S3 upload targets the **object resource**, not the uploader. + +Digest records (`aws.cloudtrail.digest.*`) have no per-event actor/action/target chain — omitted. + +### Pattern 1: Dashboard — API volume by service and operation + +**Log type:** `aws.cloudtrail.otel` (index `logs*`, dashboard filter) · **Evidence:** `packages/aws_cloudtrail_otel/kibana/dashboard/aws_cloudtrail_otel-9bfbe31c-e775-4ee4-9e34-a449e603d109.json` (Tier B) + +``` +Principal (aws.access_key.id) → API call (rpc.method grouped with rpc.service) → invoked AWS API (rpc.service) +``` + +Example one-liner (field paths only): + +``` +principal (aws.access_key.id) → API operation (rpc.method) → invoked AWS API (rpc.service) +``` + +#### Actor (schema) + +| Field | Source in indexed data (not a sample value) | +| --- | --- | +| type | user — from `aws.access_key.id` (Access Key Activity panel ES\|QL) | +| type | host — supplementary from `source.address` (overview datatable column alongside RPC fields) | + +#### Event action (schema) + +| Field | Source | +| --- | --- | +| action | derived label from `rpc.method` (CloudTrail `eventName` on OTel path) | +| source_field | `rpc.method` | +| source_value | — (no operation literals in dashboard 
JSON; aggregate only) | + +**Not mapped to ECS `event.action` today** — OTel maps `eventName` → `rpc.method` only. + +#### Target (schema) + +| Field | Source in indexed data (not a sample value) | +| --- | --- | +| type | service — Layer 1 invoked API from `rpc.service` (Top Services and Operations ES\|QL: `STATS … BY rpc.service, rpc.method`) | + +### Pattern 2: Dashboard — success vs failure outcome + +**Log type:** `aws.cloudtrail.otel` · **Evidence:** same dashboard JSON (Tier B) + +``` +API caller context (implicit) → outcome (aws.error.code present or absent) → API error taxonomy (aws.error.code) +``` + +Example one-liner: + +``` +principal (not named in panel ES\|QL) → Fail/Success (CASE on aws.error.code) → error code (aws.error.code) +``` + +#### Actor (schema) + +| Field | Source in indexed data (not a sample value) | +| --- | --- | +| — | Dashboard outcome panel does not group by `aws.principal.*` or `user.name` | + +#### Event action (schema) + +| Field | Source | +| --- | --- | +| action | `Fail` or `Success` | +| source_field | `aws.error.code` | +| source_value | `Fail` / `Success` (dashboard `EVAL` literals only — not CloudTrail `eventName`) | + +#### Target (schema) + +| Field | Source in indexed data (not a sample value) | +| --- | --- | +| type | general — outcome metadata; `aws.error.code` values ranked in Error Codes panel | + +### Pattern 3: Sibling stand-in — IAM policy attachment (OTel field layout) + +**Log type:** `aws.cloudtrail.otel` (expected after OTel encoding) · **Evidence:** `packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-policy-json.log-expected.json` (**sibling stand-in** — classic Agent ingest shape; OTel maps `userIdentity` → `aws.principal.*` / `user.name`, `eventName` → `rpc.method`, `requestParameters.userName` → `aws.request.parameters.userName`) + +``` +Assumed role (aws.principal.arn, aws.principal.type) → AttachUserPolicy (rpc.method) → IAM user (aws.request.parameters.userName) +``` + 
+**Read-aloud:** assumed-role session attaches a policy to **another** IAM user — not a self-referential target. + +#### Actor (schema) + +| Field | Source in indexed data (not a sample value) | +| --- | --- | +| id | `aws.principal.arn` | +| name | `aws.user_identity.session_context.issuer.user_name` (session issuer role name when `aws.principal.type` = `AssumedRole`) | +| type | user | +| sub_type | assumed_role — from `aws.principal.type` | + +#### Event action (schema) + +| Field | Source | +| --- | --- | +| action | `AttachUserPolicy` | +| source_field | `rpc.method` | +| source_value | `AttachUserPolicy` (literal from sibling `event.original` / classic `event.action`; OTel uses `rpc.method`) | + +#### Target (schema) + +| Field | Source in indexed data (not a sample value) | +| --- | --- | +| id | `aws.request.parameters.userName` | +| type | user | +| sub_type | aws_iam_user | +| type | service — Layer 1 `rpc.service` = `iam.amazonaws.com` (invoked API, parallel to user target) | + +### Pattern 4: Sibling stand-in — STS GetCallerIdentity (OTel field layout) + +**Log type:** `aws.cloudtrail.otel` · **Evidence:** `packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-caller-identity-json.log-expected.json` (**sibling stand-in**) + +``` +IAM user (aws.principal.arn, user.name) → GetCallerIdentity (rpc.method) → STS API (rpc.service) +``` + +**Read-aloud:** user looks up caller identity against **STS** — not `cloud.account.id` / recipient account (tenancy scope only). 
+ +#### Actor (schema) + +| Field | Source in indexed data (not a sample value) | +| --- | --- | +| id | `aws.principal.arn` | +| name | `user.name` | +| type | user | + +#### Event action (schema) + +| Field | Source | +| --- | --- | +| action | `GetCallerIdentity` | +| source_field | `rpc.method` | +| source_value | `GetCallerIdentity` (sibling stand-in literal) | + +#### Target (schema) + +| Field | Source in indexed data (not a sample value) | +| --- | --- | +| id | `rpc.service` (e.g. `sts.amazonaws.com` from CloudTrail `eventSource`) | +| type | service | +| sub_type | aws_api | + +### Pattern 5: Sibling stand-in — S3 PutObject (OTel field layout) + +**Log type:** `aws.cloudtrail.otel` · **Evidence:** `packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-object-json.log-expected.json` (**sibling stand-in**) + +``` +IAM user (aws.principal.arn, user.name) → PutObject (rpc.method) → S3 object (aws.resources[].arn) +``` + +**Read-aloud:** user uploads data to an **S3 object** — not to themselves or only the bucket account ID. 
+ +#### Actor (schema) + +| Field | Source in indexed data (not a sample value) | +| --- | --- | +| id | `aws.principal.arn` | +| name | `user.name` | +| type | user | + +#### Event action (schema) + +| Field | Source | +| --- | --- | +| action | `PutObject` | +| source_field | `rpc.method` | +| source_value | `PutObject` (sibling stand-in literal) | + +#### Target (schema) + +| Field | Source in indexed data (not a sample value) | +| --- | --- | +| id | `aws.resources[].arn` | +| type | general | +| sub_type | aws_resource | +| type | service — Layer 1 `rpc.service` = `s3.amazonaws.com` | + +## ES|QL Entity Extraction + +**Package type: assets-with-sibling** — field paths inferred from bundled dashboard ES|QL (Tier B), OTel CloudTrail mapping semantics (OTel Collector Contrib README, v0.138.0 per package README), and **sibling evidence** from `packages/aws/data_stream/cloudtrail/` fixtures where README-compatible OTel field layout applies. This package defines **no** Elastic Agent data streams, ingest pipelines, or test fixtures in-repo. + +**Router:** `data_stream.dataset == "aws.cloudtrail.otel"` — from `manifest.yml` `discovery.datasets` and CloudTrail Logs Overview dashboard filter control, **not** from Agent `policy_templates` / `data_stream/` entries. **`event.action` is absent** on the OTel path; use **`rpc.method`** for operation routing and as the `event.action` fallback. Digest records (`aws.cloudtrail.digest.*`) excluded. + +**Array constraint:** `aws.resources` is a CloudTrail array of objects `[{arn, type, accountId}]`. ES|QL flattens this to a multi-value field `aws.resources.arn`. Array indexing (`aws.resources[0].arn`) is **invalid ES|QL syntax**. The sibling fixture `test-put-object-json.log-expected.json` confirms that a single S3 PutObject event produces **two** resource entries (`AWS::S3::Object` and `AWS::S3::Bucket`) with no guaranteed ordering — `MV_FIRST(aws.resources.arn)` is therefore ambiguous. 
`entity.target.id` from `aws.resources.arn` is **ingest-only** for S3 events. + +### Dataset inventory + +| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction | +| --- | --- | --- | --- | --- | +| `aws.cloudtrail.otel` | API audit (management/data) | user, host, service | user, service, general | partial (Tier B + sibling evidence) | +| `aws.cloudtrail.digest.*` | log-file integrity | — | — | none | + +### Field mapping plan + +#### Actor mappings + +| Output column | Source field(s) | Condition | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `user.id` | `aws.principal.arn` | `data_stream.dataset == "aws.cloudtrail.otel" AND aws.principal.type IN ("IAMUser", "AssumedRole", "FederatedUser", "Root", "IdentityCenterUser")` | medium | **vendor fallback** when ECS `user.id` empty; ARN is canonical principal identifier; sibling evidence | +| `user.name` | `aws.user_identity.session_context.issuer.user_name` | `data_stream.dataset == "aws.cloudtrail.otel" AND aws.principal.type == "AssumedRole"` | low | **vendor fallback** — session issuer role name when `user.name` empty | +| `host.ip` | `source.address` | `data_stream.dataset == "aws.cloudtrail.otel"` | medium | **vendor fallback** — OTel `sourceIPAddress` → `source.address`; dashboard datatable (Tier B) | +| `service.name` | `aws.user_identity.invoked_by` | `data_stream.dataset == "aws.cloudtrail.otel" AND aws.principal.type == "AWSService"` | low | **vendor fallback** — service-principal caller name when `service.name` empty | + +**Detection predicate:** standard `actor_exists` (ECS user/host/service/entity columns only). `aws.principal.arn` is intentionally **not** in `actor_exists` so ARN can populate `user.id` when ECS user columns are empty. 
+ +#### Target mappings + +| Output column | Source field(s) | Condition | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `service.target.name` | `rpc.service` | `data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method == "GetCallerIdentity"` | medium | **fallback** — STS API as Layer 1 target; sibling evidence Pattern 4 | +| `service.target.name` | `rpc.service` | `data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method IN ("PutObject", "GetObject")` | medium | **fallback** — S3 API as Layer 1 target | +| `user.target.id` | `aws.request.parameters.userName` | `data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method == "AttachUserPolicy"` | medium | **fallback** — sibling evidence (`test-attach-user-policy-json.log-expected.json`) | +| `user.target.name` | `aws.request.parameters.userName` | `data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method == "AttachUserPolicy"` | medium | **fallback** — sibling evidence | +| `entity.target.id` | `aws.resources.arn` (multi-value) | S3 PutObject/GetObject | — | **ingest-only** — sibling fixture shows two resources per S3 event (Object + Bucket); `MV_FIRST` ordering not guaranteed; cannot reliably identify correct ARN at query time | + +#### Event action mappings + +| Output column | Source field(s) | Condition | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `event.action` | `rpc.method` | `data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method IS NOT NULL` | high | **vendor fallback** — CloudTrail `eventName` surrogate; absent at collection on OTel path | + +### Detection flags (mandatory) + +```esql +| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL 
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +``` + +**Semantics:** When `actor_exists` is true, actor output columns keep their current values (classic `aws.cloudtrail` entity enrichment or downstream ingest). When false, apply OTel vendor fallbacks. Same for `target_exists` / `action_exists`. OTel indices typically have empty `*.target.*` and `event.action`, so fallbacks apply. + +### Combined ES|QL — actor fields + +Column-level preserve: `CASE(col IS NOT NULL, col, cond AND src IS NOT NULL, src, null)`. + +```esql +| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset == "aws.cloudtrail.otel" AND aws.principal.type IN ("IAMUser", "AssumedRole", "FederatedUser", "Root", "IdentityCenterUser") AND aws.principal.arn IS NOT NULL, aws.principal.arn, + null + ), + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "aws.cloudtrail.otel" AND aws.principal.type == "AssumedRole" AND aws.user_identity.session_context.issuer.user_name IS NOT NULL, aws.user_identity.session_context.issuer.user_name, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "aws.cloudtrail.otel" AND source.address IS NOT NULL, source.address, + null + ), + service.name = CASE( + service.name IS NOT NULL, service.name, + data_stream.dataset == "aws.cloudtrail.otel" AND aws.principal.type == "AWSService" AND aws.user_identity.invoked_by IS NOT NULL, aws.user_identity.invoked_by, + null + ) +``` + +### Combined ES|QL — event action + +```esql +| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method IS NOT NULL, rpc.method, + null + ) +``` + +### Combined ES|QL — target fields + +Column-level preserve. 
For `entity.target.id` from `aws.resources.arn`: the sibling fixture `test-put-object-json.log-expected.json` shows **two** resources per S3 PutObject event (`AWS::S3::Object` and `AWS::S3::Bucket`) with no guaranteed ordering. `MV_FIRST(aws.resources.arn)` cannot reliably identify the S3 object ARN vs. the bucket ARN. `entity.target.id` is therefore **omitted** from the query-time EVAL and documented as ingest-only below. + +```esql +| EVAL + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method == "GetCallerIdentity" AND rpc.service IS NOT NULL, rpc.service, + data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method IN ("PutObject", "GetObject") AND rpc.service IS NOT NULL, rpc.service, + null + ), + user.target.id = CASE( + user.target.id IS NOT NULL, user.target.id, + data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method == "AttachUserPolicy" AND aws.request.parameters.userName IS NOT NULL, aws.request.parameters.userName, + null + ), + user.target.name = CASE( + user.target.name IS NOT NULL, user.target.name, + data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method == "AttachUserPolicy" AND aws.request.parameters.userName IS NOT NULL, aws.request.parameters.userName, + null + ) +``` + +### Full pipeline fragment (optional) + +Unscoped `FROM logs-*` — dataset routing in `CASE` fallback branches only (no `WHERE data_stream.dataset`): + +```esql +FROM logs-* +| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS 
NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset == "aws.cloudtrail.otel" AND aws.principal.type IN ("IAMUser", "AssumedRole", "FederatedUser", "Root", "IdentityCenterUser") AND aws.principal.arn IS NOT NULL, aws.principal.arn, + null + ), + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "aws.cloudtrail.otel" AND aws.principal.type == "AssumedRole" AND aws.user_identity.session_context.issuer.user_name IS NOT NULL, aws.user_identity.session_context.issuer.user_name, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "aws.cloudtrail.otel" AND source.address IS NOT NULL, source.address, + null + ), + service.name = CASE( + service.name IS NOT NULL, service.name, + data_stream.dataset == "aws.cloudtrail.otel" AND aws.principal.type == "AWSService" AND aws.user_identity.invoked_by IS NOT NULL, aws.user_identity.invoked_by, + null + ), + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method IS NOT NULL, rpc.method, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method == "GetCallerIdentity" AND rpc.service IS NOT NULL, rpc.service, + data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method IN ("PutObject", "GetObject") AND rpc.service IS NOT NULL, rpc.service, + null + ), + user.target.id = CASE( + user.target.id IS NOT NULL, user.target.id, + data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method == "AttachUserPolicy" AND aws.request.parameters.userName IS NOT NULL, aws.request.parameters.userName, + null + ), + user.target.name = CASE( + user.target.name IS NOT NULL, user.target.name, + data_stream.dataset == "aws.cloudtrail.otel" AND 
rpc.method == "AttachUserPolicy" AND aws.request.parameters.userName IS NOT NULL, aws.request.parameters.userName, + null + ) +| KEEP @timestamp, data_stream.dataset, event.action, rpc.method, rpc.service, user.id, user.name, host.ip, service.name, service.target.name, user.target.id, user.target.name +``` + +### Streams excluded + +- **Digest records** (`aws.cloudtrail.digest.*`) — integrity metadata only; no `userIdentity`, `rpc.method`, or actor/target extraction. + +### Gaps and limitations + +- **`entity.target.id` — ingest-only (array constraint):** `aws.resources` is a CloudTrail array of objects. ES|QL flattens it to multi-value `aws.resources.arn`. Array indexing (`aws.resources[0].arn`) is **not valid ES|QL syntax**. The sibling fixture `test-put-object-json.log-expected.json` shows **two** resources for a single PutObject event: `AWS::S3::Object` (`arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test.json`) and `AWS::S3::Bucket` (`arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket`). `MV_FIRST(aws.resources.arn)` ordering is not guaranteed — the S3 object ARN and bucket ARN cannot be reliably distinguished at query time. Populate `entity.target.id` via ingest pipeline (e.g., Painless script iterating `resources[]` by type) or use the classic `aws.cloudtrail` enrichment path which already sets `service.target.entity.id`. +- **Tier B ceiling** — dashboard ES|QL aggregates `rpc.service`, `rpc.method`, `rpc.system`, `aws.access_key.id`, `aws.error.code`, `user_agent.original`; it does not reference `aws.principal.arn`, `user.name`, or `aws.resources` — operation-specific `CASE` branches rely on **sibling evidence**, not package fixtures. +- **`event.action`** — absent at collection on OTel path; fallback copies `rpc.method` only when `action_exists` is false. +- **No Agent `data_stream/` definition** — router value `aws.cloudtrail.otel` from `discovery.datasets` + dashboard filter, not ingest-pipeline-verified. 
+- **Classic entity enrichment absent** — if downstream ingest populates `user.target.*` / `service.target.*`, `target_exists` preserves them; OTel-only indices rely on guarded fallbacks.
+- **`user.domain` / `user.email` / `host.target.*`** — no defensible OTel sources; omitted.
+- **`entity.id` for access keys** — `aws.access_key.id` is an actor facet; not mapped to `entity.id` to avoid conflating credential with principal.
diff --git a/dev/domain/p1/aws_securityhub.md b/dev/domain/p1/aws_securityhub.md
new file mode 100644
index 00000000000..af383cb5b18
--- /dev/null
+++ b/dev/domain/p1/aws_securityhub.md
@@ -0,0 +1,524 @@
+# aws_securityhub
+
+## Product Domain
+
+AWS Security Hub is a cloud security posture management (CSPM) and security findings aggregation service that provides a centralized view of security alerts and compliance status across an AWS organization. It collects, normalizes, and prioritizes findings from native AWS security services—Amazon GuardDuty (threat detection), Amazon Inspector (vulnerability assessment), Amazon Macie (sensitive data discovery), AWS Config (configuration compliance), AWS IAM Access Analyzer, and AWS Firewall Manager—as well as from third-party partner products integrated via the AWS Security Finding Format (ASFF) and the newer Open Cybersecurity Schema Framework (OCSF).
+
+Security Hub evaluates AWS resources against security standards and best-practice controls, including the AWS Foundational Security Best Practices standard, CIS AWS Foundations Benchmark, PCI DSS, and NIST frameworks. Findings are scored by severity, workflow status, and compliance state, enabling security teams to triage posture misconfigurations, active threats, vulnerabilities, and data-exposure risks from a single console. Automated response actions, custom insights, and cross-account aggregation (via delegated administrator) support enterprise-scale cloud security operations.
+
+From a SIEM perspective, Security Hub is the canonical aggregation point for AWS-native and partner security signals. Rather than integrating each AWS service separately, teams can ingest unified OCSF findings that retain source product context (GuardDuty, Inspector, Macie, Config rules, Security Hub controls) while sharing a common schema for severity, resource identity, remediation guidance, and compliance mapping.
+
+The Elastic AWS Security Hub integration ingests findings via the Security Hub REST API (`GetFindingsV2`) and normalizes them to ECS-aligned fields for search, dashboards, cloud security workflows, and vulnerability management in Elastic Security.
Elasticsearch latest transforms deduplicate findings and surface current vulnerability posture for CDR views. + +## Data Collected (brief) + +The integration collects one data stream via **CEL/AWS API** (`securityhub:GetFindings` on `/findingsv2`): + +| Data stream | Description | +|---|---| +| **finding** (`aws_securityhub.finding`) | Security Hub findings in **OCSF format**—compliance/posture results (Security Hub controls, AWS Config rules), **vulnerability findings** (Amazon Inspector CVEs with CVSS, package, and remediation context), and threat/detection findings from GuardDuty and partner products. Includes severity, status, affected AWS resources, compliance standards/controls, remediation references, actor/evidence/malware/attack/OSINT objects where present, and vendor source metadata. | + +Events are mapped to ECS fields (`cloud`, `resource`, `rule`, `vulnerability`, `threat`, `result`) with full OCSF detail under `aws_securityhub.finding.*`. **Latest transforms** maintain deduplicated finding state and a vulnerability-latest index for Elastic Security cloud CDR and vulnerability workflows. + +## Expected Audit Log Entities + +Single **`finding`** stream (`aws_securityhub.finding`) from Security Hub `GetFindingsV2` via CEL/API. Events are **OCSF security findings** (posture, vulnerability, and threat **state**), not platform audit logs such as CloudTrail API activity. Actor/target semantics still matter for CDR correlation and entity analytics. Fixtures cover **Compliance Finding** (`class_uid: 2003`) and **Vulnerability Finding** (`class_uid: 2002`) only; the pipeline also accepts **Detection Finding** (`2004`) and **Incident Finding** (`2006`) with `actor`/`device`/`malware`/`attacks` objects, but those classes are absent from package tests. 
No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*` are populated; no `destination.user.*` / `destination.host.*` in pipelines (`destination_identity_hits.csv` has no aws_securityhub row). Target-fields audit classifies this package as **`none`** with no tier-A ECS target mappings (`dev/target-fields-audit/out/target_enhancement_packages.csv`). + +**`event.action` is populated on the finding stream** — OCSF finding lifecycle verbs `Create` and `Update` from `aws_securityhub.finding.activity_name` (`default.yml` L1161–1165). These describe finding record create/update, not the underlying security operation (compliance check, CVE scan, threat detection). Elasticsearch transforms reference `activity_id: 3` (Close) for vulnerability deduplication but that value is absent from pipeline fixtures. + +Evidence: `packages/aws_securityhub/data_stream/finding/sample_event.json`, `finding/_dev/test/pipeline/test-findings.log-expected.json`, `finding/elasticsearch/ingest_pipeline/default.yml`, `pipeline_object_actor.yml`, `pipeline_object_resources.yml`, `finding/fields/fields.yml`. + +### Event action (semantic) + +| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | +| `Create` | finding_lifecycle | high | `event.action: Create` with `activity_id: 1` in compliance and vulnerability fixtures (`test-findings.log-expected.json`, `sample_event.json`) | **`finding`** — new Security Hub finding record (first observation of control failure, new CVE, etc.) | +| `Update` | finding_lifecycle | high | `event.action: Update` with `activity_id: 2` on resynced Inspector CVEs and updated compliance findings | **`finding`** — finding metadata or status refreshed; not a distinct security operation replay | + +Detection/incident classes (`2004`/`2006`) would use the same OCSF activity mapping when present; no fixtures today. 
**`activity_id: 3` (Close)** is referenced in `latest_cdr_vulnerabilities/transform.yml` for deduplication but not exercised in pipeline tests. + +The mapped action is **finding lifecycle**, not evaluator behavior. Compliance evaluation (`AWS::Config::ConfigRule`), vulnerability scanning (`Inspector`), and threat detection (`GuardDuty`) are identified by `metadata.product.name`, `finding_info.analytic.*`, and `class_name` — not by `event.action`. + +### Event action (ECS candidates) + +| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence | +| --- | --- | --- | --- | --- | --- | +| `aws_securityhub.finding.activity_name` → `event.action` | yes | partial | `Create`, `Update` | no | `default.yml` L1161–1165 `copy_from`; vendor field removed L2016 unless `preserve_duplicate_custom_fields` tag (fixtures retain both) | +| `aws_securityhub.finding.activity_id` | no | n/a | `1` (Create), `2` (Update) | no | Numeric OCSF activity ID; paired with `activity_name` | +| `aws_securityhub.finding.type_name` | no | n/a | `Compliance Finding: Create`, `Vulnerability Finding: Update` | partial | Composite class + activity; vendor-only in fixtures | +| `aws_securityhub.finding.class_name` | no | n/a | `Compliance Finding`, `Vulnerability Finding` | partial | Finding class/type — not a verb; complements `event.action` | +| `aws_securityhub.finding.action` / `.action_id` | no | n/a | — (absent from fixtures) | partial | OCSF control/policy disposition action per `fields.yml`; distinct from finding `activity_*` | +| `finding_info.analytic.category` | no | n/a | `AWS::Config::ConfigRule` | partial | Evaluator type on compliance findings — describes who evaluated, not lifecycle verb | +| `compliance.control` / `rule.id` | no | n/a | `SQS.3`, `SSM.1` | partial | Security control evaluated — Layer 3 artifact, not `event.action` | +| `result.evaluation` | no | n/a | `passed`, `failed`, 
`unknown` | no | Control/check outcome; maps to `result.evaluation`, not action | +| `event.type` / `event.category` / `event.kind` | n/a (downstream) | yes | `info`; `vulnerability` (class 2002); `state` or `alert` (2004/2006) | no | Event taxonomy — do not substitute for `event.action` | + +**Step 2b — per-stream check:** + +| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `finding` | yes | yes | `aws_securityhub.finding.activity_name` → `event.action` | high | `default.yml` L1161–1165; all 10 events in `test-findings.log-expected.json` (`Create` × 5, `Update` × 5); `sample_event.json` | + +### Actor (semantic) + +| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | +| Security Hub / AWS Config rule evaluator | service | — | high | `metadata.product.name: "Security Hub"`, `finding_info.analytic.category: "AWS::Config::ConfigRule"`, `event.kind: state` | **Compliance Finding** (`2003`) — automated posture check; no `actor` object in fixtures | +| Amazon Inspector vulnerability scanner | service | — | high | `metadata.product.name: "Inspector"`, `vulnerability.scanner.vendor: "Inspector"` | **Vulnerability Finding** (`2002`) — automated scan; no interactive principal | +| GuardDuty / partner threat actor (OCSF `actor`) | user | — | low | Pipeline invokes `pipeline_object_actor.yml` when `actor` present; appends `actor.user.*` / `actor.process.auid`/`euid` → `related.user` only — **not** observed in fixtures | **Detection / Incident Finding** (`2004`/`2006`) — inferred from schema; IAM user, assumed role, or process identity | +| Threat actor process / session host | host | — | low | `device.*` → `related.hosts` / `related.ip`; `pipeline_object_device.yml` when `device` present | Detection/incident only; absent from current fixtures | +| Finding assignee (workflow 
owner) | user | — | low | `assignee.*` appended to `related.user` (`default.yml`); vendor-only otherwise | Not the evaluator of the control/CVE — SOC workflow context | +| Resource / device owner | user | — | low | `resources[].owner.*`, `device.owner.*` → `related.user` | Owner of affected asset, not finding author | + +**No actor in fixtures:** All 10 pipeline test events (compliance + vulnerability) omit `aws_securityhub.finding.actor` and `device`. Evaluation is implied by the source product (`Security Hub`, `Inspector`). + +### Actor (ECS candidates) + +| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `aws_securityhub.finding.metadata.product.name` | Source product performing evaluation | no (vendor-only) | n/a | high | `"Security Hub"` (controls), `"Inspector"` (CVEs) — canonical actor service identity | +| `aws_securityhub.finding.actor.user.*` | OCSF threat/principal identity | no (vendor-only) | n/a | low | Schema in `fields.yml`; pipeline normalizes types but never maps to `user.*` | +| `aws_securityhub.finding.actor.process.auid` / `.euid` | Process actor IDs | partial | partial | low | Appended to `related.user` only (`default.yml` append processors) | +| `related.user` (from `actor.*`, `assignee.*`, `device.owner.*`, `resources.owner.*`) | Actor + owner enrichment bag | yes | partial | medium | Mixes threat actors, assignees, and resource owners in one array — not structured actor fields | +| `user.*` | Security principal | no | n/a | high | No `user.id`/`user.name` from `actor` in pipeline; only `user.id` when resource type is `AWS::IAM::User` (target, not actor) | +| `observer.vendor` | Aggregation platform | yes | yes (context) | high | Static `"AWS Security Hub"` — collector/aggregator, not finding actor | +| `organization.name` | Vendor org | yes | yes (scope) | high | `metadata.product.vendor_name` → `"AWS"` — tenancy context, not actor | +| `cloud.account.id` | AWS 
account scope | yes | yes (scope) | high | `finding.cloud.account.uid` — evaluation scope, not actor | +| `event.provider` | Log/source product label | yes | yes (context) | medium | `metadata.log_provider` or `metadata.product.vendor_name` | +| `vulnerability.scanner.vendor` | Scanner product | yes | yes (context) | high | `"Inspector"` on vulnerability fixtures — reinforces service actor | + +### Target (semantic) + +| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | --- | --- | +| 1 — Platform / cloud service | Product that generated or evaluated the finding | AWS Security Hub; Amazon Inspector | service | — | high | `metadata.product.name`; `vulnerability.scanner.vendor` | Layer 1 is the **finding source**, not `cloud.service.name` (which holds CFN resource type — see Gaps) | +| 2 — Resource / object | AWS resource under evaluation or with the vulnerability | EC2 instance, SQS queue, Lambda function, AWS account | host / service / general | cloud_resource | high | `script_extract_fields_from_resource` promotes primary `resources[]` entry → `resource.*`, type-specific `host.*`/`user.id`/`group.id`/`orchestrator.*` | Type-dependent: EC2 → **host**; Lambda → **service**; SQS/account → **general** | +| 3 — Content / artifact | Control, CVE, or affected package on the asset | Security Hub control; CVE; OS/package | general | security_control, cve, software_package | high | `rule.id`/`rule.name` (compliance); `vulnerability.id`/`package.*` (Inspector) | CVE/package describe finding **content** on Layer 2 asset — not standalone audit targets | + +### Target (ECS candidates) + +| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `resource.id` / `resource.type` | 2 | general | yes | yes | `entity.target.id` / `.type` | yes | Primary resource from `resources[].uid`/`type` — SQS URL, instance id, Lambda name, account id | +| `host.id` / `host.name` / `host.ip` / `host.type` | 2 | host | yes (EC2 only) | yes | `host.target.*` | yes | `AWS::EC2::Instance` — e.g. SSM.1 `i-abcd1235cdef1234`, CVE fixtures with EC2 IPs | +| `cloud.service.name` | 2 | general | yes | partial | `entity.target.type` or `service.target.name` | yes | Set from `resources[].type` (CFN type e.g. `AWS::EC2::Instance`) — **not** the Layer 1 scanning product | +| `cloud.instance.id` / `cloud.machine.type` | 2 | host | yes (EC2) | yes | `host.target.*` (context) | yes | EC2 detail from `awsEc2InstanceDetails` | +| `orchestrator.cluster.name` / `.id` | 2 | general | yes | yes | context-only | no | EKS tag `aws:eks:cluster-name` or `AWS::EKS::Cluster` resource | +| `user.id` | 2 | user | partial | yes (when IAM User resource) | `user.target.id` | yes | Only when `resources[].type == AWS::IAM::User` — not in current fixtures | +| `group.id` | 2 | general | partial | yes (when IAM Group resource) | `entity.target.id` | yes | `AWS::IAM::Group` path in resource script — not in current fixtures | +| `rule.id` / `rule.name` / `rule.description` | 3 | general | yes | yes (control context) | context-only | no | Compliance controls `SQS.3`, `SSM.1`, `Redshift.3` — evaluated rule, distinct from resource | +| `result.evaluation` | 3 | general | yes | yes | context-only | no | `passed`/`failed`/`unknown` from `compliance.status_id` | +| `vulnerability.id` / `vulnerability.cve` | 3 | general | yes | yes (finding content) | context-only | no | CVE IDs on Inspector findings — artifact on asset, not entity target | +| `package.name` / `package.version` | 3 | general | yes | yes (finding content) | context-only | no | Affected packages on EC2/Lambda CVE fixtures | +| 
`aws_securityhub.finding.resources[]` | 2 | varies | partial | n/a | `entity.target.*` / `host.target.*` | yes | Full resource array with `data.awsEc2InstanceDetails`, `awsLambdaFunctionDetails`, tags, owner — only primary promoted to ECS | +| `aws_securityhub.finding.resources[].owner.*` | 2 | user | no | n/a | `user.target.*` | yes | Appended to `related.user` only; Lambda fixture owner account in vendor tree | +| `related.user` (resource/device owners) | 2 | user | partial | partial | `user.target.*` | yes | Owner UIDs/names in enrichment bag — de-facto target identity, not `user.target.*` | +| `related.ip` / `related.hosts` | 2 | host | partial | yes (enrichment) | context-only | no | EC2 IPs and hostnames from resources/device | + +### Gaps and mapping notes + +- **`event.action` maps finding lifecycle only** — `activity_name` (`Create`/`Update`) correctly reflects OCSF finding activity but not the security operation (compliance check, CVE scan, GuardDuty detection). For richer action semantics, consider a composite or alternate field such as `compliance.control`, `class_name`, or `finding_info.analytic.category` — none are copied to `event.action` today. +- **No ECS `*.target.*` today** — primary resource maps to `resource.*`/`host.*`/`user.id` but not official target fields. Target-fields audit: **`none`**, all enhancement flags false. +- **`cloud.service.name` conflates Layer 1 and Layer 2** — pipeline sets it from `resources[].type` (CFN type like `AWS::SQS::Queue`), while Layer 1 source product (`Inspector`, `Security Hub`) stays vendor-only under `metadata.product.name`. Enhancement: separate scanning product (`service.target.*`) from affected resource type. +- **Actor identity only in `related.user`** — `actor.user.*` never promotes to `user.*`; threat-actor semantics require parsing `related.user` or vendor `aws_securityhub.finding.actor.*`. 
+- **`user.id` from IAM User resource is a target, not actor** — resource script maps `AWS::IAM::User` → `user.id` for the evaluated object. +- **No `destination.user.*` / `destination.host.*`** — not used; resource/host targets are direct ECS fields or vendor `resources[]`. +- **Multi-resource findings** — only sole resource or `labels` containing `primary_resource` is promoted; additional resources remain vendor-only (`default.yml` comment). +- **`actor`/`device`/GuardDuty objects unverified** — pipelines exist for classes `2004`/`2006` but no fixture coverage; classifications above for detection/incident are schema-inferred. +- **Vendor `analysis_targets`** — `aws_securityhub.finding.anomaly_analyses.analysis_targets` in `fields.yml` flagged in `vendor_target_special_cases.csv`; not mapped to ECS and not in fixtures. +- **OCSF `action_id`/`action` unused** — separate from `activity_id`/`activity_name`; describes control disposition per `fields.yml` but absent from fixtures and not mapped to ECS. + +### Per-stream notes + +#### `finding` — Compliance Finding (`class_uid: 2003`) + +Posture/state events (`event.kind: state`). **`event.action`**: `Create` (new control result) or `Update` (resynced evaluation). Actor is the automated Security Hub/Config evaluator (service). Targets: evaluated AWS resource (`AWS::SQS::Queue` for SQS.1/SQS.3, `AWS::EC2::Instance` for SSM.1, `AWS::::Account` for Redshift.3 empty evaluation) plus Layer 3 control (`rule.id`). Outcome in `result.evaluation`. + +#### `finding` — Vulnerability Finding (`class_uid: 2002`) + +Vulnerability/state events (`event.category: vulnerability`, `event.kind: state`). **`event.action`**: `Create` (first Inspector observation) or `Update` (CVE resync). Actor is Inspector scanner (service). Targets: affected asset — EC2 instances with `host.*` and EKS cluster tags, or Lambda functions (`AWS::Lambda::Function` with `awsLambdaFunctionDetails` vendor-only). Layer 3: CVE + affected `package.*`. 
`transform_unique_id` set for deduplication transforms (skipped when `activity_id: 3` Close). + +## Example Event Graph + +All examples come from the single **`finding`** stream (`aws_securityhub.finding`). These are OCSF security **findings** (posture and vulnerability state), not CloudTrail-style platform audit logs. `event.action` reflects finding record lifecycle (`Create`/`Update`), not the underlying Config evaluation or Inspector scan operation. + +### Example 1: SQS queue passes public-access control + +**Stream:** `aws_securityhub.finding` · **Fixture:** `packages/aws_securityhub/data_stream/finding/sample_event.json` + +``` +Security Hub (service) → Create finding → SQS queue (evaluated resource) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | `arn:aws:securityhub:us-east-2::productv2/aws/securityhub` | +| name | Security Hub | +| type | service | + +**Field sources:** + +- `id` ← `aws_securityhub.finding.metadata.product.uid` +- `name` ← `aws_securityhub.finding.metadata.product.name` + +#### Event action + +| Field | Value | +| --- | --- | +| action | Create | +| source_field | `event.action` | +| source_value | `Create` | + +`Create` is the OCSF finding lifecycle verb (`activity_name`) — Security Hub records a new finding about the queue, not an SQS `CreateQueue` API call. 
+ +#### Target + +| Field | Value | +| --- | --- | +| id | `https://sqs.us-east-2.amazonaws.com/123456789012/securityhubfinding` | +| type | general | +| sub_type | cloud_resource | + +**Field sources:** + +- `id` ← `resource.id` (from `aws_securityhub.finding.resources[].uid`) +- `type` / `sub_type` ← `resource.type` (`AWS::SQS::Queue`) + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: Security Hub"] --> E["Create finding"] + E --> T["Target: securityhubfinding SQS queue"] +``` + +### Example 2: EC2 instance fails SSM management control + +**Stream:** `aws_securityhub.finding` · **Fixture:** `packages/aws_securityhub/data_stream/finding/_dev/test/pipeline/test-findings.log-expected.json` (SSM.1 Update event) + +``` +Security Hub (service) → Update finding → EC2 instance i-abcd1235cdef1234 (evaluated resource) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | `arn:aws:securityhub:us-east-2::productv2/aws/securityhub` | +| name | Security Hub | +| type | service | + +**Field sources:** + +- `id` ← `aws_securityhub.finding.metadata.product.uid` +- `name` ← `aws_securityhub.finding.metadata.product.name` + +#### Event action + +| Field | Value | +| --- | --- | +| action | Update | +| source_field | `event.action` | +| source_value | `Update` | + +`Update` is the OCSF finding lifecycle verb — Security Hub refreshes the compliance finding (`activity_id: 2`); `result.evaluation: failed` for control SSM.1. Not an EC2 configuration change. 
+ +#### Target + +| Field | Value | +| --- | --- | +| id | `i-abcd1235cdef1234` | +| name | `i-abcd1235cdef1234` | +| type | host | +| sub_type | cloud_resource | + +**Field sources:** + +- `id` ← `host.id`, `resource.id` (from `aws_securityhub.finding.resources[].uid`) +- `name` ← `host.name` +- `type` ← `resource.type` (`AWS::EC2::Instance`) + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: Security Hub"] --> E["Update finding"] + E --> T["Target: i-abcd1235cdef1234"] +``` + +### Example 3: Inspector resyncs CVE on EKS worker node + +**Stream:** `aws_securityhub.finding` · **Fixture:** `packages/aws_securityhub/data_stream/finding/_dev/test/pipeline/test-findings.log-expected.json` (CVE-2023-44487 Update event) + +``` +Inspector (service) → Update finding → EC2 instance i-0abcdef012345678b (affected asset) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | `arn:aws:securityhub:us-east-2::productv2/aws/inspector` | +| name | Inspector | +| type | service | + +**Field sources:** + +- `id` ← `aws_securityhub.finding.metadata.product.uid` +- `name` ← `aws_securityhub.finding.metadata.product.name`, `vulnerability.scanner.vendor` + +#### Event action + +| Field | Value | +| --- | --- | +| action | Update | +| source_field | `event.action` | +| source_value | `Update` | + +`Update` is the OCSF finding lifecycle verb — Inspector resyncs CVE finding `CVE-2023-44487`; not a new `RunInstances` or scan invocation against the host. 
+ +#### Target + +| Field | Value | +| --- | --- | +| id | `i-0abcdef012345678b` | +| name | `i-0abcdef012345678b` | +| type | host | +| sub_type | cloud_resource | +| ip | `10.90.1.245` | + +**Field sources:** + +- `id` ← `host.id`, `resource.id` +- `name` ← `host.name` +- `type` ← `resource.type` (`AWS::EC2::Instance`); `host.type`: `t3.medium` +- `ip` ← `host.ip[0]` (fixture lists 19 private addresses) + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: Inspector"] --> E["Update finding"] + E --> T["Target: i-0abcdef012345678b"] +``` + +## ES|QL Entity Extraction + +**Package type: agent-backed** (CEL/API, `policy_templates` + `data_stream/finding`). Router: **`data_stream.dataset`** (`aws_securityhub.finding` only). Tier A evidence from `sample_event.json` and `test-findings.log-expected.json`. OCSF security **findings** (posture/vulnerability state), not CloudTrail audit. Pass 4 is **fill-gaps-only**: detection flags first; mapped columns use **column-level** `CASE( IS NOT NULL, , …)` — valid **3-arg**, **5-arg**, or **7-arg** forms only — not `CASE(actor_exists|target_exists, , …)` and never **4-arg** `CASE( IS NOT NULL, , bare_field, null)` (bare field parses as a boolean condition). Actor fallback is the **evaluating source product** (`metadata.product.*`); target fallback promotes the **primary evaluated resource** from indexed `host.*` / `resource.*` into official `*.target.*` columns (ingest never sets `*.target.*` today). Extraction is **partial** — detection/incident classes (`2004`/`2006`) with OCSF `actor` are pipeline-supported but absent from fixtures. **Pass 4 (tautology cleanup):** no `CASE(col, col, …)` identity fallbacks; **`event.action` omitted from ES|QL** (ingest-only — `activity_name` → `event.action`, vendor field removed unless `preserve_duplicate_custom_fields`). 
+ +### Dataset inventory + +| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction | +| --- | --- | --- | --- | --- | +| `aws_securityhub.finding` | OCSF finding (compliance, vulnerability) | service | host, service, general | partial | + +### Field mapping plan + +#### Actor mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `service.id` | `aws_securityhub.finding.metadata.product.uid` | `data_stream.dataset == "aws_securityhub.finding"` | high | **vendor fallback** — product ARN; ingest does not set `service.id` today | +| `service.name` | `aws_securityhub.finding.metadata.product.name` | `data_stream.dataset == "aws_securityhub.finding"` | high | **vendor fallback** — `Security Hub`, `Inspector` | +| `service.type` | `"service"` | `data_stream.dataset == "aws_securityhub.finding"` | low | **semantic literal** — Pass 3 service actor; omit if literal unwanted | + +#### Target mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `host.target.id` | `host.id` | `data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::EC2::Instance"` | high | **de-facto fallback** — promote evaluated EC2 instance | +| `host.target.name` | `host.name` | `data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::EC2::Instance"` | high | **de-facto fallback** | +| `host.target.ip` | `host.ip` | `data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::EC2::Instance"` | high | **de-facto fallback** — `host.ip` is genuinely multi-valued (19 IPs per instance in fixtures); use full multi-value field, not `MV_FIRST` — all IPs belong to the same target EC2 instance; `host.target.ip` is also an ECS `ip` array field | +| `service.target.id` | `resource.id` | `data_stream.dataset == "aws_securityhub.finding" AND resource.type 
== "AWS::Lambda::Function"` | high | **de-facto fallback** — Lambda function name (fixture) | +| `user.target.id` | `user.id` | `data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::IAM::User"` | medium | **de-facto fallback** — evaluated IAM user; **not in fixtures** | +| `entity.target.id` | `resource.id` | `data_stream.dataset == "aws_securityhub.finding" AND resource.type NOT IN ("AWS::EC2::Instance", "AWS::Lambda::Function", "AWS::IAM::User")` | high | **de-facto fallback** — SQS URL, account id, etc. | +| `entity.target.type` | `resource.type` | `data_stream.dataset == "aws_securityhub.finding"` | high | **de-facto fallback** — CFN resource type | +| `entity.target.sub_type` | `"cloud_resource"` | `data_stream.dataset == "aws_securityhub.finding"` | low | **semantic literal** — Pass 3 general target sub_type | + +#### Event action mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `event.action` | — | — | high | **ingest-only — no ES\|QL** — `activity_name` → `event.action` (`default.yml` L1161–1165); vendor removed L2016 unless `preserve_duplicate_custom_fields` | + +### Detection flags (mandatory) + +`actor_exists` omits top-level `user.*` / `host.*` because ingest never promotes OCSF threat principals to ECS actor fields on fixture classes. `target_exists` checks official `*.target.*` only (ingest populates `host.*` / `resource.*`, not target namespace). **Actor/target `EVAL` blocks use column-level `IS NOT NULL` preserve** — not `CASE(actor_exists, service.id, …)` / `CASE(target_exists, host.target.id, …)` — so e.g. `entity.name` on a future detection row does not block `service.id` ← `metadata.product.uid` when `service.id` is empty (Pass 4 §10). + +**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. 
Use **5-arg** `CASE(service.id IS NOT NULL, service.id, data_stream.dataset == "…", aws_securityhub.finding.metadata.product.uid, null)` — not **3-arg** `CASE(actor_exists, service.id, aws_securityhub.finding.metadata.product.uid)` (`metadata.product.uid` is a **condition**, not a value) and not **4-arg** `CASE(actor_exists, service.id, aws_securityhub.finding.metadata.product.uid, null)`.
+
+```esql
+| EVAL
+ actor_exists = service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+### Combined ES|QL — actor fields
+
+```esql
+| EVAL
+ service.id = CASE(
+ service.id IS NOT NULL, service.id,
+ data_stream.dataset == "aws_securityhub.finding", aws_securityhub.finding.metadata.product.uid,
+ null
+ ),
+ service.name = CASE(
+ service.name IS NOT NULL, service.name,
+ data_stream.dataset == "aws_securityhub.finding", aws_securityhub.finding.metadata.product.name,
+ null
+ ),
+ service.type = CASE(
+ service.type IS NOT NULL, service.type,
+ data_stream.dataset == "aws_securityhub.finding", "service",
+ null
+ )
+```
+
+`event.action` is **not** listed — ingest-only on all fixture classes; `CASE(action_exists, event.action, activity_name)` would repeat the output column when populated or reference a vendor field removed at ingest.
+
+### Combined ES|QL — target fields
+
+`host.target.ip` uses `host.ip` directly (all values): fixtures show 19 IPs per EC2 instance from `awsEc2InstanceDetails.ipV4Addresses` — every IP belongs to the same target host, and `host.target.ip` is an ECS `ip` array.
`MV_FIRST(host.ip)` would discard all but the first IP with no benefit. `host.ip[0]` array indexing is **invalid ES|QL syntax** and must not be used.
+
+```esql
+| EVAL
+ host.target.id = CASE(
+ host.target.id IS NOT NULL, host.target.id,
+ data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::EC2::Instance", host.id,
+ null
+ ),
+ host.target.name = CASE(
+ host.target.name IS NOT NULL, host.target.name,
+ data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::EC2::Instance", host.name,
+ null
+ ),
+ host.target.ip = CASE(
+ host.target.ip IS NOT NULL, host.target.ip,
+ data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::EC2::Instance", host.ip,
+ null
+ ),
+ service.target.id = CASE(
+ service.target.id IS NOT NULL, service.target.id,
+ data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::Lambda::Function", resource.id,
+ null
+ ),
+ user.target.id = CASE(
+ user.target.id IS NOT NULL, user.target.id,
+ data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::IAM::User", user.id,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "aws_securityhub.finding"
+ AND resource.type != "AWS::EC2::Instance"
+ AND resource.type != "AWS::Lambda::Function"
+ AND resource.type != "AWS::IAM::User", resource.id,
+ null
+ ),
+ entity.target.type = CASE(
+ entity.target.type IS NOT NULL, entity.target.type,
+ data_stream.dataset == "aws_securityhub.finding", resource.type,
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "aws_securityhub.finding", "cloud_resource",
+ null
+ )
+```
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR
user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ service.id = CASE(
+ service.id IS NOT NULL, service.id,
+ data_stream.dataset == "aws_securityhub.finding", aws_securityhub.finding.metadata.product.uid,
+ null
+ ),
+ service.name = CASE(
+ service.name IS NOT NULL, service.name,
+ data_stream.dataset == "aws_securityhub.finding", aws_securityhub.finding.metadata.product.name,
+ null
+ ),
+ service.type = CASE(
+ service.type IS NOT NULL, service.type,
+ data_stream.dataset == "aws_securityhub.finding", "service",
+ null
+ ),
+ host.target.id = CASE(
+ host.target.id IS NOT NULL, host.target.id,
+ data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::EC2::Instance", host.id,
+ null
+ ),
+ host.target.name = CASE(
+ host.target.name IS NOT NULL, host.target.name,
+ data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::EC2::Instance", host.name,
+ null
+ ),
+ host.target.ip = CASE(
+ host.target.ip IS NOT NULL, host.target.ip,
+ data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::EC2::Instance", host.ip,
+ null
+ ),
+ service.target.id = CASE(
+ service.target.id IS NOT NULL, service.target.id,
+ data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::Lambda::Function", resource.id,
+ null
+ ),
+ user.target.id = CASE(
+ user.target.id IS NOT NULL, user.target.id,
+ data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::IAM::User", user.id,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "aws_securityhub.finding"
+ AND resource.type != "AWS::EC2::Instance"
+ AND resource.type != "AWS::Lambda::Function"
+ AND resource.type != "AWS::IAM::User", resource.id,
+ null
+ ),
+ entity.target.type = CASE(
+ entity.target.type IS NOT NULL, entity.target.type,
+ data_stream.dataset == "aws_securityhub.finding", resource.type,
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "aws_securityhub.finding", "cloud_resource",
+ null
+ )
+| KEEP @timestamp, data_stream.dataset, event.action, service.name, host.target.id, host.target.name, host.target.ip, service.target.id, entity.target.id, resource.type
+```
+
+### Streams excluded
+
+- None — single `finding` stream only; no metrics or inventory streams in this package.
+
+### Gaps and limitations
+
+- **`host.target.ip` multi-value reasoning** — `host.ip` is populated from `awsEc2InstanceDetails.ipV4Addresses` (19 IPs per instance in both EC2 fixtures). All IPs belong to the single target EC2 instance; dropping all but `MV_FIRST` would lose useful IP data. `host.ip` is assigned directly so all IPs are preserved in `host.target.ip`. `host.ip[0]` array indexing is **invalid ES|QL** and must not appear anywhere in the query.
+- **OCSF threat `actor.user.*`** — pipeline appends to `related.user` only; no fixture-backed `user.id` actor — omit `user.*` actor columns until detection/incident fixtures exist.
+- **`cloud.service.name`** — CFN resource type from `resources[].type`; do not use as `service.target.name` (Layer 1 product stays `metadata.product.name`).
+- **`event.action`** — finding lifecycle (`Create`/`Update`) only; not Config evaluation or Inspector scan invocation; **ingest-only — no ES|QL** (`activity_name` copied then removed L2016).
+- **Pass 4 tautology / CASE syntax (§10)** — `event.action` `EVAL` omitted; actor/target columns use column-level `CASE( IS NOT NULL, , …)` (5+ args with dataset/`resource.type` guards); never 3-arg `CASE(actor_exists, service.id, vendor_field)` or 4-arg with a bare vendor field as the 3rd argument.
+- **Multi-resource findings** — only primary resource promoted to ECS; additional `resources[]` remain vendor-only.
+- **`entity.target.sub_type`** — semantic literal; omit column from production queries if literals are undesirable.
+- **Detection/incident (`2004`/`2006`)** — `actor`/`device` pipelines unverified; do not guess `user.*` actor from `related.user`.
diff --git a/dev/domain/p1/aws_vpcflow_otel.md b/dev/domain/p1/aws_vpcflow_otel.md
new file mode 100644
index 00000000000..9a353b063f9
--- /dev/null
+++ b/dev/domain/p1/aws_vpcflow_otel.md
@@ -0,0 +1,445 @@ +# aws_vpcflow_otel + +## Product Domain (AWS VPC Flow Logs via OTel) + +Amazon VPC Flow Logs capture metadata about IP traffic flowing through network interfaces in a VPC, subnet, or individual ENI. Each record summarizes a network flow—source and destination addresses and ports, protocol, packet and byte counts, flow start/end times, and whether traffic was accepted or rejected by security groups and network ACLs. Organizations enable flow logs for network visibility, capacity planning, anomaly detection, and security investigations (for example, identifying rejected connections or unexpected east-west traffic). + +The Elastic **AWS VPC Flow Logs OpenTelemetry Assets** package is a content integration that ships Kibana dashboards for telemetry ingested via OpenTelemetry—not an Elastic Agent log shipper. Collection is typically configured with the EDOT Cloud Forwarder (ECF) for AWS or a standalone OpenTelemetry Collector using the `awss3receiver`, `awslogsencodingextension` (VPC flow plain-text format), and `elasticsearchexporter`. Flow log files land in S3 (often under `AWSLogs//`) and are polled via SQS notifications; the OTel pipeline parses records into ECS-aligned documents indexed under the `aws.vpcflow.otel` dataset. + +This package complements the classic Elastic Agent **AWS** integration (`aws.vpcflow` data stream) by targeting the OTel ingestion path. It provides three linked dashboards—Overview, Traffic Analysis, and Interface Analysis—for monitoring flow volume, rejection rates, bandwidth, per-interface behavior, and rejected-traffic drill-down across cloud accounts. + +## Data Collected (brief) + +Logs only (no metrics). The package expects data already ingested with `data_stream.dataset: aws.vpcflow.otel` via OpenTelemetry; it does not define its own Elastic Agent data streams or ingest pipelines. + +Each document represents one VPC flow log record. 
Key fields surfaced in dashboards and typical OTel mappings include: + +| Field area | Examples | +|---|---| +| **Network (ECS)** | `source.address`, `destination.address`, `source.port`, `destination.port`, `network.protocol.name`, `network.interface.name` | +| **AWS VPC flow (OTel)** | `aws.vpc.flow.action` (ACCEPT/REJECT), `aws.vpc.flow.bytes`, `aws.vpc.flow.packets` | +| **Cloud context** | `cloud.account.id` | + +Standard VPC flow log attributes (version, VPC/subnet/instance IDs, TCP flags, log status, packet-level addresses, ECS task metadata, etc.) may also be present depending on the flow log format version and OTel encoding configuration. Collection requires AWS S3 bucket storage for flow logs, SQS queue notifications, and an OTel pipeline (ECF for AWS or collector with `awslogs_encoding/vpcflow`). + +## Expected Audit Log Entities + +Evidence is from `packages/aws_vpcflow_otel/docs/README.md`, bundled dashboard ES\|QL (`packages/aws_vpcflow_otel/_dev/shared/kibana/*.yaml`), and the OpenTelemetry `awslogsencodingextension` VPC flow field mapping ([OTel Collector Contrib README](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/encoding/awslogsencodingextension#vpc-flow-log-record-fields), tested at v0.138.0 per package README). This integration is **dashboards-only** — it expects data already ingested with `data_stream.dataset: aws.vpcflow.otel` via ECF for AWS or a standalone OTel collector; there are no Elastic Agent data streams, ingest pipelines, `fields.yml`, or package test fixtures. + +Each document is one **VPC flow log record** — network flow telemetry, not identity-centric audit logs. Rejected flows (`aws.vpc.flow.action == "REJECT"`) are audit-adjacent for security-group/NACL investigations but still lack authenticated principals. Actor and target are inferred from the flow 5-tuple (`source.*` / `destination.*`), well-known ports, and disposition fields. There is no `user.*` identity. 
ECS `*.target.*` fields are **not populated** (no row in `target_fields_audit.csv`). `destination.user.*` / `destination.host.*` are **not used** (absent from `destination_identity_hits.csv`). `target_enhancement_packages.csv` classifies `aws_vpcflow_otel` as **none** with no pipeline actor or destination identity evidence in this package. + +**`event.action` is absent on the OTel ingestion path.** OTel maps the VPC flow `action` field to **`aws.vpc.flow.action`** (`ACCEPT` / `REJECT`) only — it does not set `event.action`, `event.outcome`, or `event.type`. The classic Elastic Agent **`aws.vpcflow`** data stream copies `aws.vpcflow.action` → `event.action` and derives `event.outcome` / `event.type` (`allowed` / `denied`) in post-ingest pipeline (`packages/aws/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml` L122–141); the OTel path does not. Bundled dashboards filter and aggregate on **`aws.vpc.flow.action`** directly (Overview, Traffic Analysis, Interface Analysis filter controls and breakdown panels). + +| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| **`aws.vpcflow.otel`** | no (no package fixtures) | no (OTel encoding only) | `aws.vpc.flow.action` (`ACCEPT`, `REJECT`) | high | OTel README: `action` → `aws.vpc.flow.action`; dashboard ES\|QL filters `aws.vpc.flow.action == "REJECT"` / `"ACCEPT"` (`traffic.yaml` L138–139, L222–223, L328; `overview.yaml` L60, L196–197; `interface.yaml` L159–160, L280–281) | + +### Event action (semantic) + +What operation or activity does each stream record? 
+ +| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | +| Flow accepted (security group / NACL allow) | data_access | high | `aws.vpc.flow.action: ACCEPT`; "Accept vs Reject Over Time" and accept/reject KPI panels (`overview.yaml` L196–197; `interface.yaml` L280–281) | **`aws.vpcflow.otel`** — permitted flow summary | +| Flow rejected (security group / NACL deny) | data_access | high | `aws.vpc.flow.action: REJECT`; "Top Rejected Ports", "Top Source IPs - Detailed", "Detailed Rejection Logs" (`traffic.yaml` L276–330) | **`aws.vpcflow.otel`** — audit-adjacent deny; primary security investigation filter | +| Rejection cause (supplementary) | configuration_change | medium | `aws.vpc.flow.reject_reason` when present (OTel README: `reject-reason` field, format v6+) | **`aws.vpcflow.otel`** — explains *why* a REJECT occurred; not a separate verb from REJECT | +| Network connection observed | connection | high | Implicit per-record semantics — one flow interval per document | **`aws.vpcflow.otel`** — no explicit "connect" verb; classic pipeline sets `event.type: [connection]` but OTel does not | + +There is no per-event API operation, authentication verb, or admin action — VPC flow logs record **network disposition** (allow/deny) for an observed flow, not who initiated a configuration change. + +### Event action (ECS candidates) + +| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | +| `event.action` | no | n/a | — | — | Absent from OTel VPC flow encoding; no package fixtures | +| `aws.vpc.flow.action` | no (vendor/OTel only) | yes (as disposition) | `ACCEPT`, `REJECT` | **yes** — copy to `event.action` (matches classic `aws.vpcflow` pipeline) | OTel README: `action` → `aws.vpc.flow.action`; dashboard primary action dimension (`traffic.yaml` L24 filter control; all three dashboards) | +| `aws.vpc.flow.reject_reason` | no | n/a | e.g. SG rule mismatch codes (format v6+) | partial — supplement `event.reason`, not primary `event.action` | OTel README: `reject-reason` → `aws.vpc.flow.reject_reason`; classic pipeline copies to `event.reason` (`default.yml` L142–145) | +| `event.outcome` | no | n/a | `success` (ACCEPT) / `failure` (REJECT) | **yes** — derive from `aws.vpc.flow.action` | Classic `aws.vpcflow` pipeline sets outcome from action (`default.yml` L122–129); OTel path omits | +| `event.type` (`allowed` / `denied`) | no | n/a | `allowed`, `denied` | partial — belongs in `event.type`, not `event.action`; classic pipeline appends these (`default.yml` L130–137) | Distinct from `event.action` per ECS Event field-set; OTel omits both | +| `event.category` / `event.type` (`connection`) | no | n/a | `[network]`, `[connection]` | partial — stream-level classification, not per-flow verb | Classic `aws.vpcflow` pipeline sets statically (`default.yml` L21–26); OTel omits | +| `network.io.direction` | no | n/a | `ingress` / `egress` (format v5+ `flow-direction`) | no — traffic direction context, not action verb | OTel README: `flow-direction` → `network.io.direction`; not in dashboard ES\|QL | + +### Actor (semantic) + +| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | +| Flow source endpoint | host | — | high | `source.address`, `source.port`; Traffic Analysis "Unique Source IPs", "Top Source IPs", and "Top Source 
IPs - Detailed" group by `source.address` (`traffic.yaml`; `aws_vpcflow_otel-traffic.json`) | Default for all flow records on `aws.vpcflow.otel` | +| Flow initiator heuristic | host | — | medium | Ephemeral `source.port` toward well-known `destination.port` (e.g. client `:49152 → :443`); VPC flow logs expose tuple order only — no explicit client/server flag | Inferred from port pairing; not a separate field | +| Rejected-flow initiator | host | — | high | `source.address`, `source.port` when `aws.vpc.flow.action == "REJECT"`; "Top Source IPs - Detailed" and "Detailed Rejection Logs" panels filter on REJECT (`traffic.yaml`) | Security investigation context | +| Packet-level / NAT source | host | — | medium | OTel maps `pkt-srcaddr` → `source.address` when populated; may differ from `srcaddr` (`awslogsencodingextension` VPC flow mapping) | Format versions with packet-level fields | +| ECS task–originated workload | host or service | — | medium | `aws.ecs.task.id`, `aws.ecs.task.arn`, `aws.ecs.container.id`, `aws.ecs.service.name` when present in OTel output (format v3+); not referenced in bundled dashboards | Optional enrichment on flow records | +| AWS managed service source | service | — | medium | `aws.vpc.flow.source.service` ← `pkt-src-aws-service` (format v5+); not surfaced in dashboard ES\|QL | Rare; AWS-internal service attribution | +| Network interface (ENI) | — | — | high | **Not the actor** — observation point only: `network.interface.name` ← `interface-id`; Interface Analysis filters and aggregates by interface (`interface.yaml`) | Scope anchor, not flow peer | +| Cloud account | — | — | high | **Not the actor** — tenancy scope: `cloud.account.id`; Overview/Interface "Traffic by Cloud Account" and account KPIs (`overview.yaml`, `interface.yaml`) | Multi-account visibility only | + +No **user** actor is populated; VPC flow logs carry IP/port tuples only — no `user.name` / `user.id` in dashboard field lists or OTel VPC flow schema. 
+ +### Actor (ECS candidates) + +| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `source.address` | Flow origin host | yes (OTel) | yes | high | `srcaddr` / `pkt-srcaddr` → `source.address` (`awslogsencodingextension` VPC flow table); dashboard ES\|QL on `source.address` (`traffic.yaml`, `interface.yaml`) | +| `source.port` | Flow origin port | yes (OTel) | yes | high | `srcport` → `source.port`; dashboard filter control (`traffic.yaml` L40) | +| `aws.vpc.flow.source.service` | AWS service attribution | yes (OTel) | yes | medium | `pkt-src-aws-service` → `aws.vpc.flow.source.service` (format v5+); not in dashboard field lists | +| `aws.ecs.task.id`, `aws.ecs.task.arn`, `aws.ecs.container.id`, `aws.ecs.service.name` | Container/workload origin | yes (OTel) | partial | medium | ECS metadata fields on format v3+ flows; vendor-only, not mapped to `host.*` / `service.*` ECS in OTel encoding | +| `host.id` | EC2 instance hosting ENI | yes (OTel) | yes | medium | `instance-id` → `host.id` per OTel mapping; not used in bundled dashboards | +| `network.interface.name` | ENI observation point | yes (OTel) | n/a | high | `interface-id` → `network.interface.name`; identifies where flow was captured, not who initiated it | +| `cloud.account.id` | AWS account scope | yes (OTel) | n/a | high | `account-id` → `cloud.account.id`; tenancy context, not actor | +| `cloud.region` | AWS region scope | yes (OTel) | n/a | medium | `region` → `cloud.region`; not referenced in dashboards | + +### Target (semantic) + +| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | --- | --- | +| 1 — Network protocol / service | Application protocol or well-known service on destination port | TCP/443, UDP/53, … | service | — | high | `destination.port` + `network.protocol.name`; "Top Destination Ports", "Top Rejected 
Ports", protocol breakdown panels across all three dashboards (`overview.yaml`, `traffic.yaml`, `interface.yaml`) | Primary service-layer target | +| 2 — Host / endpoint | IP peer receiving or serving traffic | Internal server, external host, blocked endpoint | host | — | high | `destination.address`, `destination.port`; "Top Destination IPs", "Unique Destination IPs", rejection drill-down (`traffic.yaml` L328–330; `interface.yaml`) | Default flow peer | +| 2 — AWS managed service destination | AWS-internal service receiving traffic | S3, DynamoDB, … | service | — | medium | `aws.vpc.flow.destination.service` ← `pkt-dst-aws-service` (format v5+); not in dashboard ES\|QL | Optional format v5+ enrichment | +| 2 — ECS task–targeted workload | Container/service receiving traffic | ECS task/service | host or service | — | medium | ECS metadata on destination-side flows when present in OTel output; not used in dashboards | Format v3+ only | +| 3 — Flow instance / disposition | Bytes, packets, accept/reject disposition for this flow record | Single flow summary | general | network_flow | high | `aws.vpc.flow.bytes`, `aws.vpc.flow.packets`, `aws.vpc.flow.action`; rejection table shows tuple + volume (`traffic.yaml` L328–330) | All records; disposition is event action, not entity target | + +**Observation context (not flow peer):** `network.interface.name` identifies the ENI where the flow was logged — infrastructure anchor (`general`, network-interface), not the remote destination. + +### Target (ECS candidates) + +| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `destination.address` | 2 | host | yes (OTel) | yes | context-only (network peer) | partial → `host.target.ip` | `dstaddr` / `pkt-dstaddr` → `destination.address`; "Top Destination IPs" ES\|QL (`traffic.yaml` L394–395) — network semantics, not official ECS audit target | +| `destination.port` | 1/2 | service/host | yes (OTel) | yes | context-only | partial → `host.target.port` / `service.target.name` | `dstport` → `destination.port`; well-known ports imply service layer | +| `network.protocol.name` | 1 | service | yes (OTel) | yes | context-only | partial → `service.target.name` | `protocol` → `network.protocol.name`; protocol breakdown panels | +| `aws.vpc.flow.destination.service` | 2 | service | yes (OTel) | yes | — | yes → `service.target.name` | `pkt-dst-aws-service`; vendor-only, no ECS target mapping | +| `aws.vpc.flow.bytes`, `aws.vpc.flow.packets` | 3 | general | yes (OTel) | n/a | context-only | no | Flow volume metrics on rejection drill-down (`traffic.yaml` L329–330) | +| `aws.vpc.flow.reject_reason` | 3 | general | yes (OTel) | n/a | context-only | no | Deny explanation when security group/NACL blocks flow; action semantics documented under Event action | +| `network.interface.name` | — | general | yes (OTel) | n/a | context-only | no | ENI observation point; Interface Analysis aggregates (`interface.yaml`) — not remote peer | +| `aws.vpc.id`, `aws.vpc.subnet.id`, `host.id` | 2 | host | yes (OTel) | partial | context-only | partial → `host.target.id` | VPC/subnet/instance IDs from OTel encoding; infrastructure context, not in dashboards | + +### Gaps and mapping notes + +- **`event.action` gap on OTel path** — `aws.vpc.flow.action` (`ACCEPT` / `REJECT`) is the canonical per-flow verb but remains vendor-namespaced; OTel encoding does not copy to `event.action`. Classic **`aws.vpcflow`** pipeline does (`default.yml` L138–141). 
Recommended enhancement: downstream ingest processor or OTel exporter normalization to set `event.action` ← `aws.vpc.flow.action`, plus `event.outcome` and `event.type` parity with classic integration. +- **No ECS `*.target.*` fields** — flow peers live under `destination.*` as network endpoints; `target_enhancement_packages.csv` classifies this package as **none** (no Tier-A target mapping, no pipeline evidence in-package). +- **`destination.*` is network context, not de-facto user/host audit target** — unlike firewall auth or email logs, VPC flow records never populate `destination.user.*` or `destination.host.*`; all destination fields are 5-tuple peers. +- **Dashboard-only evidence** — no `sample_event.json` or `*-expected.json`; classifications rely on dashboard ES\|QL field usage (`_dev/shared/kibana/*.yaml`) plus OTel `awslogsencodingextension` VPC flow attribute mapping documented upstream. +- **Rich vendor fields not surfaced in dashboards** — `aws.ecs.*`, `aws.vpc.flow.source.service`, `aws.vpc.flow.destination.service`, `host.id`, `aws.vpc.id`, `network.io.direction`, and `aws.vpc.flow.reject_reason` may exist in ingested documents but are absent from bundled panel KEEP/filter clauses. +- **`network.interface.name` vs flow peers** — ENI identifies where traffic was observed (scope/filter dimension), not actor or remote target; do not conflate with `source.address` / `destination.address`. +- **No user identity** — VPC flow logs have no authenticated principal; ephemeral ports and IP addresses are the only actor signals. +- **Correlate with classic integration** — For `event.action` / `event.outcome` / ECS target enrichment parity, use classic **`aws.vpcflow`** post-ingest pipeline or add downstream processors on `aws.vpcflow.otel` indices. 
+ +### Per-stream notes + +#### aws.vpcflow.otel + +Single dataset for VPC (and Transit Gateway) flow logs ingested via ECF for AWS or standalone OTel collector (`awss3receiver` + `awslogsencodingextension` format `vpcflow`). OTel maps flow 5-tuple to `source.*` / `destination.*`, disposition to **`aws.vpc.flow.action`**, and cloud context to `cloud.account.id`, `cloud.region`, `network.interface.name`, etc. Per-event **action** is flow allow/deny (`ACCEPT` / `REJECT`) — not an API or admin verb. Actor is **host** (source IP/port) or occasionally **service** (AWS-internal `aws.vpc.flow.source.service` / `aws.vpc.flow.destination.service`). Target is Layer 1 **protocol/service** (`destination.port`, `network.protocol.name`), Layer 2 **flow peer** (`destination.address`), and Layer 3 **flow instance** (bytes/packets/disposition). All three dashboards query the same dataset; Traffic Analysis provides the richest actor/target/action drill-down (source/destination IPs, ports, rejection table). + +## Example Event Graph (illustrative — no package fixtures) + +**Package type: assets-with-sibling (dashboards-only)** — `packages/aws_vpcflow_otel/` ships Kibana dashboards and discovery metadata only; no Elastic Agent `data_stream/`, ingest pipelines, or `sample_event.json`. VPC flow records are ingested **outside** this package via ECF for AWS or a standalone OpenTelemetry Collector (`awslogsencodingextension`, format `vpcflow`); bundled dashboards query customer indices where `data_stream.dataset == "aws.vpcflow.otel"` (manifest discovery `aws.vpcflow.otel`; all dashboard filters and ES|QL use `data_stream.dataset`, not `event.dataset`). + +Patterns below are **field/schema illustrations** from bundled dashboard ES|QL (Tier B) — **not** single indexed documents collected by this package. 
On the OTel path, disposition is **`aws.vpc.flow.action`** (`ACCEPT` / `REJECT`); **`event.action` is not set** (classic `aws.vpcflow` Agent pipeline copies `aws.vpcflow.action` → `event.action` — different encoding). Sibling **`packages/aws/data_stream/vpcflow/`** fixtures may be cited **only** for plain-text VPC flow field-layout comparison; they are **not** OTel-ingested events for this package. + +**Common-sense read-aloud (schema):** “Flow source endpoint did allow/deny disposition to destination peer or service.” `network.interface.name` is observation scope (ENI), not actor or remote target. + +### Pattern 1: Permitted flow trend (ACCEPT / REJECT over time) + +**Log type:** `data_stream.dataset == "aws.vpcflow.otel"` · **Evidence:** `packages/aws_vpcflow_otel/_dev/shared/kibana/overview.yaml` (Tier B — "Accept vs Reject Over Time", L196–197) + +``` +host (source.address, source.port) → aws.vpc.flow.action (ACCEPT | REJECT) → service/host (destination.address, destination.port, network.protocol.name) +``` + +**Read-aloud:** “Source host permitted or denied traffic to a destination peer or well-known port/protocol.” + +#### Actor (schema) + +| Field | Source in indexed data (not a sample value) | +| --- | --- | +| type | host — `source.address`, `source.port` in dashboard controls and Top Source panels (`traffic.yaml` L37–40, L418+) | + +#### Event action (schema) + +| Field | Source | +| --- | --- | +| action | flow accepted / flow rejected (normalized labels) | +| source_field | `aws.vpc.flow.action` | +| source_value | `ACCEPT`, `REJECT` (filter literals in dashboard ES\|QL — not `event.action`) | + +#### Target (schema) + +| Field | Source in indexed data (not a sample value) | +| --- | --- | +| type | service or host — `destination.port`, `network.protocol.name`, `destination.address` (Overview protocol breakdown L120+; classic OTel maps `protocol` → `network.protocol.name`) | + +**Scope context (not target):** `cloud.account.id`, `network.interface.name` 
— dashboard filters only. + +### Pattern 2: Rejected-flow security drill-down + +**Log type:** `data_stream.dataset == "aws.vpcflow.otel" AND aws.vpc.flow.action == "REJECT"` · **Evidence:** `packages/aws_vpcflow_otel/_dev/shared/kibana/traffic.yaml` (Tier B — Security Deep Dive, L276–330) + +``` +host (source.address) → REJECT (aws.vpc.flow.action filter literal) → host/service (destination.address, destination.port, network.protocol.name) +``` + +**Read-aloud:** “Source host had traffic rejected toward a destination IP/port or protocol bucket.” Audit-adjacent (SG/NACL deny) but still no authenticated user principal. + +#### Actor (schema) + +| Field | Source in indexed data (not a sample value) | +| --- | --- | +| type | host — `source.address`; "Top Source IPs - Detailed" and rejection table group/filter on source (`traffic.yaml` L328–330 KEEP list) | + +#### Event action (schema) + +| Field | Source | +| --- | --- | +| action | flow rejected | +| source_field | `aws.vpc.flow.action` | +| source_value | `REJECT` | + +#### Target (schema) + +| Field | Source in indexed data (not a sample value) | +| --- | --- | +| type | host — `destination.address`; service layer — `destination.port`, `network.protocol.name` ("Top Rejected Ports", "Rejected Traffic by Protocol") | + +**Not in dashboard KEEP:** `aws.vpc.flow.reject_reason`, `aws.vpc.flow.destination.service` — may exist on ingested OTel documents (format v5+) but absent from panel field lists. 
+ +### Pattern 3: Per-interface disposition + +**Log type:** `data_stream.dataset == "aws.vpcflow.otel"` · **Evidence:** `packages/aws_vpcflow_otel/_dev/shared/kibana/interface.yaml` (Tier B — Interface Traffic Analysis, L159–160; Traffic by Cloud Account L279–281) + +``` +host (source.address) → aws.vpc.flow.action → host (destination.address) · scope: network.interface.name (ENI) +``` + +**Read-aloud:** “Source host allowed or denied traffic to a destination peer, observed on a specific ENI.” ENI is **scope**, not the flow peer target. + +#### Actor (schema) + +| Field | Source in indexed data (not a sample value) | +| --- | --- | +| type | host — `source.address` (per-interface source/destination IP stats L87–102) | + +#### Event action (schema) + +| Field | Source | +| --- | --- | +| action | flow accepted / flow rejected | +| source_field | `aws.vpc.flow.action` | +| source_value | `ACCEPT`, `REJECT` (`EVAL is_accepted` / `is_rejected` panels L280–281) | + +#### Target (schema) + +| Field | Source in indexed data (not a sample value) | +| --- | --- | +| type | host — `destination.address` | + +**Scope context (not actor/target):** `network.interface.name`, `cloud.account.id`. + +### Optional read-aloud check — sibling field layout only + +One **common-sense graph test** using disclosed tuple values from classic Agent ingest (same plain-text VPC flow line; OTel would index `aws.vpc.flow.action` instead of `event.action` / `aws.vpcflow.action`). **Not collected by `aws_vpcflow_otel`.** + +**Evidence:** `packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-extra-samples.log-expected.json` (last event; sibling Tier A, stand-in for OTel path) + +**Read-aloud:** “Host 172.31.16.139 had traffic rejected to host 89.160.20.156 over ICMP.” — coherent; source ≠ destination. 
+ +| Node | Disclosed value | OTel-oriented field | +| --- | --- | --- | +| Actor ip | `172.31.16.139` | `source.address` | +| Action | `REJECT` | `aws.vpc.flow.action` (not `event.action`) | +| Target ip | `89.160.20.156` | `destination.address` | +| Target protocol | `icmp` | `network.protocol.name` | + +## ES|QL Entity Extraction + +**Package type: assets-with-sibling (dashboards-only).** Field paths inferred from bundled dashboard ES|QL (Tier B) and OTel `awslogsencodingextension` VPC flow mapping (package README / upstream docs). This package defines **no** ingest pipelines or test fixtures in-repo. Router: **`data_stream.dataset == "aws.vpcflow.otel"`** per `manifest.yml` discovery and all dashboard filters (`_dev/shared/kibana/*.yaml`, Kibana saved objects). Sibling **`packages/aws/data_stream/vpcflow/`** expected JSON may cite field **layout** only (e.g. `aws.vpcflow.pkt_dst_service` → OTel `aws.vpc.flow.destination.service`) — **sibling evidence**, not OTel-ingested documents. + +VPC flow logs are **network telemetry**: actor is the flow source endpoint (`source.address` / `source.port`); target is the destination peer (`destination.address`) or protocol/service layer (`network.protocol.name`, optional `aws.vpc.flow.destination.service`). No `user.*` identity. Pass 4 is **fill-gaps-only** — preserve existing `host.*`, `host.target.*`, `service.target.*`, and `event.action` when already populated. **Pass 4 (tautology + CASE syntax):** no `CASE(col, col, …)` identity fallbacks; actor/target/action columns use **column-level** `IS NOT NULL` preserve (not `CASE(actor_exists|target_exists|action_exists, , …)`) so partial enrichment (e.g. `host.id` from `instance-id` or `host.target.ip` without `host.target.name`) does not block `source.address` / `destination.address` fallbacks. `source.address` / `destination.address` are excluded from `actor_exists` / `target_exists` so 5-tuple peers remain valid fallbacks. 
All `CASE` use odd-arity defaults or valid **3-arg** forms — never **4-arg** `CASE(flag, col, bare_field, null)`.
+
+### Dataset inventory
+
+| Router (`data_stream.dataset`) | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `aws.vpcflow.otel` | network flow (ACCEPT/REJECT via `aws.vpc.flow.action`) | host | host, service | partial — Tier B |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `host.ip` | `host.ip` | `host.ip IS NOT NULL` | medium | **preserve existing** — column-level |
+| `host.ip` | `source.address` | `data_stream.dataset == "aws.vpcflow.otel" AND source.address IS NOT NULL` | medium | **vendor fallback** — Tier B; `source.address` not in `actor_exists` |
+| `host.name` | `host.name` | `host.name IS NOT NULL` | low | **preserve existing** — column-level |
+| `host.name` | `source.address` | `data_stream.dataset == "aws.vpcflow.otel" AND source.address IS NOT NULL` | low | **vendor fallback** — IP-as-label; independent of `host.ip` / `host.id` |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `host.target.ip` | `host.target.ip` | `host.target.ip IS NOT NULL` | medium | **preserve existing** — column-level |
+| `host.target.ip` | `destination.address` | `data_stream.dataset == "aws.vpcflow.otel" AND destination.address IS NOT NULL` | medium | **vendor fallback** — Tier B (`traffic.yaml` L328–395); `destination.address` not in `target_exists` |
+| `host.target.name` | `host.target.name` | `host.target.name IS NOT NULL` | low | **preserve existing** — column-level |
+| `host.target.name` | `destination.address` | `data_stream.dataset == "aws.vpcflow.otel" AND destination.address IS NOT NULL` | low | **vendor fallback** — network peer IP label; independent of `host.target.ip` |
+| `service.target.name` | `service.target.name` | `service.target.name IS NOT NULL` | medium | **preserve existing** — column-level |
+| `service.target.name` | `aws.vpc.flow.destination.service` | `data_stream.dataset == "aws.vpcflow.otel" AND aws.vpc.flow.destination.service IS NOT NULL` | medium | **vendor fallback** — **sibling evidence** only |
+| `service.target.name` | `network.protocol.name` | `data_stream.dataset == "aws.vpcflow.otel" AND network.protocol.name IS NOT NULL` | low | **vendor fallback** — protocol Tier B |
+| `entity.target.type` | `entity.target.type` | `entity.target.type IS NOT NULL` | low | **preserve existing** — column-level |
+| `entity.target.type` | literal `"service"` / `"host"` | per guards below | low | **fallback** classification helper only |
+
+#### Event action mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `event.action` | `event.action` | `event.action IS NOT NULL` | medium | **preserve existing** — column-level (not `action_exists` in `CASE`) |
+| `event.action` | `aws.vpc.flow.action` | `data_stream.dataset == "aws.vpcflow.otel" AND aws.vpc.flow.action IS NOT NULL` | medium | **vendor fallback** — OTel path omits `event.action` (Pass 2) |
+
+Omit `user.*`, `entity.*` actor columns, and well-known-port **semantic literals** (no indexed service name in Tier B dashboards).
+
+### Detection flags (mandatory — run first)
+
+Network-only integration: `actor_exists` / `target_exists` omit `user.*` / `user.target.*` (no identity fields on this dataset). **`source.address` / `destination.address` are intentionally excluded** from the flags so flow 5-tuple peers can populate `host.ip` / `host.target.*` when ECS columns are empty. Mapped actor/target/action columns use **column-level** `IS NOT NULL` preserve in subsequent `EVAL` blocks (not flag-wide `CASE(actor_exists|target_exists|action_exists, col, …)`).
+ +```esql +| EVAL + actor_exists = host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +``` + +**Semantics:** `actor_exists` / `target_exists` document whether any ECS identity column is already set (e.g. downstream enrichment). Per-column `CASE(host.ip IS NOT NULL, host.ip, …)` applies fallbacks when that output column is empty even if `host.id` or another actor column is populated. + +### Optional classification helpers (when needed) + +Set `entity.target.type` in the **fallback** branch only (correct ECS name — not `target.entity.type`): + +```esql +| EVAL + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "aws.vpcflow.otel" AND aws.vpc.flow.destination.service IS NOT NULL, "service", + data_stream.dataset == "aws.vpcflow.otel", "host", + null + ) +``` + +Do not use `destination.port IN (22, 443, 80)` without package fixture proof — heuristic omitted. 
+
+### Combined ES|QL — actor fields
+
+```esql
+| EVAL
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "aws.vpcflow.otel" AND source.address IS NOT NULL, source.address,
+ null
+ ),
+ host.name = CASE(
+ host.name IS NOT NULL, host.name,
+ data_stream.dataset == "aws.vpcflow.otel" AND source.address IS NOT NULL, source.address,
+ null
+ )
+```
+
+### Combined ES|QL — event action
+
+```esql
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "aws.vpcflow.otel" AND aws.vpc.flow.action IS NOT NULL, aws.vpc.flow.action,
+ null
+ )
+```
+
+Filters and dashboards may still prefer **`aws.vpc.flow.action`** for ACCEPT/REJECT panels; this block only normalizes `event.action` when empty.
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ host.target.ip = CASE(
+ host.target.ip IS NOT NULL, host.target.ip,
+ data_stream.dataset == "aws.vpcflow.otel" AND destination.address IS NOT NULL, destination.address,
+ null
+ ),
+ host.target.name = CASE(
+ host.target.name IS NOT NULL, host.target.name,
+ data_stream.dataset == "aws.vpcflow.otel" AND destination.address IS NOT NULL, destination.address,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "aws.vpcflow.otel" AND aws.vpc.flow.destination.service IS NOT NULL, aws.vpc.flow.destination.service,
+ data_stream.dataset == "aws.vpcflow.otel" AND network.protocol.name IS NOT NULL, network.protocol.name,
+ null
+ )
+```
+
+### Full pipeline fragment (optional)
+
+Unscoped `FROM logs-*` — dataset routing in `CASE` fallback branches only (no `WHERE data_stream.dataset`):
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR 
host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "aws.vpcflow.otel" AND source.address IS NOT NULL, source.address,
+ null
+ ),
+ host.name = CASE(
+ host.name IS NOT NULL, host.name,
+ data_stream.dataset == "aws.vpcflow.otel" AND source.address IS NOT NULL, source.address,
+ null
+ ),
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "aws.vpcflow.otel" AND aws.vpc.flow.action IS NOT NULL, aws.vpc.flow.action,
+ null
+ ),
+ host.target.ip = CASE(
+ host.target.ip IS NOT NULL, host.target.ip,
+ data_stream.dataset == "aws.vpcflow.otel" AND destination.address IS NOT NULL, destination.address,
+ null
+ ),
+ host.target.name = CASE(
+ host.target.name IS NOT NULL, host.target.name,
+ data_stream.dataset == "aws.vpcflow.otel" AND destination.address IS NOT NULL, destination.address,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "aws.vpcflow.otel" AND aws.vpc.flow.destination.service IS NOT NULL, aws.vpc.flow.destination.service,
+ data_stream.dataset == "aws.vpcflow.otel" AND network.protocol.name IS NOT NULL, network.protocol.name,
+ null
+ )
+| KEEP @timestamp, data_stream.dataset, aws.vpc.flow.action, event.action, source.address, destination.address, destination.port, network.protocol.name, host.ip, host.name, host.target.ip, host.target.name, service.target.name
+```
+
+### Streams excluded
+
+- None — single OTel flow dataset (`aws.vpcflow.otel`) only; classic Agent **`aws.vpcflow`** is a different `data_stream.dataset` (out of scope for this package router).
+
+### Gaps and limitations
+
+- **No package fixtures** — mappings are Tier B (dashboard ES|QL) plus OTel encoding docs; confidence capped at medium/low for vendor service fields.
+- **`event.outcome` / `event.type`** — not set on OTel path; classic `aws.vpcflow` pipeline derives these from action (`packages/aws/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml` L122–137); omit from Pass 4 or add downstream ingest.
+- **`aws.vpc.flow.destination.service`** — **sibling evidence** (`test-v5-all-fields.log-expected.json` `pkt_dst_service`); not referenced in bundled dashboard ES|QL; validate in customer indices before relying on `service.target.name` fallback branch.
+- **Well-known port → service name** (e.g. `:443` → HTTPS) — not indexed; no semantic literals in `CASE`.
+- **`network.interface.name`** — ENI observation point / dashboard filter; not actor or remote target (Pass 3 scope context).
+- **`destination.*` is network peer context** — mapped to `host.target.*` for cross-integration query normalization only; ingest does not populate official ECS `*.target.*` on this path (`target_enhancement_packages.csv` = none).
+- **`host.id`** — OTel may set from `instance-id`; not used in dashboards; preserved when present — does not block `host.ip` / `host.name` fallbacks from `source.address` (column-level preserve).
+- **Pass 4 tautology cleanup** — no `CASE(col, col, …)` branches; `source.address` / `destination.address` excluded from detection flags; actor/target/action `EVAL` uses per-column `IS NOT NULL` preserve (not `CASE(actor_exists|target_exists|action_exists, , …)`).
+- **Pass 4 CASE syntax (§10)** — all mapped `CASE` use odd-arity defaults (`null`) or valid **3-arg** preserve/fallback; never **4-arg** `CASE(flag, col, bare_field, null)` (bare field parses as a condition). `event.action` preserve is `event.action IS NOT NULL`, not `action_exists`. Full pipeline fragment aligned with combined `EVAL` blocks.
+- **Classic parity** — For full `event.action` / `event.outcome` / `event.type` at ingest, use Agent `aws.vpcflow` pipeline or downstream processors on `aws.vpcflow.otel` indices.
diff --git a/dev/domain/p1/azure_ai_foundry.md b/dev/domain/p1/azure_ai_foundry.md
new file mode 100644
index 00000000000..b10ca4b97fe
--- /dev/null
+++ b/dev/domain/p1/azure_ai_foundry.md
@@ -0,0 +1,506 @@
+# azure_ai_foundry
+
+## Product Domain (Azure AI Foundry)
+
+Microsoft Azure AI Foundry (also branded Microsoft Foundry) is a unified Azure platform for building, deploying, and managing generative AI applications and model endpoints. Organizations use it to host foundation models (OpenAI and third-party), run chat and completion APIs, manage model deployments, and apply Azure-native guardrails such as content filtering, custom blocklists, jailbreak detection, and protected-material checks. Foundry resources are provisioned as Azure Cognitive Services accounts and can be exposed directly or fronted by Azure API Management (APIM) for policy enforcement, throttling, and advanced gateway logging.
+
+The platform generates operational telemetry at two levels. Native diagnostic logging covers audit activity (administrative and key-management operations) and request/response metadata for model API calls—operation name, duration, model deployment, caller IP, and outcome—without full prompt and completion bodies by default. When APIM sits in front of Foundry deployments, gateway logs add richer HTTP-level detail, including backend request and response payloads, token usage, cache behavior, TLS metadata, and content-filter results across safety categories (hate, violence, sexual, self-harm, profanity, jailbreak, ungrounded material, and protected material).
+
+From a security and observability perspective, Foundry is a critical control point for AI workload governance. Security and platform teams monitor who invokes models, which deployments are used, whether requests succeed or fail, how content filters act on prompts and completions, and how provisioned capacity is consumed. The Elastic integration ingests Foundry logs via Azure Event Hub and cognitive-service metrics via Azure Monitor, normalizing events into ECS-aligned fields for SIEM correlation, AI usage analytics, latency and availability alerting, and audit review.
+
+## Data Collected (brief)
+
+- **Logs** (`azure.ai_foundry`): Streamed from Azure Event Hub via the `azure-eventhub` input; supports agent-based deployment only.
+- **Audit** (`category: Audit`): Administrative and resource operations (e.g., key listing), including asset identity, object ID, operation name, tenant/region, and Azure resource ID.
+- **RequestResponse** (`category: RequestResponse`): Native model API call telemetry—operation (e.g., chat completions), duration, caller IP, correlation ID, model name/version/deployment, stream type, request/response sizes, and HTTP result signature.
+- **ApiManagementGatewayLogs** (`category: GatewayLogs`): APIM gateway events with full HTTP context—client and backend URLs/methods, request/response bodies (prompts and completions), token counts, latency, cache status, TLS details, and content-filter outcomes (severity, filtered/detected flags, custom blocklists, jailbreak, profanity, protected material).
+- **Metrics** (`azure.ai_foundry`): Collected from Azure Monitor (`Microsoft.CognitiveServices/accounts`) on a 5-minute period; supports agent-based and agentless deployment.
+- **Usage and performance**: Model request counts; input, output, and total token totals; latency (time to first byte, time to last byte, time to response, tokens per second); model availability rate; provisioned utilization percentage.
+- **Dimensions and resource context**: Model name, version, deployment name, API name, region; Azure subscription, resource group, resource ID, and namespace.
+
+## Expected Audit Log Entities
+
+Foundry telemetry spans one **logs** data stream (`azure.ai_foundry`, three Azure diagnostic categories) and one **metrics** data stream (`azure.ai_foundry`, Azure Monitor aggregates). **`Audit`** is true administrative audit (key management, resource operations). 
**`RequestResponse`** and **`GatewayLogs`** are audit-adjacent API telemetry — native Foundry call metadata and APIM gateway HTTP logs with full request/response bodies. **`Metrics`** are time-bucketed usage and performance gauges with no per-request principal. The logs pipeline maps GatewayLogs `caller_ip_address` → `source.ip` (with geo/ASN) and subscription → `cloud.account.id`, but does not populate ECS `user.*`, `*.target.*`, `related.*`, `destination.*`, or `gen_ai.*`. No ECS `*.target.*` fields are mapped today (`target_fields_audit.csv` has no `azure_ai_foundry` row; `target_enhancement_packages.csv` classifies actor/target enhancement as **`none`**). No `destination.user.*` / `destination.host.*` usage (`destination_identity_hits.csv` has no `azure_ai_foundry` row). **`event.action` is absent** in all log and metrics fixtures and no ingest pipeline maps to it (grep across `packages/azure_ai_foundry` returns no `event.action` references). Vendor operation fields (`azure.ai_foundry.operation_name`, `properties.operation_id`) hold the action verb but remain vendor-only. Evidence is from `data_stream/logs/_dev/test/pipeline/*-expected.json`, `data_stream/logs/sample_event.json`, `data_stream/logs/fields/fields.yml`, `data_stream/logs/elasticsearch/ingest_pipeline/default.yml`, `data_stream/logs/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml`, `data_stream/metrics/_dev/test/pipeline/test-aifoundry.json-expected.json`, `data_stream/metrics/sample_event.json`, and `data_stream/metrics/fields/fields.yml`.
+
+### Event action (semantic)
+
+Each log category records a distinct operation or activity. **`Audit`** and **`RequestResponse`** expose the action at top-level `azure.ai_foundry.operation_name`. **`GatewayLogs`** use `properties.operation_id` for the Foundry/APIM API method (e.g. `ChatCompletions_Create`); the top-level `operation_name` (`Microsoft.ApiManagement/GatewayLogs`) is the Azure diagnostic envelope, not the API verb. 
**`Metrics`** are pre-aggregated Azure Monitor gauges with **no meaningful per-event action** (classification rule 10).
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `ListKey` | administration | high | `test-ai-foundry-audit.log-expected.json`: `operation_name: ListKey` | **`Audit`** — key-management admin operation against the cognitive account |
+| `Create_Thread` | api_call | high | `test-ai-foundry-request-response.log-expected.json`: `operation_name: Create_Thread` | **`RequestResponse`** — Assistants thread creation |
+| `ChatCompletions_Create` | api_call | high | RequestResponse fixture (`operation_name: ChatCompletions_Create`); GatewayLogs fixture (`properties.operation_id: ChatCompletions_Create`) | **`RequestResponse`**, **`GatewayLogs`** — chat completion API invocation |
+| `getChatCompletions` | api_call | high | `test-ai-foundry-gateway.log-expected.json`: `properties.operation_id: getChatCompletions` | **`GatewayLogs`** — alternate APIM operation naming for chat completions |
+| `Microsoft.ApiManagement/GatewayLogs` | api_call | partial | GatewayLogs top-level `operation_name` in all gateway fixtures and `sample_event.json` | **`GatewayLogs`** — Azure diagnostic category name, not the invoked Foundry API method; use `properties.operation_id` instead for `event.action` |
+| `ShoeboxCallResult` | api_call | partial | RequestResponse: `azure.ai_foundry.event: ShoeboxCallResult` in fixtures | **`RequestResponse`** — Azure internal event type for native call telemetry; less specific than `operation_name` |
+| (none — metric aggregates) | — | high | `metrics/sample_event.json`, `test-aifoundry.json-expected.json` — token/latency counters only | **`Metrics`** — no per-request verb; dimensions describe aggregation slice |
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? 
| Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `azure.ai_foundry.operation_name` | no | n/a | `ListKey`, `Create_Thread`, `ChatCompletions_Create` | yes | Audit and RequestResponse fixtures; `fields.yml` L16–18 ("The log action performed"); pipeline retains vendor-only after snake_case script — no rename to `event.action` |
+| `azure.ai_foundry.properties.operation_id` | no | n/a | `ChatCompletions_Create`, `getChatCompletions` | yes | GatewayLogs fixtures (`test-ai-foundry-gateway.log-expected.json`); primary API action on APIM-fronted calls |
+| `http.request.method` + `url.path` | no | partial | `POST` + `/deployments/gpt-chat-pilot/chat/completions` | partial | GatewayLogs: `properties.method` → `http.request.method` (`default.yml` L268–271); `uri_parts` on `properties.url` (`default.yml` L276–289); alternate when `operation_id` absent |
+| `azure.ai_foundry.event` | no | n/a | `ShoeboxCallResult` | partial | RequestResponse fixtures only; Azure envelope type, not the API method |
+| `event.action` | no | n/a | — | yes | Not set in any pipeline or fixture |
+| `event.outcome` | yes | yes | `success`, `failure` | no | `result_type` → `event.outcome` on GatewayLogs (`default.yml` L165–172); records outcome, not action |
+| `event.type` / `event.category` | no | n/a | — | no | Not set; would not substitute for `event.action` without a vendor action source |
+
+**Step 2b — per-stream check:**
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? 
| Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| Logs — Audit | no | no | `azure.ai_foundry.operation_name` → `ListKey` | high | `test-ai-foundry-audit.log-expected.json`; no `event.action` in `event` block |
+| Logs — RequestResponse | no | no | `azure.ai_foundry.operation_name` → `Create_Thread`, `ChatCompletions_Create` | high | `test-ai-foundry-request-response.log-expected.json`; alternate `azure.ai_foundry.event: ShoeboxCallResult` |
+| Logs — GatewayLogs | no | no | `azure.ai_foundry.properties.operation_id` → `ChatCompletions_Create`, `getChatCompletions` | high | `test-ai-foundry-gateway.log-expected.json`, `sample_event.json`; do **not** use top-level `operation_name: Microsoft.ApiManagement/GatewayLogs` |
+| Metrics | no | no | — (no per-event action) | high | `test-aifoundry.json-expected.json`; `event` block has `dataset`/`module` only; 5-minute Azure Monitor aggregates |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Entra ID principal (object ID) | user | — | high | `azure.ai_foundry.properties.object_id` on Audit `ListKey` (`test-ai-foundry-audit.log-expected.json`); field defined in `fields.yml` | **`Audit`** — administrative actor for key-management and resource operations; not mapped to ECS `user.id` |
+| Asset identity | general | identity | moderate | `azure.ai_foundry.asset_identity` on Audit sample (`07628fea-67bb-424d-b160-fdc46c82d0b4`); `fields.yml` | **`Audit`** — Azure asset identity key; supplementary to object ID |
+| API client (IP address) | host | — | high | GatewayLogs: `caller_ip_address` → `source.ip` with `source.geo` / `source.as` (`default.yml` L121–164; `test-ai-foundry-gateway.log-expected.json`, `sample_event.json`) | **`GatewayLogs`** — full client IP; best actor signal for model API calls |
+| API client (masked IP) | host | — | moderate | RequestResponse: 
`azure.ai_foundry.caller_ip_address` (last octet masked, e.g. `81.2.69.***`); pipeline intentionally does **not** copy to `source.ip` (`default.yml` L120–121 comment) | **`RequestResponse`** — caller network context only; no geo enrichment |
+| Client TLS context | general | tls_client | moderate | `azure.ai_foundry.properties.client_tls_version`, `client_tls_cipher_suite`, `client_protocol` (`fields.yml`; gateway fixtures) | **`GatewayLogs`** — transport fingerprint for the calling client; not a distinct ECS entity |
+| Integration collector | service | — | low | Elastic Agent Event Hub consumer / Metricbeat Azure Monitor poller; credentials in stream config, not indexed | Implicit; not represented on events |
+
+**No actor identity in samples:** **`RequestResponse`** — `properties.object_id` is empty in fixtures; no user name, API key ID, or Entra UPN. **`Metrics`** — time-bucketed resource metrics only; no caller or user dimensions. **`GatewayLogs`** `backend_request_body.messages[].role: user` is chat turn role, not a security principal.
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? 
| Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `azure.ai_foundry.properties.object_id` | Entra ID administrative principal | no | n/a | high | Audit `ListKey` fixture (`b610ab05-ce06-4cc1-a6dd-174b9f80468a`); `fields.yml`; pipeline retains vendor-only — no rename to `user.id` |
+| `azure.ai_foundry.asset_identity` | Azure asset identity key | no | n/a | moderate | Audit fixture; supplementary actor context alongside object ID |
+| `source.ip` | API client IP (GatewayLogs) | yes | yes | high | `caller_ip_address` → `source.ip` when `category == 'GatewayLogs'` (`default.yml` L121–127); geo/ASN enrichment L144–164; fixture `89.160.20.156` |
+| `source.geo.*` / `source.as.*` | Client network enrichment | yes | yes | high | GeoIP/ASN processors on `source.ip` (`default.yml` L144–164); populated in gateway fixtures |
+| `azure.ai_foundry.caller_ip_address` | Masked client IP (RequestResponse) | no | n/a | moderate | RequestResponse fixtures (`81.2.69.***`); intentionally not promoted to `source.ip` per pipeline comment |
+| `azure.ai_foundry.properties.client_tls_version` / `.client_tls_cipher_suite` / `.client_protocol` | Client transport fingerprint | no | n/a | moderate | GatewayLogs `fields.yml` and fixtures; vendor-only |
+| `user.id` / `user.*` | Actor identity | no | n/a | — | Not set in any pipeline or fixture despite Audit `object_id` availability |
+| `client.user.*` | Caller principal | no | n/a | — | Not used |
+| `related.user` | Actor cross-reference | no | n/a | — | Not used |
+| `destination.user.*` / `destination.host.*` | De-facto target identity | no | n/a | — | Not used (`destination_identity_hits.csv` has no `azure_ai_foundry` row) |
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Platform / cloud service | Azure AI Foundry / Cognitive Services platform | Microsoft Cognitive 
Services (Foundry) | service | — | high | `azure.resource.provider: microsoft.cognitiveservices/accounts`; `properties.api_name` (e.g. `Azure AI FOUNDRY API version 2024-02-15-preview`); no `cloud.service.name` set | **`Audit`**, **`RequestResponse`** — invoked Foundry platform on the cognitive account |
+| 1 — Platform / cloud service | APIM gateway fronting Foundry | Azure API Management | service | — | high | GatewayLogs `azure.resource.id` → `microsoft.apimanagement/service/...`; `operation_name: Microsoft.ApiManagement/GatewayLogs` | **`GatewayLogs`** — distinct gateway service resource from the cognitive account |
+| 2 — Resource / object | Cognitive Services (Foundry) account | Foundry account resource | service | — | high | `azure.resource.id/name/group/provider`, `cloud.account.id` ← subscription (`azure-shared-pipeline.yml` grok L10–23); Audit and RequestResponse fixtures | **`Audit`**, **`RequestResponse`**, **`Metrics`** — managed account acted upon or monitored |
+| 2 — Resource / object | Model deployment endpoint | Named model deployment | service | — | high | `properties.model_deployment_name`, `model_name`, `model_version`; gateway `backend_url` path `/deployments/{name}/...`; `backend_request_body.model` (e.g. `gpt-chat-pilot`, `gpt-35-turbo`) | **`RequestResponse`**, **`GatewayLogs`**, **`Metrics`** (dimension) — consumed deployment |
+| 2 — Resource / object | APIM API definition | Gateway-routed API surface | general | api | high | `properties.api_id`, `api_revision` (e.g. `azure-ai-foundry-apim-api`); client `url.*` from `uri_parts` on gateway URL (`default.yml` L276–289) | **`GatewayLogs`** — APIM API revision invoked by the client |
+| 2 — Resource / object | Foundry API operation | API/admin action name | general | api_method | high | `azure.ai_foundry.operation_name` / `properties.operation_id` (e.g. 
`ChatCompletions_Create`, `Create_Thread`, `ListKey`) | All log categories — names the operation, not a host |
+| 2 — Resource / object | Model deployment (metric dimension) | Aggregated deployment slice | service | — | high | `azure.dimensions.model_deployment_name`, `model_name`, `model_version`, `api_name`, `region` (`metrics/sample_event.json`, `metrics/fields/fields.yml`) | **`Metrics`** — aggregation dimension for token/latency counters; not per-request target |
+| 3 — Content / artifact | Chat completion instance | Per-response completion ID | general | ai_completion | moderate | `properties.backend_response_body.id` (e.g. `chatcmpl-9gRL14hGa8nQstOJKvLjh7EyulsnT`); `operation_name: Create_Thread` on RequestResponse | **`GatewayLogs`**, **`RequestResponse`** — auditable per-call identifier when present |
+| 3 — Content / artifact | Prompt and completion content | Request/response bodies | general | ai_content | high | `properties.backend_request_body.messages[].content`, `backend_response_body.choices[].message.content`; token counts under `backend_response_body.usage.*` | **`GatewayLogs`** — full prompt/completion text retained vendor-side; not ECS-mapped |
+| 3 — Content / artifact | Content-filter / blocklist outcome | Safety policy evaluation | general | policy | moderate | `backend_response_body.choices.content_filter_results.*`, `prompt_filter_results.*`, `error.innererror.content_filter_result.*` (`fields.yml`; gateway fixtures) | **`GatewayLogs`** — policy outcomes on prompt/response content |
+| 3 — Content / artifact | Time-bucket usage aggregate | Metric period counters | general | usage_bucket | high | `@timestamp`, `azure.timegrain`, `azure.ai_foundry.*.total` / `*.avg` (tokens, requests, latency, utilization) | **`Metrics`** — pre-aggregated over configurable period; not per-request audit targets |
+
+**No meaningful audit target in metrics:** Individual prompts, completions, users, or API keys — metrics expose counts and latency percentiles 
only, not content or principal IDs. Per classification rule 10, model-deployment dimensions on metrics are **aggregation targets**, not per-request audit targets.
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `azure.resource.id` / `.name` / `.group` / `.provider` | 2 | service | yes | yes | `cloud.resource.id` / context-only | partial | `resourceId` rename (`default.yml` L18–20); grok in `azure-shared-pipeline.yml` L10–19; cognitive account or APIM service depending on category |
+| `cloud.account.id` | — | — | yes | yes | context-only | no | `azure.subscription_id` → `cloud.account.id` (`azure-shared-pipeline.yml` L21–23); Audit and RequestResponse fixtures |
+| `cloud.provider` | — | — | yes | yes | context-only | no | Static `azure` (`azure-shared-pipeline.yml` L4–6) |
+| `cloud.service.name` | 1 | service | no | n/a | `service.target.name` | yes | Not set; static `azure_ai_foundry` or `Microsoft.CognitiveServices` would identify invoked platform |
+| `azure.ai_foundry.properties.model_deployment_name` | 2 | service | no | n/a | `gen_ai.request.model.name` / `service.target.entity.id` | yes | RequestResponse and GatewayLogs fixtures (`gpt-chat-pilot`); `fields.yml`; canonical deployment target |
+| `azure.ai_foundry.properties.model_name` / `.model_version` | 2 | service | no | n/a | `gen_ai.request.model.id` / `.version` | yes | RequestResponse fixture (`gpt-35-turbo`, `0301`); gateway `backend_response_body.model` |
+| `azure.ai_foundry.properties.backend_url` | 2 | service | no | n/a | `url.full` / context-only | partial | GatewayLogs fixture — backend Foundry deployment URL; identifies target endpoint, not mapped to ECS |
+| `azure.ai_foundry.properties.api_id` / `.api_revision` | 2 | general (api) | no | n/a | `service.target.entity.id` | yes | GatewayLogs fixtures 
(`azure-ai-foundry-apim-api`, revision `1`) |
+| `azure.ai_foundry.operation_name` / `.properties.operation_id` | 2 | general (api_method) | no | n/a | `event.action` | yes | All categories (e.g. `ChatCompletions_Create`, `ListKey`); not promoted to `event.action` |
+| `url.domain` / `url.path` / `url.original` | 2 | general (api) | yes | yes | context-only | no | `uri_parts` on gateway client URL (`default.yml` L276–289); APIM client-facing endpoint |
+| `azure.ai_foundry.properties.backend_response_body.id` | 3 | general (ai_completion) | no | n/a | `gen_ai.response.id` | yes | Gateway fixture `chatcmpl-9gRL14hGa8nQstOJKvLjh7EyulsnT` |
+| `azure.ai_foundry.properties.backend_request_body.messages[].content` | 3 | general (ai_content) | no | n/a | `gen_ai.prompt` | yes | Gateway fixtures; prompt text retained vendor-side |
+| `azure.ai_foundry.properties.backend_response_body.choices[].message.content` | 3 | general (ai_content) | no | n/a | `gen_ai.completion` | yes | Gateway fixtures; completion text retained vendor-side |
+| `azure.ai_foundry.properties.backend_response_body.usage.*` | 3 | general (usage_bucket) | no | n/a | `gen_ai.usage.*` | yes | Token counters in gateway fixtures; pipeline renames `prompt_tokens`/`completion_tokens` → `input_tokens`/`output_tokens` (`default.yml` L187–194) but stays vendor-namespaced |
+| `azure.dimensions.model_deployment_name` / `.model_name` / `.model_version` | 2 | service | no | n/a | context-only | no | Metrics sample; aggregation dimension, not per-request entity |
+| `azure.ai_foundry.*.total` / `*.avg` (metrics) | 3 | general (usage_bucket) | no | n/a | context-only | no | Token, latency, availability, utilization counters in `metrics/sample_event.json` |
+| `user.target.*` / `host.target.*` / `service.target.*` / `entity.target.*` | — | — | no | n/a | — | no | Not populated (`target_enhancement_packages.csv`: all `has_*_target` false) |
+| `destination.user.*` / `destination.host.*` | — | — | no | n/a | — | no | 
Not used |
+| `gen_ai.*` | 2–3 | service / general | no | n/a | `gen_ai.*` | yes | No Gen AI ECS fields set despite rich model, prompt, completion, and token data in GatewayLogs |
+
+### Gaps and mapping notes
+
+- **`event.action` not mapped:** `azure.ai_foundry.operation_name` (`ListKey`, `Create_Thread`, `ChatCompletions_Create`) and GatewayLogs `properties.operation_id` (`ChatCompletions_Create`, `getChatCompletions`) are the strongest action candidates but remain vendor-only. Recommended: copy category-appropriate field to `event.action` per stream (Audit/RequestResponse → `operation_name`; GatewayLogs → `properties.operation_id`).
+- **GatewayLogs envelope vs API verb:** Top-level `operation_name: Microsoft.ApiManagement/GatewayLogs` is the Azure diagnostic category, not the Foundry API method — do not use it as `event.action`.
+- **Audit actor not promoted:** `azure.ai_foundry.properties.object_id` holds the Entra principal on **`Audit`** events (e.g. `ListKey`) but is never copied to `user.id` or `related.user`. Best vendor source of truth for administrative actor identity.
+- **RequestResponse actor gap:** `properties.object_id` is empty in fixtures; only masked `caller_ip_address` remains (vendor-only, not `source.ip`). No API key ID, UPN, or service principal in schema or samples.
+- **GatewayLogs actor is network-only:** `source.ip` mapping is correct for client IP (`default.yml` L121–127) but there is no Entra or API-key caller identity even when APIM may have it upstream.
+- **Zero Gen AI ECS promotion:** GatewayLogs retain full prompts, completions, model IDs, token usage, and completion IDs under `azure.ai_foundry.properties.backend_*_body.*` but nothing maps to `gen_ai.prompt`, `gen_ai.completion`, `gen_ai.request.model.id`, or `gen_ai.usage.*`.
+- **Layer 1 platform gap:** `cloud.provider: azure` is set but `cloud.service.name` is absent. A static set (e.g. `azure_ai_foundry`) would identify the invoked SaaS platform per cloud/SaaS addendum.
+- **No de-facto `destination.*` targets:** Unlike email/auth integrations, no pipeline maps acted-upon entities to `destination.user.*` or `destination.host.*`.
+- **No official ECS target fields:** Aligns with target-fields audit classification **`none`** — no `user.target.*`, `host.target.*`, or `service.target.*` today. Model deployment name, APIM API ID, and completion ID are the strongest enhancement candidates for `service.target.entity.id` / `gen_ai.*`.
+- **Chat role homonym:** `backend_request_body.messages[].role: user` is LLM message turn role, not the security principal who invoked the API.
+- **Metrics are aggregation-only:** Model deployment dimensions on metrics describe time-bucket slices, not individual API invocations or content artifacts; no per-event action applies.
+
+### Per-stream notes
+
+#### Logs — Audit (`category: Audit`)
+
+True administrative audit. **Action:** `ListKey` at `azure.ai_foundry.operation_name` — not mapped to `event.action`. Actor is the Entra **object ID** performing operations against the **Cognitive Services account** resource. `asset_identity` and `tenant`/`location` provide supplementary Azure context. No ECS user promotion.
+
+#### Logs — RequestResponse (`category: RequestResponse`)
+
+Native Foundry API telemetry without full bodies. **Action:** `Create_Thread`, `ChatCompletions_Create` at `azure.ai_foundry.operation_name` — not mapped to `event.action`. Actor is best interpreted as **host** (masked `caller_ip_address`, vendor-only). Target is the **model deployment** and **API operation** on the cognitive account. `correlation_id`, `duration_ms`, and `result_signature` support session correlation, not entity identity.
+
+#### Logs — GatewayLogs (`category: GatewayLogs`)
+
+APIM-fronted calls with full HTTP context. 
**Action:** `ChatCompletions_Create` or `getChatCompletions` at `properties.operation_id` — not mapped to `event.action`; top-level `operation_name: Microsoft.ApiManagement/GatewayLogs` is the diagnostic envelope only. Actor is **host** at `source.ip` (geo/ASN enriched). Targets span Layer 1 **APIM gateway**, Layer 2 **APIM API** and **backend Foundry deployment** (`backend_url`), and Layer 3 **AI completion** IDs plus prompt/completion content. Request/response bodies and content-filter results remain under `azure.ai_foundry.properties.*` — not ECS-mapped.
+
+#### Metrics (`azure.ai_foundry`)
+
+Azure Monitor gauges for model requests, tokens, latency, availability, and provisioned utilization. **No per-event action** — time-bucket aggregates only. Target is the **model deployment** dimension set on a **Cognitive Services account** within a time grain. No actor fields; aggregation dimensions only.
+
+## Example Event Graph
+
+The examples below come from the **`logs`** data stream (`azure.ai_foundry`) pipeline fixtures. **`Audit`** is true administrative audit; **`RequestResponse`** and **`GatewayLogs`** are audit-adjacent API telemetry. **`Metrics`** are time-bucketed aggregates with no per-event Actor → action → Target chain (see per-stream notes above).
+
+### Example 1: Administrative key listing
+
+**Stream:** `azure.ai_foundry` · **Fixture:** `packages/azure_ai_foundry/data_stream/logs/_dev/test/pipeline/test-ai-foundry-audit.log-expected.json`
+
+```
+Entra ID principal → ListKey → Cognitive Services (Foundry) account
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | b610ab05-ce06-4cc1-a6dd-174b9f80468a |
+| type | user |
+
+**Field sources:**
+- `id` ← `azure.ai_foundry.properties.object_id` (Entra ID object ID; not promoted to `user.id` today)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | ListKey |
+| source_field | `azure.ai_foundry.operation_name` |
+| source_value | ListKey |
+
+`event.action` is absent in the fixture — action derived from vendor field; **not mapped to ECS today**.
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | /subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourcegroups/obs-aifoundry-service-rs/providers/microsoft.cognitiveservices/accounts/obs-aifoundry-test-01 |
+| name | obs-aifoundry-test-01 |
+| type | service |
+| sub_type | cognitive_account |
+
+**Field sources:**
+- `id` ← `azure.resource.id`
+- `name` ← `azure.resource.name`
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: Entra ID b610ab05…"] --> E["ListKey"]
+ E --> T["Target: obs-aifoundry-test-01"]
+```
+
+### Example 2: Native chat completion call
+
+**Stream:** `azure.ai_foundry` · **Fixture:** `packages/azure_ai_foundry/data_stream/logs/_dev/test/pipeline/test-ai-foundry-request-response.log-expected.json` (second event)
+
+```
+API client (masked IP) → ChatCompletions_Create → gpt-chat-pilot deployment
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| ip | 81.2.69.*** |
+| type | host |
+
+**Field sources:**
+- `ip` ← `azure.ai_foundry.caller_ip_address` (masked; intentionally not copied to `source.ip`)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | ChatCompletions_Create |
+| source_field | `azure.ai_foundry.operation_name` |
+| 
source_value | ChatCompletions_Create |
+
+`event.action` is absent in the fixture — action derived from vendor field; **not mapped to ECS today**.
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| name | gpt-chat-pilot |
+| type | service |
+| sub_type | foundation_model |
+
+**Field sources:**
+- `name` ← `azure.ai_foundry.properties.model_deployment_name`
+- Model identity also available at `azure.ai_foundry.properties.model_name` (`gpt-35-turbo`) and `.model_version` (`0301`)
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: 81.2.69.***"] --> E["ChatCompletions_Create"]
+ E --> T["Target: gpt-chat-pilot"]
+```
+
+### Example 3: APIM gateway chat completion
+
+**Stream:** `azure.ai_foundry` · **Fixture:** `packages/azure_ai_foundry/data_stream/logs/_dev/test/pipeline/test-ai-foundry-gateway.log-expected.json` (first event)
+
+```
+API client (IP) → ChatCompletions_Create → gpt-chat-pilot deployment
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| ip | 89.160.20.156 |
+| type | host |
+| geo | Linköping, Sweden |
+
+**Field sources:**
+- `ip` ← `source.ip` (from `caller_ip_address` when `category == GatewayLogs`)
+- `geo` ← `source.geo.city_name`, `source.geo.country_name`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | ChatCompletions_Create |
+| source_field | `azure.ai_foundry.properties.operation_id` |
+| source_value | ChatCompletions_Create |
+
+`event.action` is absent in the fixture — action derived from vendor field; **not mapped to ECS today**. Do not use top-level `azure.ai_foundry.operation_name` (`Microsoft.ApiManagement/GatewayLogs`) — that is the Azure diagnostic envelope, not the API verb.
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| name | gpt-chat-pilot |
+| type | service |
+| sub_type | foundation_model |
+
+**Field sources:**
+- `name` ← `azure.ai_foundry.properties.backend_request_body.model` and `azure.ai_foundry.properties.backend_url` path segment `/deployments/gpt-chat-pilot/...`
+- Per-call completion ID available at `azure.ai_foundry.properties.backend_response_body.id` (`chatcmpl-9gRL14hGa8nQstOJKvLjh7EyulsnT`)
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: 89.160.20.156 (Linköping, SE)"] --> E["ChatCompletions_Create"]
+ E --> T["Target: gpt-chat-pilot"]
+```
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (Event Hub logs + Azure Monitor metrics). Router: **`data_stream.dataset`** (`azure.ai_foundry` per `data_stream/metrics/manifest.yml` and metrics `sample_event.json`; logs dashboards filter the same value). Secondary discriminator: **`data_stream.type`** (`logs` vs `metrics`) and **`azure.ai_foundry.category`** on logs (Audit, RequestResponse, GatewayLogs). Pass 4 applies **fill-gaps-only** `EVAL`/`CASE` enrichment — no ingest pipeline changes. Logs categories **Audit**, **RequestResponse**, and **GatewayLogs** get actor/target/action fallbacks; metrics and runtime log categories are excluded. **Pass 4 (CASE syntax):** column-level `IS NOT NULL` preserve on all mapped outputs (including `event.action`); **`source.ip` excluded from `actor_exists`** so GatewayLogs client IP can promote to `host.ip`; no `CASE(col, col, …)` or `CASE(actor_exists|target_exists|action_exists, col, …)` on mapped columns — valid **3-arg** / **5-arg** / **7-arg** `CASE` only; `action_exists` is a query-time helper, not the first `CASE` branch on `event.action`.
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `azure.ai_foundry` + `data_stream.type == "logs"` + category Audit | admin audit | user | service (cognitive account) | full |
+| `azure.ai_foundry` + `data_stream.type == "logs"` + category GatewayLogs | APIM API telemetry | host | service (model deployment) + general (completion id) | full |
+| `azure.ai_foundry` + `data_stream.type == "logs"` + category RequestResponse | native API telemetry | host | service (model deployment when present) | partial |
+| `azure.ai_foundry` + `data_stream.type == "logs"` + PlatformLogs / ConsoleLogs / AppLogs | runtime output | — | — | none |
+| `azure.ai_foundry` + `data_stream.type == "metrics"` | Azure Monitor aggregates | — | — | none |
+
+### Field mapping plan
+
+**Detection predicate (tuned):** `actor_exists` checks official actor ECS columns only — **`source.ip` is excluded** because GatewayLogs maps the API client to `source.ip`, not `host.ip` (`default.yml` L121–127). `service.*` is omitted from `actor_exists` — no indexed service actor in fixtures. `target_exists` checks official `*.target.*` columns only (not populated at ingest today). Mapped columns use **column-level** `IS NOT NULL` preserve (not blind `CASE(actor_exists|target_exists|action_exists, col, …)` when another sibling column can satisfy the flag while the mapped column stays empty).
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.id` | `user.id` | `data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs"` | high | **preserve existing** — column-level `user.id IS NOT NULL` |
+| `user.id` | `azure.ai_foundry.properties.object_id` | `… AND azure.ai_foundry.category == "Audit"` | high | **vendor fallback** — Entra principal (`test-ai-foundry-audit.log-expected.json`) |
+| `host.ip` | `host.ip` | `data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs"` | high | **preserve existing** — column-level `host.ip IS NOT NULL` |
+| `host.ip` | `source.ip` | `… AND azure.ai_foundry.category == "GatewayLogs"` | high | **vendor fallback** — client IP already on `source.ip` (`test-ai-foundry-gateway.log-expected.json`) |
+| `host.ip` | `azure.ai_foundry.caller_ip_address` | `… AND azure.ai_foundry.category == "RequestResponse"` | medium | **vendor fallback** — masked IP; not promoted to `source.ip` at ingest |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `service.target.id` | `service.target.id` | `data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs"` | high | **preserve existing** — column-level `service.target.id IS NOT NULL` |
+| `service.target.id` | `azure.resource.id` | `… AND azure.ai_foundry.category == "Audit"` | high | **vendor fallback** — cognitive account ARM id (Pass 3 Example 1) |
+| `service.target.id` | `azure.ai_foundry.properties.model_deployment_name` | `… AND azure.ai_foundry.category == "RequestResponse"` | high | **vendor fallback** — deployment name as id when ARM id absent |
+| `service.target.id` | `azure.ai_foundry.properties.backend_request_body.model` | `… AND azure.ai_foundry.category == "GatewayLogs"` | high | **vendor fallback** — backend deployment model 
(`test-ai-foundry-gateway.log-expected.json`) |
+| `service.target.name` | `service.target.name` | `data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs"` | high | **preserve existing** — column-level `service.target.name IS NOT NULL` |
+| `service.target.name` | `azure.resource.name` | `… AND azure.ai_foundry.category == "Audit"` | high | **vendor fallback** — account name (Pass 3 Example 1) |
+| `service.target.name` | `azure.ai_foundry.properties.model_deployment_name` | `… AND azure.ai_foundry.category == "RequestResponse"` | high | **vendor fallback** — e.g. `gpt-chat-pilot` (Pass 3 Example 2) |
+| `service.target.name` | `azure.ai_foundry.properties.backend_request_body.model` | `… AND azure.ai_foundry.category == "GatewayLogs"` | high | **vendor fallback** — when `model_deployment_name` absent on gateway events |
+| `entity.target.id` | `entity.target.id` | `data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs"` | high | **preserve existing** — column-level `entity.target.id IS NOT NULL` |
+| `entity.target.id` | `azure.ai_foundry.properties.backend_response_body.id` | `… AND azure.ai_foundry.category == "GatewayLogs"` | medium | **vendor fallback** — per-call completion id (`chatcmpl-…`) |
+
+#### Event action mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `event.action` | `event.action` | `data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs"` | high | **preserve existing** — column-level `event.action IS NOT NULL` (not `CASE(action_exists, …)`) |
+| `event.action` | `azure.ai_foundry.operation_name` | `… AND azure.ai_foundry.category == "Audit"` | high | **vendor fallback** — e.g. `ListKey`; do not use on GatewayLogs |
+| `event.action` | `azure.ai_foundry.operation_name` | `… AND azure.ai_foundry.category == "RequestResponse"` | high | **vendor fallback** — e.g. 
`ChatCompletions_Create`, `Create_Thread` |
+| `event.action` | `azure.ai_foundry.properties.operation_id` | `… AND azure.ai_foundry.category == "GatewayLogs"` | high | **vendor fallback** — e.g. `ChatCompletions_Create`; not top-level `operation_name` envelope |
+
+### Detection flags (mandatory — run first)
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+**Semantics:** `source.ip` is intentionally **not** in `actor_exists` so GatewayLogs documents with only `source.ip` still receive `host.ip` ← `source.ip`. `actor_exists` / `target_exists` / `action_exists` are query-time helpers only — mapped columns use column-level `CASE( IS NOT NULL, , …)` (not `CASE(actor_exists|target_exists|action_exists, , …)`).
+
+### Combined ES|QL — actor fields
+
+```esql
+| EVAL
+ user.id = CASE(
+ user.id IS NOT NULL, user.id,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "Audit", azure.ai_foundry.properties.object_id,
+ null
+ ),
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "GatewayLogs", source.ip,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "RequestResponse", azure.ai_foundry.caller_ip_address,
+ null
+ )
+```
+
+### Combined ES|QL — event action
+
+```esql
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "Audit", azure.ai_foundry.operation_name,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "RequestResponse", azure.ai_foundry.operation_name,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "GatewayLogs", azure.ai_foundry.properties.operation_id,
+ null
+ )
+```
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ service.target.id = CASE(
+ service.target.id IS NOT NULL, service.target.id,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "Audit", azure.resource.id,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "RequestResponse", azure.ai_foundry.properties.model_deployment_name,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "GatewayLogs", azure.ai_foundry.properties.backend_request_body.model,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset 
== "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "Audit", azure.resource.name,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "RequestResponse", azure.ai_foundry.properties.model_deployment_name,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "GatewayLogs", azure.ai_foundry.properties.backend_request_body.model,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "GatewayLogs", azure.ai_foundry.properties.backend_response_body.id,
+ null
+ )
+```
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ user.id = CASE(
+ user.id IS NOT NULL, user.id,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "Audit", azure.ai_foundry.properties.object_id,
+ null
+ ),
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "GatewayLogs", source.ip,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "RequestResponse", 
azure.ai_foundry.caller_ip_address,
+ null
+ ),
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "Audit", azure.ai_foundry.operation_name,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "RequestResponse", azure.ai_foundry.operation_name,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "GatewayLogs", azure.ai_foundry.properties.operation_id,
+ null
+ ),
+ service.target.id = CASE(
+ service.target.id IS NOT NULL, service.target.id,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "Audit", azure.resource.id,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "RequestResponse", azure.ai_foundry.properties.model_deployment_name,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "GatewayLogs", azure.ai_foundry.properties.backend_request_body.model,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "Audit", azure.resource.name,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "RequestResponse", azure.ai_foundry.properties.model_deployment_name,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "GatewayLogs", azure.ai_foundry.properties.backend_request_body.model,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "azure.ai_foundry" AND data_stream.type == "logs" AND azure.ai_foundry.category == "GatewayLogs", 
azure.ai_foundry.properties.backend_response_body.id,
+ null
+ )
+| KEEP @timestamp, data_stream.dataset, data_stream.type, azure.ai_foundry.category, event.action, user.id, host.ip, service.target.id, service.target.name, entity.target.id
+```
+
+### Streams excluded
+
+- **`azure.ai_foundry` + `data_stream.type == "metrics"`** — 5-minute Azure Monitor aggregates (`metrics/sample_event.json`); no per-request actor, target, or action.
+- **PlatformLogs, ConsoleLogs, AppLogs** — runtime/stamp output without security-principal semantics (per Pass 2 per-stream notes).
+
+### Gaps and limitations
+
+- **`user.name` / `user.email` / `user.domain` omitted** — Audit fixtures expose `object_id` only; no UPN or email in package evidence.
+- **`host.target.*` / `user.target.*` omitted** — no de-facto `destination.*` or official ECS target fields at ingest (`target_enhancement_packages.csv`: none).
+- **`gen_ai.*` omitted** — prompt/completion/model usage remain vendor-only under `azure.ai_foundry.properties.backend_*_body.*` despite Pass 2 enhancement candidates.
+- **`service.target.type` / `entity.target.sub_type` omitted** — stream/category routing is sufficient; Pass 3 sub_types (`cognitive_account`, `foundation_model`) are illustrative only.
+- **RequestResponse `Create_Thread`** — no `model_deployment_name` in first fixture event; `service.target.*` fallbacks null until deployment fields present.
+- **RequestResponse `properties.object_id` empty** in fixtures — actor is masked `caller_ip_address` only.
+- **GatewayLogs top-level `operation_name: Microsoft.ApiManagement/GatewayLogs`** — diagnostic envelope; excluded from `event.action` fallback (use `properties.operation_id`).
+- **`cloud.service.name` / Layer-1 platform literal omitted** — not indexed; static platform target would be low-confidence without ingest change.
+- **Aligns with Pass 2 `Mapping correct?` = n/a** rows — vendor fields used only in ES|QL fallback branches, not ingest renames.
+- **Pass 4 CASE syntax (§10)** — no `CASE(col, col, …)` identity fallbacks; `source.ip` excluded from `actor_exists`; actor/target/action `EVAL` use column-level `CASE( IS NOT NULL, , …)` (5+ args with dataset/category guards) — not `CASE(actor_exists|target_exists|action_exists, , …)`; `event.action` preserve is `event.action IS NOT NULL`, not `action_exists`. Never 4-arg `CASE(flag, col, bare_field, null)` (bare field parses as a condition).
diff --git a/dev/domain/p1/azure_app_service.md b/dev/domain/p1/azure_app_service.md
new file mode 100644
index 00000000000..95275da9308
--- /dev/null
+++ b/dev/domain/p1/azure_app_service.md
@@ -0,0 +1,558 @@
+# azure_app_service
+
+## Product Domain (Azure App Service PaaS)
+
+Azure App Service is a fully managed Platform-as-a-Service (PaaS) offering for hosting web applications, REST APIs, and mobile backends without managing underlying infrastructure. Teams deploy code or containers to App Service plans that run on Windows or Linux, with built-in scaling, deployment slots, custom domains, TLS, and integration with Azure Monitor and Diagnostic Settings. The platform supports multiple runtimes (.NET, Java, Node.js, Python, PHP, Ruby, and custom containers) and is commonly used for customer-facing web apps, internal APIs, and microservices fronted by Azure Front Door or Application Gateway.
+
+Operational and security visibility for App Service relies on diagnostic log categories exported from each web app or function app. These logs capture HTTP request traffic, publishing and deployment activity, platform health events, application stdout/stderr, custom application logging, and IPsec/VNet access audits. Organizations route this telemetry through Azure Event Hubs (often via Diagnostic Settings) for centralized ingestion into a SIEM or observability stack.
+
+The Elastic **Azure App Service** integration consumes those diagnostic logs from Event Hub using the Elastic Agent `azure-eventhub` input. Ingest pipelines parse JSON payloads by log category, map HTTP and audit fields into ECS-aligned documents, enrich events with Azure resource metadata (subscription, resource group, resource ID), and support Kibana dashboards for monitoring application health, traffic patterns, and security-relevant publishing or network access activity.
+
+## Data Collected (brief)
+
+Logs only (no metrics). 
One data stream:
+
+| Data stream | Description |
+|---|---|
+| **app_service_logs** | Azure App Service diagnostic logs ingested via Event Hub |
+
+Log categories handled by category-specific ingest pipelines:
+
+| Category | Description |
+|---|---|
+| **AppServiceHTTPLogs** | HTTP request/response metadata: client IP, method, URI, status codes, bytes sent/received, latency, user agent, X-Forwarded-* and Azure Front Door headers |
+| **AppServiceAuditLogs** | Publishing access events (FTP, WebDeploy, etc.): user, protocol, client IP, success/failure |
+| **AppServiceIPSecAuditLogs** | IPsec and VNet service-endpoint access audit events |
+| **AppServicePlatformLogs** | Platform-level events for the App Service stamp and runtime environment |
+| **AppServiceConsoleLogs** | Application or container stdout/stderr output |
+| **AppServiceAppLogs** | Application-level logging emitted by the hosted app |
+
+Events include `azure.app_service.*` fields (category, level, host, container ID, stamp metadata), `azure.resource.*` identifiers, and optional geo enrichment. Collection requires Azure Event Hub and Storage Account configuration (connection string or Microsoft Entra ID client secret authentication).
+
+## Expected Audit Log Entities
+
+One **`app_service_logs`** data stream ingests six Azure diagnostic log categories via Event Hub. **True audit categories** are **AppServiceAuditLogs** (SCM/publishing authorization — FTP, WebDeploy, AAD) and **AppServiceIPSecAuditLogs** (IPsec and VNet service-endpoint access decisions). **Audit-adjacent** categories are **AppServiceHTTPLogs** (HTTP request telemetry), **AppServicePlatformLogs**, **AppServiceConsoleLogs**, and **AppServiceAppLogs** (platform/runtime/application output without security-principal audit semantics).
+
+The integration has audit logs. Actor and target identity remain almost entirely under `azure.app_service.properties.*` and `azure.resource.*`. 
No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*` fields are mapped (`target_fields_audit.csv` — no rows; `target_enhancement_packages.csv` — `actor: none`, all target buckets false). No `destination.user.*` or `destination.host.*` pipeline mappings (`destination_identity_hits.csv` — not listed).
+
+**`event.action` is absent in all fixtures and pipelines.** Vendor `OperationName` is renamed to `azure.app_service.operation_name` on audit, IPSec audit, console, and platform categories; HTTP logs expose `azure.app_service.properties.cs_method` and `cs_uri_stem` instead. `azure-shared-pipeline.yml` lowercases `event.outcome` if present but no inner pipeline sets it. Evidence: `packages/azure_app_service/data_stream/app_service_logs/sample_event.json`, `_dev/test/pipeline/test-appservice*-raw.log-expected.json`, `elasticsearch/ingest_pipeline/appservice-*-inner-pipeline.yml`, `azure-shared-pipeline.yml`, `fields/fields.yml`.
+
+### Event action (semantic)
+
+Azure App Service diagnostic logs name operations via Azure `OperationName` (audit/IPSec/platform/console) or IIS-style HTTP fields (method + URI stem). Audit categories share the coarse label `Authorization`; HTTP logs express per-request verbs as HTTP methods.
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `Authorization` | authentication | high | Audit fixture: `operation_name: Authorization`, `protocol: AAD`; IPSec fixture: same `operation_name` with `result: Denied` | **AppServiceAuditLogs**, **AppServiceIPSecAuditLogs** — publishing or network-perimeter authorization decision; protocol (`AAD`, `FTP`) and `result` (`Denied`/`Allowed`) refine semantics but are separate fields |
+| `POST` (HTTP request) | api_call | high | HTTP fixture: `cs_method: POST`, `cs_uri_stem: /api/command`, `sc_status: 200` | **AppServiceHTTPLogs** — IIS access log verb; no `operation_name` on this category |
+| `ContainerLogs` | administration | medium | Platform fixture: `operation_name: ContainerLogs` | **AppServicePlatformLogs** — container lifecycle wrapper; inner `EventName` in `azure.app_service.log` is more specific |
+| `SiteStopRequested` | administration | high | Platform fixture message: `EventName:SiteStopRequested - Reason:SiteNotStartableDuringChangeNotification` | **AppServicePlatformLogs** — parsed from `properties.message` / `azure.app_service.log`; vendor-only |
+| `ContainerStopped` | administration | high | Platform fixture message: `EventName:ContainerStopped` | **AppServicePlatformLogs** — container stop event embedded in platform log text |
+| `Microsoft.Web/sites/log` | data_access | medium | Console fixture + `sample_event.json`: `operation_name: Microsoft.Web/sites/log` | **AppServiceConsoleLogs** — generic console/stdout log operation; `result_description` may embed HTTP access lines |
+| Application log message | general | low | AppLogs fixture: `result_description: Exception on /favicon.ico [GET]`, `hi there` | **AppServiceAppLogs** — freeform application output; no structured operation field |
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? 
| Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `azure.app_service.operation_name` | no | n/a | `Authorization` | **yes** | ← `OperationName` (`appservice-auditlogs-inner-pipeline.yml` L12–13, `appservice-ipsecauditlogs-inner-pipeline.yml` L12–13); audit + IPSec fixtures |
+| `azure.app_service.properties.protocol` (composite) | no | n/a | `Authorization-AAD` | partial | Audit fixture `protocol: AAD`; qualifies `Authorization` when publishing auth method matters |
+| `azure.app_service.properties.result` (composite) | no | n/a | `Authorization-Denied` | partial | IPSec fixture `result: Denied`; outcome qualifier, not standalone action — pair with `operation_name` or map to `event.outcome` |
+| `azure.app_service.properties.cs_method` | no | n/a | `POST` | **yes** | ← `CsMethod` (`appservice-httplogs-inner-pipeline.yml` L32–33); HTTP fixture |
+| `azure.app_service.properties.cs_method` + `.cs_uri_stem` (composite) | no | n/a | `POST /api/command` | **yes** | HTTP fixture; richer HTTP surface when method alone is ambiguous |
+| `azure.app_service.operation_name` (platform/console) | no | n/a | `ContainerLogs`, `Microsoft.Web/sites/log` | **yes** | ← `operationName` (`appservice-platformlogs-inner-pipeline.yml` L8–10, `appservice-consolelogs-inner-pipeline.yml` L12–13); platform/console fixtures |
+| `azure.app_service.log` (`EventName:` grok) | no | n/a | `SiteStopRequested`, `ContainerStopped` | **yes** | Platform fixtures: message JSON in `properties.message` → `azure.app_service.log`; finer than `ContainerLogs` |
+| `azure.app_service.result_description` | no | n/a | `Exception on /favicon.ico [GET]` | partial | AppLogs fixture; unstructured; grok `[METHOD]` optional |
+| `event.outcome` ← `properties.result` | no | n/a | `success` / `failure` | **yes** | HTTP `result: Success`; IPSec `result: Denied` — natural `event.outcome`, not `event.action`; `azure-shared-pipeline.yml` L78–80 
lowercases only |
+
+**Step 2b — per-category check (`app_service_logs` data stream):**
+
+| Category | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| AppServiceAuditLogs | no | no | `azure.app_service.operation_name` | high | `test-appserviceauditlogs-raw.log-expected.json`: `Authorization` |
+| AppServiceIPSecAuditLogs | no | no | `azure.app_service.operation_name` | high | `test-appserviceipsecauditlogs-raw.log-expected.json`: `Authorization` |
+| AppServiceHTTPLogs | no | no | `azure.app_service.properties.cs_method` (+ optional `cs_uri_stem`) | high | `test-appservicehttplogs-raw.log-expected.json`: `POST`, `/api/command` |
+| AppServicePlatformLogs | no | no | `EventName` in `azure.app_service.log`; fallback `azure.app_service.operation_name` | high | `test-appservicesplatformlogs-raw.log-expected.json`: `ContainerLogs`, `SiteStopRequested`, `ContainerStopped` |
+| AppServiceConsoleLogs | no | no | `azure.app_service.operation_name` | medium | `test-appserviceconsolelogs-raw.log-expected.json`, `sample_event.json`: `Microsoft.Web/sites/log` |
+| AppServiceAppLogs | no | no | `azure.app_service.result_description` (unstructured) | low | `test-appserviceapplogs-raw.log-expected.json`; no operation field |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Publishing user (Entra ID) | user | — | high | `azure.app_service.properties.user`, `user_display_name`, `protocol` (`appservice-auditlogs-inner-pipeline.yml`, `fields.yml`); fixture: object ID `100320021ACECD34`, email `user@elastic.co`, protocol `AAD` | **AppServiceAuditLogs** — identity that authenticated for SCM/publishing access; `user_display_name` populated for AAD-backed auth |
+| Publishing client endpoint | host | — | high | `azure.app_service.properties.client_ip`, 
`client_port` (grok split from `UserAddress`); fixture: `0.0.0.0:5432` | **AppServiceAuditLogs** — source IP and port of the publishing session |
+| Remote HTTP client (network) | host | — | high | `azure.app_service.properties.client_ip`, `client_port` (grok split from `CIp`); fixture: `0.0.0.0:52580` | **AppServiceIPSecAuditLogs** — caller attempting site access; no user identity in category |
+| Azure Front Door / proxy chain | general | cdn-proxy | low | `azure.app_service.properties.xforwarded_for`, `xforwarded_host`, `xazurefdid`, `xfdhealth_probe` (`appservice-ipsecauditlogs-inner-pipeline.yml`, `fields.yml`); fixture: all empty strings | **AppServiceIPSecAuditLogs** — upstream proxy or Front Door context when headers are present; sparse in package fixtures |
+| HTTP request client | host | — | high | `azure.app_service.properties.client_ip` ← `CIp` (`appservice-httplogs-inner-pipeline.yml`); fixture: `81.2.69.142` | **AppServiceHTTPLogs** — request telemetry actor; not an audit category |
+| HTTP authenticated user | user | — | moderate | `azure.app_service.properties.cs_username` (`fields.yml`: "authenticated user on HTTP request"); fixture: `-` (unauthenticated) | **AppServiceHTTPLogs** — populated when Windows/IIS auth succeeds; absent in package fixtures |
+
+**AppServicePlatformLogs**, **AppServiceConsoleLogs**, and **AppServiceAppLogs** carry no security-principal actor — only stamp/container/host metadata (`azure.app_service.host`, `container_id`, `event_stamp_name`).
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct?
| Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `azure.app_service.properties.user` | Entra object ID of publishing principal | no | n/a | high | ← `Properties.User` (`appservice-auditlogs-inner-pipeline.yml`); fixture `100320021ACECD34`; vendor-only |
+| `azure.app_service.properties.user_display_name` | Entra UPN/email of publishing principal | no | n/a | high | ← `Properties.UserDisplayName`; fixture `user@elastic.co`; vendor-only |
+| `azure.app_service.properties.protocol` | Publishing auth protocol (AAD, FTP, etc.) | no | n/a | high | ← `Properties.Protocol`; fixture `AAD`; vendor-only |
+| `azure.app_service.properties.client_ip` | Publishing or HTTP client IP | no | n/a | high | ← `UserAddress`/`CIp` with grok port split; audit fixture `0.0.0.0`, HTTP fixture `81.2.69.142`; vendor-only |
+| `azure.app_service.properties.client_port` | Client source port | no | n/a | high | Grok from `UserAddress`/`CIp`; audit fixtures `5432`, `52580`; vendor-only |
+| `azure.app_service.properties.cs_username` | HTTP authenticated user | no | n/a | moderate | ← `CsUsername` (`appservice-httplogs-inner-pipeline.yml`); HTTP fixture `-`; vendor-only |
+| `azure.app_service.properties.xforwarded_for` / `.xforwarded_host` / `.xazurefdid` / `.xfdhealth_probe` | Upstream proxy / Front Door context | no | n/a | low | IPSec audit pipeline; empty in fixtures |
+| `cloud.provider` | Cloud scope (Azure) | yes | yes | high | Static `azure` (`azure-shared-pipeline.yml`); all fixtures — scope context, not actor |
+| `cloud.account.id` | Subscription tenancy scope | yes | yes | high | ← `azure.subscription_id` grok from `ResourceId` (`azure-shared-pipeline.yml`); scope context, not actor |
+| `user.*`, `source.ip`, `client.user.*` | — | no | n/a | — | Not mapped despite semantically equivalent vendor fields |
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- |
--- | --- | --- | --- | --- | --- |
+| 1 — Platform / cloud service | Azure App Service PaaS | Azure App Service | service | — | high | `azure.resource.provider` → `MICROSOFT.WEB/SITES` (`azure-shared-pipeline.yml`); `cloud.provider: azure` | **AppServiceAuditLogs**, **AppServiceIPSecAuditLogs** — invoked platform; `cloud.service.name` not set |
+| 2 — Resource / object | App Service web app (Azure resource) | Web app / function app | host | — | high | `azure.resource.id`, `azure.resource.name`, `azure.resource.group`, `azure.resource.provider`; fixtures: `USER-TEST-APP`, `MANGO-TREE-3004D00656084194B08980B8DB637B86` | **AppServiceAuditLogs**, **AppServiceIPSecAuditLogs** — site whose publishing surface or network perimeter was accessed |
+| 2 — Resource / object | Site hostname / HTTP endpoint | Site FQDN | general | dns-host | high | `azure.app_service.properties.cs_host`; fixture: `mango-tree-3004d00656084194b08980b8db637b86.azurewebsites.net` | **AppServiceIPSecAuditLogs** — host header evaluated against IPsec/VNet rules; also on **AppServiceHTTPLogs** (`user-test.scm.azurewebsites.net`) |
+| 2 — Resource / object | IPsec / access-control decision | Network policy outcome | general | network-policy | high | `azure.app_service.properties.result`, `details`, `service_endpoint`; fixture: `Denied`, `Denied by 0.0.0.0/0 rule.`, `service_endpoint: False` | **AppServiceIPSecAuditLogs** — allow/deny outcome and rule text |
+| 2 — Resource / object | Publishing authorization surface | SCM/publishing endpoint | general | scm-endpoint | moderate | `azure.app_service.operation_name` (`Authorization`); `azure.app_service.properties.protocol`; category `AppServiceAuditLogs` | **AppServiceAuditLogs** — auth event against site publishing surface; no URI or deployment slot in fixtures |
+| 3 — Content / artifact | HTTP request path | URI stem | general | url_path | moderate | `azure.app_service.properties.cs_uri_stem`, `cs_uri_query`, `cs_method`; HTTP fixture: `POST
/api/command` | **AppServiceHTTPLogs** — request target path; audit-adjacent telemetry |
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `azure.resource.id` | 2 | host | no | n/a | `entity.target.id` | **yes** | Grok from `ResourceId` (`azure-shared-pipeline.yml`); full ARM path in audit fixtures |
+| `azure.resource.name` | 2 | host | no | n/a | `host.target.name` | **yes** | ← grok `NAME` from resource ID; fixtures `USER-TEST-APP`, `MANGO-TREE-...` |
+| `azure.resource.group` | 2 | general | no | n/a | context-only | no | Resource group scope; tenancy context |
+| `azure.resource.provider` | 1 | service | no | n/a | `service.target.name` | **yes** | `MICROSOFT.WEB/SITES` in fixtures — platform service type |
+| `azure.app_service.properties.cs_host` | 2 | host | no | n/a | `host.target.name` | **yes** | ← `CsHost` (IPSec + HTTP pipelines); site FQDN — de-facto host target, not mapped to `destination.domain` |
+| `azure.app_service.properties.result` | 2 | general | no | n/a | context-only | no | Authorization outcome (`Denied`/`Allowed`); policy decision metadata |
+| `azure.app_service.properties.details` | 2/3 | general | no | n/a | context-only | no | Rule text / additional decision context; fixture `Denied by 0.0.0.0/0 rule.` |
+| `azure.app_service.properties.service_endpoint` | 2 | general | no | n/a | context-only | no | VNet service-endpoint path indicator; fixture `False` |
+| `azure.app_service.properties.cs_uri_stem` | 3 | general | no | n/a | context-only | no | HTTP request path (`/api/command`); fields.yml describes as "target of the request" |
+| `azure.app_service.operation_name` | 2 | general | no | n/a | context-only | **yes** (→ `event.action`) | `Authorization` on audit categories — operation label; natural `event.action` source, not ECS-mapped |
+| `cloud.provider`,
`cloud.account.id` | — | general | yes | yes | context-only | no | Tenancy scope (`azure-shared-pipeline.yml`); not acted-upon targets |
+| `destination.*`, `url.*`, `host.target.*`, `user.target.*`, `service.target.*` | — | — | no | n/a | — | — | Not populated by any pipeline |
+
+### Gaps and mapping notes
+
+- **No `event.action` mapping** — `azure.app_service.operation_name` (`Authorization`, `ContainerLogs`, `Microsoft.Web/sites/log`) and HTTP `cs_method` (`POST`) name the operation but remain vendor-only. Primary enhancement: copy `operation_name` → `event.action` on audit/IPSec/platform/console categories; `cs_method` (optionally with `cs_uri_stem`) on **AppServiceHTTPLogs**.
+- **No ECS actor normalization** — publishing Entra object ID (`azure.app_service.properties.user`), UPN (`user_display_name`), and client IP (`client_ip`) remain vendor-only despite clear mappings to `user.id`, `user.email`, and `source.ip`.
+- **No ECS target normalization** — App Service resource identity (`azure.resource.*`) and site hostname (`cs_host`) are the canonical Layer 1/2 targets but are not promoted to `host.target.*`, `entity.target.id`, or `destination.domain`.
+- **No `destination.user.*` or `destination.host.*`** — package absent from `destination_identity_hits.csv`; no de-facto target pattern in use today.
+- **No official ECS `*.target.*` fields** — `target_enhancement_packages.csv` confirms `actor: none` and all target buckets false; enhancement priority for audit categories is **`strong_candidate`** for `user.id`/`user.email` (actor) and `host.target.name`/`entity.target.id` (Layer 2 resource).
+- **`cloud.service.name` not set** — Layer 1 platform service is inferable from `azure.resource.provider` (`MICROSOFT.WEB/SITES`) only; static `cloud.service.name: app_service` would improve cross-Azure integration correlation.
+- **`properties.result` conflates action and outcome** — on **AppServiceIPSecAuditLogs** `result: Denied` is an authorization outcome; on **AppServiceHTTPLogs** `result: Success` is HTTP success. Map to `event.outcome`, not `event.action`; keep `operation_name` / `cs_method` as action sources.
+- **`user_display_name` vs `user`** — for AAD publishing, `user` holds Entra object ID (→ `user.id`) and `user_display_name` holds email/UPN (→ `user.email`); do not conflate.
+- **AppServiceIPSecAuditLogs has no user actor** — only client IP; user attribution requires pairing with Entra sign-in or HTTP access logs.
+- **AppServiceHTTPLogs** — request telemetry with actor (`client_ip`, optional `cs_username`) and content target (`cs_uri_stem`, `cs_host`); useful for access investigation but not categorized as platform audit logs.
+- For cross-integration user attribution on **AppServiceAuditLogs**, pair Entra object IDs with Microsoft Entra ID / Azure Activity Log data.
+
+### Per-stream notes
+
+#### `app_service_logs` — AppServiceAuditLogs
+
+SCM/publishing authorization audit. **Action:** `Authorization` (`azure.app_service.operation_name`); protocol `AAD` refines auth method. **Actor:** Entra **user** (`user`, `user_display_name`) plus **host** client endpoint (`client_ip`, `client_port`). **Target:** Layer 1 App Service platform, Layer 2 **web app resource** (`azure.resource.*`), Layer 2 publishing surface (`protocol`). No ECS user, source, or `event.action` mapping.
+
+#### `app_service_logs` — AppServiceIPSecAuditLogs
+
+Network perimeter audit. **Action:** `Authorization` with outcome `Denied` in fixture (`result`, `details`). **Actor:** remote **host** client (`client_ip`, `client_port`); optional Front Door/proxy context (`xforwarded_*`, `xazurefdid`). **Target:** Layer 2 **web app resource**, Layer 2 **site hostname** (`cs_host`), Layer 2 **policy decision** (`result`, `details`, `service_endpoint`). No user identity in category.
+
+#### `app_service_logs` — AppServiceHTTPLogs (audit-adjacent)
+
+HTTP access telemetry, not platform audit. **Action:** HTTP method `POST` on `/api/command` (`cs_method`, `cs_uri_stem`); `result: Success` is outcome, not action. **Actor:** **host** (`client_ip`); optional **user** (`cs_username` when authenticated). **Target:** Layer 2 site (`cs_host`), Layer 3 request path (`cs_uri_stem`). Same vendor-only identity pattern — no ECS `source.*`/`url.*`/`user.*`/`event.action` promotion.
+
+#### `app_service_logs` — AppServicePlatformLogs / AppServiceConsoleLogs / AppServiceAppLogs
+
+Runtime/platform/application output. **Action:** platform `ContainerLogs` with embedded `EventName:SiteStopRequested` / `ContainerStopped`; console `Microsoft.Web/sites/log`; app logs freeform `result_description`. No security-principal actor or audit target semantics; stamp/container metadata only (`azure.app_service.host`, `container_id`, `event_stamp_name`).
+
+## Example Event Graph
+
+Examples below come from the single **`app_service_logs`** data stream. **AppServiceAuditLogs** and **AppServiceIPSecAuditLogs** are true platform audit categories; **AppServiceHTTPLogs** is audit-adjacent HTTP request telemetry. `event.action` is not populated in any fixture — actions are derived from `azure.app_service.operation_name` or `azure.app_service.properties.cs_method`.
+ +### Example 1: Entra ID publishing authorization + +**Stream:** `azure.app_service.app_service_logs` · **Fixture:** `packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceauditlogs-raw.log-expected.json` + +``` +Entra user (user@elastic.co) → Authorization → App Service web app (USER-TEST-APP) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | 100320021ACECD34 | +| name | user@elastic.co | +| type | user | +| ip | 0.0.0.0 | + +**Field sources:** +- `id` ← `azure.app_service.properties.user` +- `name` ← `azure.app_service.properties.user_display_name` +- `ip` ← `azure.app_service.properties.client_ip` +- Auth method: `azure.app_service.properties.protocol` = `AAD` (Entra ID-backed publishing) + +#### Event action + +| Field | Value | +| --- | --- | +| action | Authorization | +| source_field | `azure.app_service.operation_name` | +| source_value | Authorization | + +Not mapped to `event.action` in ECS today. + +#### Target + +| Field | Value | +| --- | --- | +| id | /SUBSCRIPTIONS/12CABCB5-36E8-104F-A3D2-1DC9982F45CA/RESOURCEGROUPS/USER-TEST/PROVIDERS/MICROSOFT.WEB/SITES/USER-TEST-APP | +| name | USER-TEST-APP | +| type | host | +| sub_type | web_app | + +**Field sources:** +- `id` ← `azure.resource.id` +- `name` ← `azure.resource.name` +- `sub_type` ← `azure.resource.provider` (`MICROSOFT.WEB/SITES`) + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: user@elastic.co"] --> E["Authorization"] + E --> T["Target: USER-TEST-APP"] +``` + +### Example 2: IPsec access denied + +**Stream:** `azure.app_service.app_service_logs` · **Fixture:** `packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appserviceipsecauditlogs-raw.log-expected.json` + +``` +Remote client (0.0.0.0) → Authorization → Site hostname (mango-tree-…azurewebsites.net) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| type | host | +| ip | 0.0.0.0 | + +**Field sources:** +- `ip` ← 
`azure.app_service.properties.client_ip` (port `52580` in `azure.app_service.properties.client_port`) + +No user identity in this category — client IP only. + +#### Event action + +| Field | Value | +| --- | --- | +| action | Authorization | +| source_field | `azure.app_service.operation_name` | +| source_value | Authorization | + +Outcome `Denied` is in `azure.app_service.properties.result` — not mapped to `event.action` or `event.outcome` today. + +#### Target + +| Field | Value | +| --- | --- | +| id | /SUBSCRIPTIONS/0E073EC1-C22F-4488-ADDE-DA35ED609CCD/RESOURCEGROUPS/LUCIAN.DEACONESCU_RG_6914/PROVIDERS/MICROSOFT.WEB/SITES/MANGO-TREE-3004D00656084194B08980B8DB637B86 | +| name | mango-tree-3004d00656084194b08980b8db637b86.azurewebsites.net | +| type | host | +| sub_type | web_app | + +**Field sources:** +- `id` ← `azure.resource.id` +- `name` ← `azure.app_service.properties.cs_host` (site FQDN evaluated against IPsec rules; `azure.resource.name` is `MANGO-TREE-3004D00656084194B08980B8DB637B86`) +- `sub_type` ← `azure.resource.provider` (`MICROSOFT.WEB/SITES`) + +Policy context: `azure.app_service.properties.result` = `Denied`, `details` = `Denied by 0.0.0.0/0 rule.` + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: 0.0.0.0"] --> E["Authorization"] + E --> T["Target: mango-tree-…azurewebsites.net"] +``` + +### Example 3: HTTP POST to SCM endpoint (audit-adjacent) + +**Stream:** `azure.app_service.app_service_logs` · **Fixture:** `packages/azure_app_service/data_stream/app_service_logs/_dev/test/pipeline/test-appservicehttplogs-raw.log-expected.json` + +``` +HTTP client (81.2.69.142) → POST → Request path (/api/command on user-test.scm.azurewebsites.net) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| type | host | +| ip | 81.2.69.142 | + +**Field sources:** +- `ip` ← `azure.app_service.properties.client_ip` + +`azure.app_service.properties.cs_username` is `-` (unauthenticated) in this fixture. 
+ +#### Event action + +| Field | Value | +| --- | --- | +| action | POST | +| source_field | `azure.app_service.properties.cs_method` | +| source_value | POST | + +Not mapped to `event.action` in ECS today. HTTP outcome `Success` is in `azure.app_service.properties.result`, not the action. + +#### Target + +| Field | Value | +| --- | --- | +| id | /SUBSCRIPTIONS/12CA3CB4-86E8-404F-A352-1DC1000F45CA/RESOURCEGROUPS/USER-TEST/PROVIDERS/MICROSOFT.WEB/SITES/APP-TEST | +| name | user-test.scm.azurewebsites.net/api/command | +| type | general | +| sub_type | url_path | + +**Field sources:** +- `id` ← `azure.resource.id` (Layer 2 web app resource) +- `name` ← `azure.app_service.properties.cs_host` + `azure.app_service.properties.cs_uri_stem` (site FQDN + request path) +- `sub_type` ← HTTP request path target (`cs_uri_stem`: `/api/command`) + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: 81.2.69.142"] --> E["POST"] + E --> T["Target: /api/command"] +``` + +## ES|QL Entity Extraction + +**Package type: agent-backed** (Elastic Agent `azure-eventhub` input). Query-time extraction applies to the single logs data stream, routed by **`data_stream.dataset == "azure_app_service.app_service_logs"`** (`sample_event.json`, dashboard filter) with **`azure.app_service.category`** as the secondary discriminator (six diagnostic categories share one dataset). Pass 4 is **fill-gaps-only**: column-level `IS NOT NULL` preserve on each mapped output before vendor fallbacks so a populated `user.email` does not block `user.id` ← `azure.app_service.properties.user`, and a populated `host.target.id` does not block category-specific `host.target.name` fallbacks. True audit categories (**AppServiceAuditLogs**, **AppServiceIPSecAuditLogs**) and audit-adjacent **AppServiceHTTPLogs** receive actor, action, and target enrichment; platform/console/app log categories are excluded. 
**Pass 4 (tautology cleanup):** no `CASE(col, col, …)` identity fallbacks; mapped columns use column-level preserve (not blind `CASE(actor_exists, user.name, …)` when `user.email` can set `actor_exists` while `user.name` stays empty). **Pass 4 CASE syntax:** combined actor/action/target blocks use odd-arity `CASE` (condition/value pairs + trailing `null`); the audit pipeline fragment uses **3-arg** `CASE(col IS NOT NULL, col, fallback)` — not **4-arg** `CASE(col IS NOT NULL, col, bare_field, null)` where the bare field parses as a boolean condition.
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `azure_app_service.app_service_logs` — AppServiceAuditLogs | publishing audit | user, host | host, service | full |
+| `azure_app_service.app_service_logs` — AppServiceIPSecAuditLogs | network audit | host | host | full |
+| `azure_app_service.app_service_logs` — AppServiceHTTPLogs | HTTP telemetry | host, user | host, general | partial |
+| `azure_app_service.app_service_logs` — Platform/Console/AppLogs | runtime output | — | — | none |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.id` | `azure.app_service.properties.user` | `data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceAuditLogs"` | high | **preserve existing** — `user.id IS NOT NULL`; vendor fallback — Entra object ID |
+| `user.email` | `azure.app_service.properties.user_display_name` | same | high | **preserve existing** — `user.email IS NOT NULL`; vendor fallback — UPN/email |
+| `user.name` | `azure.app_service.properties.user_display_name` | `data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceAuditLogs"` | high | **preserve existing** — `user.name IS
NOT NULL` (not `actor_exists`); vendor fallback — display name |
+| `user.name` | `azure.app_service.properties.cs_username` | `data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs" AND azure.app_service.properties.cs_username != "-"` | medium | **preserve existing** — `user.name IS NOT NULL`; vendor fallback — IIS auth user when present |
+| `host.ip` | `azure.app_service.properties.client_ip` | `data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs", "AppServiceHTTPLogs")` | high | **preserve existing** — `host.ip IS NOT NULL`; vendor fallback — not promoted to `source.ip` at ingest |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `host.target.id` | `azure.resource.id` | `data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs", "AppServiceHTTPLogs")` | high | **preserve existing** — `host.target.id IS NOT NULL`; vendor fallback — web app ARM resource (Pass 3 Examples 1–3) |
+| `host.target.name` | `azure.resource.name` | `data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceAuditLogs"` | high | **preserve existing** — `host.target.name IS NOT NULL` (not `target_exists`); vendor fallback — app resource name (`USER-TEST-APP`) |
+| `host.target.name` | `azure.app_service.properties.cs_host` | `data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceIPSecAuditLogs", "AppServiceHTTPLogs")` | high | **preserve existing** — `host.target.name IS NOT NULL`; vendor fallback — site FQDN (Pass 3 Examples 2–3) |
+| `service.target.name` | `azure.resource.provider` | `data_stream.dataset == "azure_app_service.app_service_logs" AND
azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs", "AppServiceHTTPLogs")` | high | **preserve existing** — `service.target.name IS NOT NULL`; vendor fallback — Layer 1 platform type (`MICROSOFT.WEB/SITES`) |
+| `entity.target.name` | `azure.app_service.properties.cs_uri_stem` | `data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs"` | high | **preserve existing** — `entity.target.name IS NOT NULL`; vendor fallback — HTTP request path (`/api/command`) |
+
+#### Event action mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `event.action` | `azure.app_service.operation_name` | `data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs")` | high | preserve existing; vendor fallback — `Authorization` in audit fixtures |
+| `event.action` | `azure.app_service.properties.cs_method` | `data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs"` | high | preserve existing; vendor fallback — HTTP verb (`POST`); do not use `properties.result` (outcome) |
+
+### Detection flags (mandatory — run first)
+
+Predicate tuned for this integration: no indexed `user.*` / `host.*` / `*.target.*` / `event.action` at ingest today. **`actor_exists` / `target_exists` are query-time helpers only** — mapped columns use **column-level** `IS NOT NULL` preserve so one populated actor/target field does not block fallbacks on sibling columns (e.g. `user.email` without `user.id`, or `host.target.id` without `host.target.name`).
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.email IS NOT NULL OR user.name IS NOT NULL OR host.ip IS NOT NULL,
+ target_exists = host.target.id IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+**Semantics:** Do not use `CASE(actor_exists, user.name, …)` or `CASE(target_exists, host.target.name, …)` on mapped outputs — use `user.name IS NOT NULL` / `host.target.name IS NOT NULL` (and the same pattern per column), including `event.action IS NOT NULL` for `event.action`.
+
+**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. Use **3-arg** `CASE(user.name IS NOT NULL, user.name, azure.app_service.properties.user_display_name)` or **5-arg** / **7-arg** with dataset guards — not **4-arg** `CASE(user.name IS NOT NULL, user.name, azure.app_service.properties.user_display_name, null)` (the 3rd arg is a **condition**, not a fallback).
+ +### Optional classification helpers (when needed) + +```esql +| EVAL + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs"), "host", + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs", "general", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs"), "web_app", + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs", "url_path", + null + ) +``` + +### Combined ES|QL — actor fields + +```esql +| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceAuditLogs", azure.app_service.properties.user, + null + ), + user.email = CASE( + user.email IS NOT NULL, user.email, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceAuditLogs", azure.app_service.properties.user_display_name, + null + ), + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceAuditLogs", azure.app_service.properties.user_display_name, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs" AND azure.app_service.properties.cs_username != "-", azure.app_service.properties.cs_username, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", 
"AppServiceIPSecAuditLogs", "AppServiceHTTPLogs"), azure.app_service.properties.client_ip, + null + ) +``` + +### Combined ES|QL — event action + +```esql +| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs"), azure.app_service.operation_name, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs", azure.app_service.properties.cs_method, + null + ) +``` + +### Combined ES|QL — target fields + +```esql +| EVAL + host.target.id = CASE( + host.target.id IS NOT NULL, host.target.id, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs", "AppServiceHTTPLogs"), azure.resource.id, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceAuditLogs", azure.resource.name, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceIPSecAuditLogs", azure.app_service.properties.cs_host, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs", azure.app_service.properties.cs_host, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs", "AppServiceHTTPLogs"), azure.resource.provider, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs", azure.app_service.properties.cs_uri_stem, 
+ null + ) +``` + +### Full pipeline fragment (optional) + +```esql +FROM logs-* +| EVAL + actor_exists = user.id IS NOT NULL OR user.email IS NOT NULL OR user.name IS NOT NULL OR host.ip IS NOT NULL, + target_exists = host.target.id IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceAuditLogs", azure.app_service.properties.user, + null + ), + user.email = CASE( + user.email IS NOT NULL, user.email, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceAuditLogs", azure.app_service.properties.user_display_name, + null + ), + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceAuditLogs", azure.app_service.properties.user_display_name, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs" AND azure.app_service.properties.cs_username != "-", azure.app_service.properties.cs_username, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs", "AppServiceHTTPLogs"), azure.app_service.properties.client_ip, + null + ), + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs"), azure.app_service.operation_name, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == 
"AppServiceHTTPLogs", azure.app_service.properties.cs_method, + null + ), + host.target.id = CASE( + host.target.id IS NOT NULL, host.target.id, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs", "AppServiceHTTPLogs"), azure.resource.id, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceAuditLogs", azure.resource.name, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceIPSecAuditLogs", azure.app_service.properties.cs_host, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs", azure.app_service.properties.cs_host, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category IN ("AppServiceAuditLogs", "AppServiceIPSecAuditLogs", "AppServiceHTTPLogs"), azure.resource.provider, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "azure_app_service.app_service_logs" AND azure.app_service.category == "AppServiceHTTPLogs", azure.app_service.properties.cs_uri_stem, + null + ) +| KEEP @timestamp, data_stream.dataset, azure.app_service.category, event.action, user.id, user.email, user.name, host.ip, host.target.id, host.target.name, service.target.name +``` + +### Streams excluded + +- **AppServicePlatformLogs** — container/stamp lifecycle (`ContainerLogs`, `EventName` in `azure.app_service.log`); no security-principal actor or durable audit target. +- **AppServiceConsoleLogs** — stdout/stderr wrapper (`Microsoft.Web/sites/log`); no principal actor. 
+- **AppServiceAppLogs** — unstructured application output (`result_description`); no structured actor/target identity.
+
+### Gaps and limitations
+
+- **Vendor fields not promoted at ingest** — all fallbacks use `azure.app_service.properties.*` and `azure.resource.*`; Pass 4 does not modify pipelines.
+- **`user.domain`** — not indexed; not extractable from fixtures without email parse.
+- **`host.id` / `host.name` (actor)** — client endpoint is `host.ip` only; `client_port` is vendor-only context.
+- **IPSec category has no user actor** — client IP only; user attribution requires Entra or HTTP correlation.
+- **`properties.result` is outcome** — `Denied` / `Success` should map to `event.outcome` at ingest, not `event.action` or target identity.
+- **HTTP composite target name** — Pass 3 combines `cs_host` + `cs_uri_stem`; ES|QL maps them to separate `host.target.name` and `entity.target.name` columns (no `CONCAT` in mandatory set).
+- **Front Door / proxy actor context** — `xforwarded_*`, `xazurefdid` empty in IPSec fixture; omitted to avoid false positives.
+- **Platform/console action candidates** — `operation_name` / `azure.app_service.log` `EventName` exist but streams are excluded from entity EVAL.
+- **Alignment with Pass 2** — `event.action`, `user.id`, `user.email`, and `host.target.*` are ingest enhancement candidates; this section supplies query-time fallback only when those columns are empty.
+- **Pass 4 tautology cleanup** — no `CASE(col, col, …)` identity fallbacks; actor/target columns use column-level `IS NOT NULL` preserve (not `CASE(actor_exists, user.name, …)` / `CASE(target_exists, host.target.name, …)`) so partial ingest or prior EVAL steps do not block vendor fallbacks; `entity.target.type` / `entity.target.sub_type` use the same column-level pattern.
+- **Pass 4 CASE syntax** — combined actor/action/target blocks use odd-arity `CASE` (condition/value pairs + trailing `null`); full pipeline fragment aligns with combined blocks (dataset guards on every fallback branch).
+- **Unscoped `FROM logs-*`** — dataset routing lives in `CASE` fallback conditions (`data_stream.dataset == "azure_app_service.app_service_logs"` + category), not a top-level `WHERE`.
diff --git a/dev/domain/p1/azure_openai.md b/dev/domain/p1/azure_openai.md
new file mode 100644
index 00000000000..d2003b89f1d
--- /dev/null
+++ b/dev/domain/p1/azure_openai.md
@@ -0,0 +1,489 @@
+# azure_openai
+
+## Product Domain (Azure OpenAI Service)
+
+Microsoft Azure OpenAI Service is a managed Azure offering for deploying and consuming OpenAI foundation models (chat, completions, embeddings, and related APIs) within an organization's Azure tenancy. Resources are provisioned as Cognitive Services accounts with model deployments, quota management, and Azure-native content filtering (hate, violence, sexual, self-harm, profanity, jailbreak, protected material, and custom blocklists). Organizations use Azure OpenAI to build copilots and AI applications while retaining Azure identity, networking, and compliance controls.
+
+The platform emits operational telemetry at two levels. Native diagnostic logging covers audit activity (administrative and key-management operations) and request/response metadata for model API calls—operation name, duration, model deployment, caller IP, and HTTP outcome—without full prompt and completion bodies by default. When Azure API Management (APIM) fronts OpenAI deployments, gateway logs add richer HTTP-level detail, including backend request and response payloads, token usage, cache behavior, TLS metadata, and content-filter results across safety categories.
+
+From a security and observability perspective, Azure OpenAI is a critical control point for AI workload governance. Security and platform teams monitor who invokes models, which deployments are used, whether requests succeed or fail, how content filters act on prompts and completions, and how provisioned throughput (PTU) capacity is consumed. The Elastic integration ingests OpenAI logs via Azure Event Hub and cognitive-service metrics via Azure Monitor, normalizing events into ECS-aligned fields for SIEM correlation, AI usage analytics, latency and availability alerting, quota monitoring, and audit review.
+
+## Data Collected (brief)
+
+- **Logs** (`azure.open_ai`): Streamed from Azure Event Hub via the `azure-eventhub` input; agent-based deployment only.
+- **Audit** (`category: Audit`): Administrative and resource operations (e.g., key listing), including asset identity, object ID, operation name, tenant/region, and Azure resource ID.
+- **RequestResponse** (`category: RequestResponse`): Native model API call telemetry—operation (e.g., chat completions, thread creation), duration, caller IP, correlation ID, model name/version/deployment, stream type, request/response sizes, and HTTP result signature.
+- **ApiManagementGatewayLogs** (`category: GatewayLogs`): APIM gateway events with full HTTP context—client and backend URLs/methods, request/response bodies (prompts and completions), token counts, latency, cache status, TLS details, and content-filter outcomes (severity, filtered/detected flags, custom blocklists, jailbreak, profanity, protected material).
+- **Metrics** (`azure.open_ai`): Collected from Azure Monitor (`Microsoft.CognitiveServices/accounts`) on a 5-minute period; supports agent-based and agentless deployment.
+- **Usage and performance**: API request counts; input, output, active, and total token totals; time to response (streaming latency); fine-tuned training hours; PTU utilization percentage and context-token cache match rate (provisioned deployments).
+- **Dimensions and resource context**: Model name, version, deployment name, API name, operation name, region, status code, stream type; Azure subscription, resource group, resource ID, and namespace.
+
+## Expected Audit Log Entities
+
+OpenAI telemetry spans one **logs** data stream (`azure.open_ai`, three Azure diagnostic categories) and one **metrics** data stream (`azure.open_ai`, Azure Monitor aggregates). **`Audit`** is true administrative audit (key management, resource operations).
**`RequestResponse`** and **`GatewayLogs`** are audit-adjacent API telemetry — native OpenAI call metadata and APIM gateway HTTP logs with full request/response bodies. **`Metrics`** are time-bucketed usage and performance gauges with no per-request principal. The logs pipeline maps GatewayLogs `caller_ip_address` → `source.ip` (with geo/ASN) and subscription → `cloud.account.id`, but does not populate ECS `user.*`, `*.target.*`, `related.*`, `destination.*`, or `gen_ai.*`. No ECS `*.target.*` fields are mapped today (`target_fields_audit.csv` has no `azure_openai` row; `target_enhancement_packages.csv` classifies actor/target enhancement as **`none`**). No `destination.user.*` / `destination.host.*` usage (`destination_identity_hits.csv` has no `azure_openai` row). **`event.action` is absent** in all log and metrics fixtures and no ingest pipeline maps to it (grep across `packages/azure_openai` returns no `event.action` references). Vendor operation fields (`azure.open_ai.operation_name`, `properties.operation_id`) hold the action verb but remain vendor-only. Evidence is from `packages/azure_openai/data_stream/logs/_dev/test/pipeline/test-open-ai-*-expected.json`, `data_stream/logs/sample_event.json`, `data_stream/logs/fields/fields.yml`, `data_stream/logs/elasticsearch/ingest_pipeline/default.yml`, `data_stream/logs/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml`, `data_stream/metrics/_dev/test/pipeline/test-openai-request.json-expected.json`, `data_stream/metrics/sample_event.json`, and `data_stream/metrics/fields/fields.yml`. + +### Event action (semantic) + +Each log category records a distinct operation or activity. **`Audit`** and **`RequestResponse`** expose the action at top-level `azure.open_ai.operation_name`. **`GatewayLogs`** use `properties.operation_id` for the OpenAI/APIM API method (e.g. `ChatCompletions_Create`); the top-level `operation_name` (`Microsoft.ApiManagement/GatewayLogs`) is the Azure diagnostic envelope, not the API verb. 
**`Metrics`** are pre-aggregated Azure Monitor gauges with **no meaningful per-event action** (classification rule 10). + +| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | +| `ListKey` | administration | high | `test-open-ai-audit.log-expected.json`: `operation_name: ListKey` | **`Audit`** — key-management admin operation against the cognitive account | +| `Create_Thread` | api_call | high | `test-open-ai-request-response.log-expected.json`: `operation_name: Create_Thread` | **`RequestResponse`** — Assistants thread creation | +| `ChatCompletions_Create` | api_call | high | RequestResponse fixture (`operation_name: ChatCompletions_Create`); GatewayLogs fixture (`properties.operation_id: ChatCompletions_Create`) | **`RequestResponse`**, **`GatewayLogs`** — chat completion API invocation | +| `Microsoft.ApiManagement/GatewayLogs` | api_call | partial | GatewayLogs top-level `operation_name` in all gateway fixtures and `sample_event.json` | **`GatewayLogs`** — Azure diagnostic category name, not the invoked OpenAI API method; use `properties.operation_id` instead for `event.action` | +| `ShoeboxCallResult` | api_call | partial | RequestResponse: `azure.open_ai.event: ShoeboxCallResult` in fixtures | **`RequestResponse`** — Azure internal event type for native call telemetry; less specific than `operation_name` | +| (none — metric aggregates) | — | high | `metrics/sample_event.json`, `test-openai-request.json-expected.json` — token/latency counters only | **`Metrics`** — no per-request verb; dimensions describe aggregation slice | + +### Event action (ECS candidates) + +| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | +| `azure.open_ai.operation_name` | no | n/a | `ListKey`, `Create_Thread`, `ChatCompletions_Create` | yes | Audit and RequestResponse fixtures; `fields.yml` L13–15 ("The log action performed"); pipeline retains vendor-only after snake_case script — no rename to `event.action` | +| `azure.open_ai.properties.operation_id` | no | n/a | `ChatCompletions_Create` | yes | GatewayLogs fixtures (`test-open-ai-gateway.log-expected.json`); primary API action on APIM-fronted calls | +| `http.request.method` + `url.path` | no | partial | `POST` + `/deployments/gpt-chat-pilot/chat/completions` | partial | GatewayLogs: `properties.method` → `http.request.method` (`default.yml` L265–268); `uri_parts` on `properties.url` (`default.yml` L273–286); alternate when `operation_id` absent | +| `azure.open_ai.event` | no | n/a | `ShoeboxCallResult` | partial | RequestResponse fixtures only; Azure envelope type, not the API method | +| `event.action` | no | n/a | — | yes | Not set in any pipeline or fixture | +| `event.outcome` | yes | yes | `success`, `failure` | no | `result_type` → `event.outcome` on GatewayLogs (`default.yml` L162–169); records outcome, not action | +| `event.type` / `event.category` | no | n/a | — | no | Not set; would not substitute for `event.action` without a vendor action source | + +**Step 2b — per-stream check:** + +| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? 
| Primary action candidate | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| Logs — Audit | no | no | `azure.open_ai.operation_name` → `ListKey` | high | `test-open-ai-audit.log-expected.json`; no `event.action` in `event` block | +| Logs — RequestResponse | no | no | `azure.open_ai.operation_name` → `Create_Thread`, `ChatCompletions_Create` | high | `test-open-ai-request-response.log-expected.json`; alternate `azure.open_ai.event: ShoeboxCallResult` | +| Logs — GatewayLogs | no | no | `azure.open_ai.properties.operation_id` → `ChatCompletions_Create` | high | `test-open-ai-gateway.log-expected.json`, `sample_event.json`; do **not** use top-level `operation_name: Microsoft.ApiManagement/GatewayLogs` | +| Metrics | no | no | — (no per-event action) | high | `test-openai-request.json-expected.json`; `event` block has `dataset`/`module` only; 5-minute Azure Monitor aggregates | + +### Actor (semantic) + +| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | +| Entra ID principal (object ID) | user | — | high | `azure.open_ai.properties.object_id` on Audit `ListKey` (`test-open-ai-audit.log-expected.json`: `b610ab05-ce06-4cc1-a6dd-174b9f80468a`); defined in `fields.yml` | **`Audit`** — administrative actor for key-management and resource operations; not mapped to ECS `user.id` | +| Asset identity | general | identity | moderate | `azure.open_ai.asset_identity` on Audit sample (`07628fea-67bb-424d-b160-fdc46c82d0b4`); `fields.yml` | **`Audit`** — Azure asset identity key; supplementary to object ID | +| API client (IP address) | host | — | high | GatewayLogs: `caller_ip_address` → `source.ip` with `source.geo.*` / `source.as.*` (`default.yml` L117–161; `test-open-ai-gateway.log-expected.json`: `89.160.20.156`) | **`GatewayLogs`** — full client IP; best actor signal for model API calls | +| API client (masked IP) | host | — | moderate | RequestResponse: 
`azure.open_ai.caller_ip_address` (last octet masked, e.g. `81.2.69.***`); pipeline intentionally does **not** copy to `source.ip` (`default.yml` L117 comment) | **`RequestResponse`** — caller network context only; no geo enrichment | +| Client TLS context | general | tls_client | moderate | `azure.open_ai.properties.client_tls_version`, `client_tls_cipher_suite`, `client_protocol` (`fields.yml`; gateway fixtures) | **`GatewayLogs`** — transport fingerprint for the calling client; not a distinct ECS entity | +| Integration collector | service | — | low | Elastic Agent Event Hub consumer / Metricbeat Azure Monitor poller; credentials in stream config, not indexed | Implicit; not represented on events | + +**No actor identity in samples:** **`RequestResponse`** — `properties.object_id` is empty in fixtures; no user name, API key ID, or Entra UPN. **`Metrics`** — time-bucketed resource metrics only; no caller or user dimensions. **`GatewayLogs`** `backend_request_body.messages[].role: user` is chat turn role, not a security principal. + +### Actor (ECS candidates) + +| ECS / vendor field | Role | Mapped today? | Mapping correct? 
| Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `azure.open_ai.properties.object_id` | Entra ID administrative principal | no | n/a | high | Audit `ListKey` fixture (`b610ab05-ce06-4cc1-a6dd-174b9f80468a`); `fields.yml`; pipeline retains vendor-only — no rename to `user.id` | +| `azure.open_ai.asset_identity` | Azure asset identity key | no | n/a | moderate | Audit fixture; supplementary actor context alongside object ID | +| `source.ip` | API client IP (GatewayLogs) | yes | yes | high | `caller_ip_address` → `source.ip` when `category == 'GatewayLogs'` (`default.yml` L117–124); geo/ASN enrichment L141–161; fixture `89.160.20.156` | +| `source.geo.*` / `source.as.*` | Client network enrichment | yes | yes | high | GeoIP/ASN processors on `source.ip` (`default.yml` L141–161); populated in gateway fixtures | +| `azure.open_ai.caller_ip_address` | Masked client IP (RequestResponse) | no | n/a | moderate | RequestResponse fixtures (`81.2.69.***`); intentionally not promoted to `source.ip` per pipeline comment | +| `azure.open_ai.properties.client_tls_version` / `.client_tls_cipher_suite` / `.client_protocol` | Client transport fingerprint | no | n/a | moderate | GatewayLogs `fields.yml` and fixtures; vendor-only | +| `user.id` / `user.*` | Actor identity | no | n/a | — | Not set in any pipeline or fixture despite Audit `object_id` availability | +| `client.user.*` | Caller principal | no | n/a | — | Not used | +| `related.user` | Actor cross-reference | no | n/a | — | Not used | +| `destination.user.*` / `destination.host.*` | De-facto target identity | no | n/a | — | Not used (`destination_identity_hits.csv` has no `azure_openai` row) | + +### Target (semantic) + +| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | --- | --- | +| 1 — Platform / cloud service | Invoked Azure AI platform | Azure OpenAI / Cognitive Services | service | — | high | 
`azure.resource.provider: microsoft.cognitiveservices/accounts`; `azure.namespace: Microsoft.CognitiveServices/accounts` on metrics | **`Audit`**, **`RequestResponse`**, **`Metrics`** — managed OpenAI platform; no ECS `cloud.service.name` set | +| 1 — Platform / cloud service | APIM gateway fronting OpenAI | Azure API Management | service | — | high | GatewayLogs `azure.resource.provider: microsoft.apimanagement/service` (`test-open-ai-gateway.log-expected.json`) | **`GatewayLogs`** — distinct Layer 1 from cognitive account | +| 2 — Resource / object | Cognitive Services (OpenAI) account | OpenAI account resource | service | — | high | `azure.resource.id/name/group` on Audit and RequestResponse fixtures; grok from `resourceId` in `azure-shared-pipeline.yml` | **`Audit`**, **`RequestResponse`** — Azure resource acted upon or emitting the call | +| 2 — Resource / object | Model deployment | Deployed foundation model endpoint | service | — | high | `properties.model_deployment_name`, `model_name`, `model_version`; gateway `backend_url` path `/deployments/{name}/...`; `backend_request_body.model` | **`RequestResponse`**, **`GatewayLogs`** — e.g. `gpt-chat-pilot`, `gpt-35-turbo` | +| 2 — Resource / object | APIM API definition | Gateway-routed API surface | general | api | high | `properties.api_id`, `api_revision`; client `url.*` from gateway request URL (`default.yml` uri_parts L273–286) | **`GatewayLogs`** — e.g. `azure-openai-service-api` | +| 2 — Resource / object | OpenAI / admin API operation | API method or admin action | general | api_method | high | `azure.open_ai.operation_name` / `properties.operation_id` (e.g. 
`ChatCompletions_Create`, `Create_Thread`, `ListKey`) | All log categories — names the operation, not a host | +| 2 — Resource / object | Model deployment (metric dimension) | Aggregated deployment slice | service | — | high | `azure.dimensions.model_deployment_name`, `feature_name`, `model_version`, `api_name`, `region` (`metrics/sample_event.json`, `metrics/fields/fields.yml`) | **`Metrics`** — aggregation dimension for token/latency counters; not per-request target | +| 3 — Content / artifact | Chat completion / thread instance | Per-request AI artifact | general | ai_completion | moderate | `properties.backend_response_body.id` (e.g. `chatcmpl-9gRL14hGa8nQstOJKvLjh7EyulsnT`); `operation_name: Create_Thread` on RequestResponse | **`GatewayLogs`**, **`RequestResponse`** — correlatable invocation ID; not mapped to ECS | +| 3 — Content / artifact | Prompt and completion content | Prompt / model output text | general | ai_content | high | `properties.backend_request_body.messages[].content`, `backend_response_body.choices[].message.content`; token usage under `backend_response_body.usage` | **`GatewayLogs`** — full bodies retained vendor-only | +| 3 — Content / artifact | Content-filter / blocklist outcome | Safety policy evaluation | general | policy | moderate | `properties.backend_response_body.choices.content_filter_results.*`, `prompt_filter_results.*`, `error.innererror.content_filter_result.*` (`fields.yml`; gateway fixtures) | **`GatewayLogs`** — policy targets on prompt/response content | +| 3 — Content / artifact | Time-bucket metric aggregate | Azure Monitor usage slice | general | usage_bucket | high | `@timestamp`, `azure.timegrain`, `azure.open_ai.*.total` / `*.avg`; dimensions `azure.dimensions.*` | **`Metrics`** — pre-aggregated counters; not per-request audit targets | + +**No meaningful audit target in metrics:** Individual prompts, completions, users, or API keys — metrics expose counts and latency percentiles keyed by model-deployment dimensions 
only, not content or principal IDs. Per classification rule 10, metric dimensions are **aggregation targets**, not per-request audit targets. + +### Target (ECS candidates) + +| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `azure.resource.id` / `.name` / `.group` / `.provider` | 2 | service | yes | yes | `cloud.resource.id` / context-only | partial | `resourceId` rename (`default.yml` L18–20); grok in `azure-shared-pipeline.yml` L10–19; cognitive account or APIM service depending on category | +| `cloud.account.id` | — | — | yes | yes | context-only | no | `azure.subscription_id` → `cloud.account.id` (`azure-shared-pipeline.yml` L21–23); Audit and RequestResponse fixtures | +| `cloud.provider` | — | — | yes | yes | context-only | no | Static `azure` (`azure-shared-pipeline.yml` L4–6) | +| `cloud.service.name` | 1 | service | no | n/a | `service.target.name` | yes | Not set; static `azure_openai` or `Microsoft.CognitiveServices` would identify invoked platform | +| `azure.open_ai.properties.model_deployment_name` | 2 | service | no | n/a | `gen_ai.request.model.name` / `service.target.entity.id` | yes | RequestResponse and GatewayLogs fixtures (`gpt-chat-pilot`); `fields.yml`; canonical deployment target | +| `azure.open_ai.properties.model_name` / `.model_version` | 2 | service | no | n/a | `gen_ai.request.model.id` / `.version` | yes | RequestResponse fixture (`gpt-35-turbo`, `0301`); gateway `backend_response_body.model` | +| `azure.open_ai.properties.backend_url` | 2 | service | no | n/a | `url.full` / context-only | partial | GatewayLogs fixture — backend OpenAI deployment URL; identifies target endpoint, not mapped to ECS | +| `azure.open_ai.properties.api_id` / `.api_revision` | 2 | general (api) | no | n/a | `service.target.entity.id` | yes | GatewayLogs fixtures (`azure-openai-service-api`, revision `1`) | +| 
`azure.open_ai.operation_name` / `.properties.operation_id` | 2 | general (api_method) | no | n/a | `event.action` | yes | All categories (e.g. `ChatCompletions_Create`, `ListKey`); not promoted to `event.action` | +| `url.domain` / `url.path` / `url.original` | 2 | general (api) | yes | yes | context-only | no | `uri_parts` on gateway client URL (`default.yml` L273–286); APIM client-facing endpoint | +| `azure.open_ai.properties.backend_response_body.id` | 3 | general (ai_completion) | no | n/a | `gen_ai.response.id` | yes | Gateway fixture `chatcmpl-9gRL14hGa8nQstOJKvLjh7EyulsnT` | +| `azure.open_ai.properties.backend_request_body.messages[].content` | 3 | general (ai_content) | no | n/a | `gen_ai.prompt` | yes | Gateway fixtures; prompt text retained vendor-side | +| `azure.open_ai.properties.backend_response_body.choices[].message.content` | 3 | general (ai_content) | no | n/a | `gen_ai.completion` | yes | Gateway fixtures; completion text retained vendor-side | +| `azure.open_ai.properties.backend_response_body.usage.*` | 3 | general (usage_bucket) | no | n/a | `gen_ai.usage.*` | yes | Token counters in gateway fixtures; pipeline renames `prompt_tokens`/`completion_tokens` → `input_tokens`/`output_tokens` (`default.yml` L184–191) but stays vendor-namespaced | +| `azure.dimensions.model_deployment_name` / `.feature_name` / `.model_version` | 2 | service | no | n/a | context-only | no | Metrics sample; aggregation dimension, not per-request entity | +| `azure.open_ai.*.total` / `*.avg` (metrics) | 3 | general (usage_bucket) | no | n/a | context-only | no | Token, latency, availability, utilization counters in `metrics/sample_event.json` | +| `user.target.*` / `host.target.*` / `service.target.*` / `entity.target.*` | — | — | no | n/a | — | no | Not populated (`target_enhancement_packages.csv`: all `has_*_target` false) | +| `destination.user.*` / `destination.host.*` | — | — | no | n/a | — | no | Not used | +| `gen_ai.*` | 2–3 | service / general | no | n/a | 
`gen_ai.*` | yes | No Gen AI ECS fields set despite rich model, prompt, completion, and token data in GatewayLogs | + +### Gaps and mapping notes + +- **`event.action` not mapped:** `azure.open_ai.operation_name` (`ListKey`, `Create_Thread`, `ChatCompletions_Create`) and GatewayLogs `properties.operation_id` (`ChatCompletions_Create`) are the strongest action candidates but remain vendor-only. Recommended: copy category-appropriate field to `event.action` per stream (Audit/RequestResponse → `operation_name`; GatewayLogs → `properties.operation_id`). +- **GatewayLogs envelope vs API verb:** Top-level `operation_name: Microsoft.ApiManagement/GatewayLogs` is the Azure diagnostic category, not the OpenAI API method — do not use it as `event.action`. +- **Audit actor not promoted:** `azure.open_ai.properties.object_id` holds the Entra principal on **`Audit`** events (e.g. `ListKey`) but is never copied to `user.id` or `related.user`. Best vendor source of truth for administrative actor identity. +- **RequestResponse actor gap:** `properties.object_id` is empty in fixtures; only masked `caller_ip_address` remains (vendor-only, not `source.ip`). No API key ID, UPN, or service principal in schema or samples. +- **GatewayLogs actor is network-only:** `source.ip` mapping is correct for client IP (`default.yml` L117–124) but there is no Entra or API-key caller identity even when APIM may have it upstream. +- **Zero Gen AI ECS promotion:** GatewayLogs retain full prompts, completions, model IDs, token usage, and completion IDs under `azure.open_ai.properties.backend_*_body.*` but nothing maps to `gen_ai.prompt`, `gen_ai.completion`, `gen_ai.request.model.id`, or `gen_ai.usage.*`. +- **Layer 1 platform gap:** `cloud.provider: azure` is set but `cloud.service.name` is absent. A static set (e.g. `azure_openai`) would identify the invoked SaaS platform per cloud/SaaS addendum. 
+- **Asymmetric caller IP handling:** GatewayLogs promote full `caller_ip_address` → `source.ip` with geo/ASN; RequestResponse keeps masked IP vendor-only by design (`default.yml` L117). Do not treat RequestResponse `caller_ip_address` as equivalent to `source.ip`. +- **No de-facto `destination.*` targets:** Unlike email/auth integrations, no pipeline maps acted-upon entities to `destination.user.*` or `destination.host.*`. +- **No official ECS target fields:** Aligns with target-fields audit classification **`none`** — no `user.target.*`, `host.target.*`, or `service.target.*` today. Model deployment name, APIM API ID, and completion ID are the strongest enhancement candidates for `service.target.entity.id` / `gen_ai.*`. +- **Chat role homonym:** `backend_request_body.messages[].role: user` is LLM message turn role, not the security principal who invoked the API. +- **Metrics are aggregation-only:** Model deployment dimensions on metrics describe time-bucket slices, not individual API invocations or content artifacts; no per-event action applies. + +### Per-stream notes + +#### Logs — Audit (`category: Audit`) + +True administrative audit. **Action:** `ListKey` at `azure.open_ai.operation_name` — not mapped to `event.action`. Actor is the Entra **object ID** performing operations against the **Cognitive Services account** resource. `asset_identity` and `tenant`/`location` provide supplementary Azure context. No ECS user promotion. + +#### Logs — RequestResponse (`category: RequestResponse`) + +Native OpenAI API telemetry without full bodies. **Action:** `Create_Thread`, `ChatCompletions_Create` at `azure.open_ai.operation_name` — not mapped to `event.action`. Actor is best interpreted as **host** (masked `caller_ip_address`, vendor-only). Target is the **model deployment** and **API operation** on the cognitive account. `correlation_id`, `duration_ms`, and `result_signature` support session correlation, not entity identity. 
+ +#### Logs — GatewayLogs (`category: GatewayLogs`) + +APIM-fronted calls with full HTTP context. **Action:** `ChatCompletions_Create` at `properties.operation_id` — not mapped to `event.action`; top-level `operation_name: Microsoft.ApiManagement/GatewayLogs` is the diagnostic envelope only. Actor is **host** at `source.ip` (geo/ASN enriched). Targets span Layer 1 **APIM gateway**, Layer 2 **APIM API** and **backend OpenAI deployment** (`backend_url`), and Layer 3 **AI completion** IDs plus prompt/completion content. Request/response bodies and content-filter results remain under `azure.open_ai.properties.*` — not ECS-mapped. + +#### Metrics (`azure.open_ai`) + +Azure Monitor gauges for model requests, tokens, latency, availability, fine-tuned training hours, and provisioned utilization. **No per-event action** — time-bucket aggregates only. Target is the **model deployment** dimension set on a **Cognitive Services account** within a time grain. No actor fields; aggregation dimensions only. + +## Example Event Graph + +The examples below come from the **logs** data stream (`azure.open_ai`) pipeline fixtures — one per diagnostic category. **Audit** is true administrative audit; **RequestResponse** and **GatewayLogs** are audit-adjacent API telemetry. **`event.action` is not populated** in any fixture; actions are derived from vendor operation fields. Metrics are omitted — they are time-bucketed aggregates with no per-request actor or action. 
+ +### Example 1: Administrative key listing + +**Stream:** `azure.open_ai` · **Fixture:** `packages/azure_openai/data_stream/logs/_dev/test/pipeline/test-open-ai-audit.log-expected.json` + +``` +Entra ID principal → ListKey → Azure OpenAI cognitive account obs-openai-test-01 +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | b610ab05-ce06-4cc1-a6dd-174b9f80468a | +| type | user | + +**Field sources:** +- `id` ← `azure.open_ai.properties.object_id` (Entra ID object ID; not mapped to ECS `user.id` today) + +#### Event action + +| Field | Value | +| --- | --- | +| action | ListKey | +| source_field | `azure.open_ai.operation_name` | +| source_value | ListKey | + +Not mapped to ECS `event.action` today. + +#### Target + +| Field | Value | +| --- | --- | +| id | /subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourcegroups/obs-openai-service-rs/providers/microsoft.cognitiveservices/accounts/obs-openai-test-01 | +| name | obs-openai-test-01 | +| type | service | +| sub_type | cognitive_account | + +**Field sources:** +- `id` ← `azure.resource.id` +- `name` ← `azure.resource.name` + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: Entra ID principal"] --> E["ListKey"] + E --> T["Target: obs-openai-test-01"] +``` + +### Example 2: Native chat completion call + +**Stream:** `azure.open_ai` · **Fixture:** `packages/azure_openai/data_stream/logs/_dev/test/pipeline/test-open-ai-request-response.log-expected.json` (second event) + +``` +API client (masked IP) → ChatCompletions_Create → Azure OpenAI model deployment gpt-chat-pilot +``` + +#### Actor + +| Field | Value | +| --- | --- | +| ip | 81.2.69.*** | +| type | host | + +**Field sources:** +- `ip` ← `azure.open_ai.caller_ip_address` (masked; intentionally not promoted to `source.ip`) + +#### Event action + +| Field | Value | +| --- | --- | +| action | ChatCompletions_Create | +| source_field | `azure.open_ai.operation_name` | +| source_value | ChatCompletions_Create | + +Not mapped to ECS 
`event.action` today. + +#### Target + +| Field | Value | +| --- | --- | +| id | gpt-chat-pilot | +| name | gpt-35-turbo | +| type | service | +| sub_type | model_deployment | + +**Field sources:** +- `id` ← `azure.open_ai.properties.model_deployment_name` +- `name` ← `azure.open_ai.properties.model_name` (version `0301` at `azure.open_ai.properties.model_version`) + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: 81.2.69.***"] --> E["ChatCompletions_Create"] + E --> T["Target: gpt-chat-pilot"] +``` + +### Example 3: APIM gateway chat completion + +**Stream:** `azure.open_ai` · **Fixture:** `packages/azure_openai/data_stream/logs/_dev/test/pipeline/test-open-ai-gateway.log-expected.json` (first event) + +``` +API client (IP) → ChatCompletions_Create → Azure OpenAI model deployment gpt-chat-pilot +``` + +#### Actor + +| Field | Value | +| --- | --- | +| ip | 89.160.20.156 | +| type | host | +| geo | Linköping, Sweden | + +**Field sources:** +- `ip` ← `source.ip` (from `caller_ip_address` on GatewayLogs) +- `geo` ← `source.geo.city_name`, `source.geo.country_name` + +#### Event action + +| Field | Value | +| --- | --- | +| action | ChatCompletions_Create | +| source_field | `azure.open_ai.properties.operation_id` | +| source_value | ChatCompletions_Create | + +Not mapped to ECS `event.action` today. Do not use top-level `azure.open_ai.operation_name` (`Microsoft.ApiManagement/GatewayLogs`) — that is the Azure diagnostic envelope, not the API verb. 
+ +#### Target + +| Field | Value | +| --- | --- | +| id | gpt-chat-pilot | +| name | gpt-35-turbo | +| type | service | +| sub_type | model_deployment | + +**Field sources:** +- `id` ← `azure.open_ai.properties.backend_request_body.model` / `url.path` deployment segment +- `name` ← `azure.open_ai.properties.backend_response_body.model` + +```mermaid +flowchart LR + A["Actor: 89.160.20.156"] --> E["ChatCompletions_Create"] + E --> T["Target: gpt-chat-pilot"] +``` + +## ES|QL Entity Extraction + +**Package type: agent-backed** (Elastic Agent Event Hub + Azure Monitor). Query-time extraction applies to the **logs** data stream only, routed by `data_stream.dataset == "azure.open_ai"` with **`azure.open_ai.category`** as the secondary discriminator (Audit, RequestResponse, GatewayLogs share one dataset). The **metrics** stream uses the same dataset value but is excluded — time-bucketed Azure Monitor aggregates with no per-request principal, action, or target. Pass 4 is fill-gaps-only: existing `user.*`, `host.*`, `service.target.*`, and `event.action` values are never overwritten. **Pass 4 (tautology cleanup):** column-level `IS NOT NULL` preserve on mapped outputs; **`source.ip` excluded from `actor_exists`** so GatewayLogs client IP can promote to `host.ip`; no `CASE(col, col, …)` fallback branches — ingest-populated values are preserved via detection flags or column guards only. 
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `azure.open_ai` | logs — Audit | user | service | partial |
+| `azure.open_ai` | logs — RequestResponse | host | service | partial |
+| `azure.open_ai` | logs — GatewayLogs | host | service | partial |
+| `azure.open_ai` | metrics | — | — | none |
+
+### Field mapping plan
+
+**Detection predicate (tuned):** `actor_exists` checks official actor ECS columns only — **`source.ip` is excluded** because GatewayLogs maps the API client to `source.ip`, not `host.ip` (`default.yml` L117–124). `target_exists` checks official `*.target.*` columns only (not populated at ingest today).
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.id` | `user.id` | `data_stream.dataset == "azure.open_ai"` | high | **preserve existing** — column-level `user.id IS NOT NULL` |
+| `user.id` | `azure.open_ai.properties.object_id` | `data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "Audit"` | high | **vendor fallback** — Entra admin principal (`ListKey` fixture) |
+| `host.ip` | `host.ip` | `data_stream.dataset == "azure.open_ai"` | high | **preserve existing** — column-level `host.ip IS NOT NULL` |
+| `host.ip` | `source.ip` | `data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "GatewayLogs"` | high | **vendor fallback** — `caller_ip_address` → `source.ip` at ingest; promotes to `host.ip` |
+| `host.ip` | `azure.open_ai.caller_ip_address` | `data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "RequestResponse"` | medium | **vendor fallback** — masked IP; not promoted to `source.ip` at ingest |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `service.target.id` | `service.target.id` | `data_stream.dataset == "azure.open_ai"` | high | **preserve existing** — column-level `service.target.id IS NOT NULL` |
+| `service.target.id` | `azure.resource.id` | `data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "Audit"` | high | **vendor fallback** — cognitive account ARM id (Pass 3 Example 1) |
+| `service.target.name` | `service.target.name` | `data_stream.dataset == "azure.open_ai"` | high | **preserve existing** — column-level `service.target.name IS NOT NULL` |
+| `service.target.name` | `azure.resource.name` | `data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "Audit"` | high | **vendor fallback** — account name (Pass 3 Example 1) |
+| `service.target.id` | `azure.open_ai.properties.model_deployment_name` | `data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "RequestResponse"` | high | **vendor fallback** — model deployment endpoint |
+| `service.target.name` | `azure.open_ai.properties.model_name` | `data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "RequestResponse"` | high | **vendor fallback** — e.g. `gpt-35-turbo` (Pass 3 Example 2) |
+| `service.target.id` | `azure.open_ai.properties.backend_request_body.model` | `data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "GatewayLogs"` | high | **vendor fallback** — fixture has `model`, not `model_deployment_name` |
+| `service.target.name` | `azure.open_ai.properties.backend_response_body.model` | `data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "GatewayLogs"` | high | **vendor fallback** — e.g. `gpt-35-turbo` (Pass 3 Example 3) |
+
+#### Event action mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `event.action` | `event.action` | `data_stream.dataset == "azure.open_ai"` | high | **preserve existing** — not set in fixtures today |
+| `event.action` | `azure.open_ai.operation_name` | `data_stream.dataset == "azure.open_ai" AND azure.open_ai.category IN ("Audit", "RequestResponse")` | high | **vendor fallback** — e.g. `ListKey`, `ChatCompletions_Create` |
+| `event.action` | `azure.open_ai.properties.operation_id` | `data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "GatewayLogs"` | high | **vendor fallback** — do **not** use top-level `azure.open_ai.operation_name` (`Microsoft.ApiManagement/GatewayLogs`) |
+
+### Detection flags (mandatory — run first)
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+**Semantics:** `source.ip` is intentionally **not** in `actor_exists` so GatewayLogs documents with only `source.ip` still receive `host.ip` ← `source.ip`. Mapped columns use column-level `IS NOT NULL` preserve (not blind `CASE(actor_exists, col, …)` when another actor column can be set).
+
+### Combined ES|QL — actor fields
+
+```esql
+| EVAL
+ user.id = CASE(
+ user.id IS NOT NULL, user.id,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "Audit", azure.open_ai.properties.object_id,
+ null
+ ),
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "GatewayLogs", source.ip,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "RequestResponse", azure.open_ai.caller_ip_address,
+ null
+ )
+```
+
+### Combined ES|QL — event action
+
+```esql
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category IN ("Audit", "RequestResponse"), azure.open_ai.operation_name,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "GatewayLogs", azure.open_ai.properties.operation_id,
+ null
+ )
+```
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ service.target.id = CASE(
+ service.target.id IS NOT NULL, service.target.id,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "Audit", azure.resource.id,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "RequestResponse", azure.open_ai.properties.model_deployment_name,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "GatewayLogs", azure.open_ai.properties.backend_request_body.model,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "Audit", azure.resource.name,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "RequestResponse", azure.open_ai.properties.model_name,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "GatewayLogs", azure.open_ai.properties.backend_response_body.model,
+ null
+ )
+```
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ user.id = CASE(
+ user.id IS NOT NULL, user.id,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "Audit", azure.open_ai.properties.object_id,
+ null
+ ),
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "GatewayLogs", source.ip,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "RequestResponse", azure.open_ai.caller_ip_address,
+ null
+ ),
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category IN ("Audit", "RequestResponse"), azure.open_ai.operation_name,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "GatewayLogs", azure.open_ai.properties.operation_id,
+ null
+ ),
+ service.target.id = CASE(
+ service.target.id IS NOT NULL, service.target.id,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "Audit", azure.resource.id,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "RequestResponse", azure.open_ai.properties.model_deployment_name,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "GatewayLogs", azure.open_ai.properties.backend_request_body.model,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "Audit", azure.resource.name,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "RequestResponse", azure.open_ai.properties.model_name,
+ data_stream.dataset == "azure.open_ai" AND azure.open_ai.category == "GatewayLogs", azure.open_ai.properties.backend_response_body.model,
+ null
+ )
+| KEEP @timestamp, data_stream.dataset, azure.open_ai.category, event.action, user.id, host.ip, service.target.id, service.target.name
+```
+
+### Streams excluded
+
+- **`azure.open_ai` (metrics)** — Azure Monitor time-bucketed gauges (tokens, latency, utilization); no per-request actor, action, or target entity.
+
+### Gaps and limitations
+
+- **`user.email` / `user.name` / `user.domain`** — not indexed on any log category; Audit exposes only Entra `object_id`.
+- **`service.target.name` Layer 1 platform** — `cloud.service.name` is absent; static literal `"azure_openai"` would require ingest enrichment, not fixture-grounded ES|QL.
+- **RequestResponse masked IP** — `81.2.69.***` is not a routable address; use for display only.
+- **GatewayLogs APIM vs cognitive account** — `azure.resource` on GatewayLogs fixtures is APIM (`microsoft.apimanagement/service`); model deployment target uses `backend_*_body.model`, not account resource ID.
+- **`gen_ai.*`** — rich prompt/completion/model usage in GatewayLogs remains vendor-only; outside mandatory actor/target column set.
+- **Alignment with Pass 2** — `event.action` and `user.id` are enhancement candidates at ingest; Pass 4 supplies query-time fallback only when those columns are empty.
+- **Pass 4 tautology cleanup** — no `CASE(col, col, …)` identity fallbacks; `source.ip` excluded from `actor_exists`; `user.id` / `host.ip` / `service.target.*` use column-level `IS NOT NULL` preserve so a populated `host.ip` does not block Audit `user.id` ← `object_id` or GatewayLogs `host.ip` ← `source.ip`.
+- **Pass 4 CASE syntax** — combined actor/action/target blocks use odd-arity `CASE` (condition/value pairs + trailing `null`); full pipeline fragment aligns with combined blocks (dataset guards on every fallback branch).
+- **Unscoped `FROM logs-*`** — dataset routing lives in `CASE` fallback conditions (`data_stream.dataset == "azure.open_ai"` + category), not a top-level `WHERE`.
+- **`entity.target.type` / `entity.target.sub_type` omitted** — stream/category routing is sufficient; Pass 3 sub_types (`cognitive_account`, `model_deployment`) are illustrative only.
diff --git a/dev/domain/p1/checkpoint_email.md b/dev/domain/p1/checkpoint_email.md
new file mode 100644
index 00000000000..adebd020ca2
--- /dev/null
+++ b/dev/domain/p1/checkpoint_email.md
@@ -0,0 +1,495 @@
+# checkpoint_email
+
+## Product Domain
+
+Check Point Harmony Email & Collaboration (formerly Avanan) is a cloud-native email and collaboration security platform that protects SaaS workloads rather than sitting inline in the SMTP path. It monitors email, file sharing, and messaging across Microsoft 365 (Exchange, OneDrive, SharePoint, Teams), Google Workspace (Gmail, Drive), Dropbox, Box, Citrix ShareFile, and Slack. The service scans messages, attachments, links, and shared files for malware, phishing, spam, data loss, account anomalies, and shadow IT usage, then applies remediation such as quarantine, blocking, or alerting before threats reach users.
+
+The platform is part of Check Point's Harmony suite and is managed through the Infinity Portal, with regional Cloudinfra API gateways for programmatic access. Security events are generated when detections fire across connected SaaS tenants—covering threat types such as malware, phishing, spam, DLP violations, malicious URLs, login anomalies, and unauthorized application use. Analysts triage events in the Harmony portal, where each alert includes severity, confidence, workflow state, and links back to the affected SaaS entity.
+
+From a security operations perspective, Harmony Email & Collaboration provides a centralized view of email-borne and collaboration-app threats across cloud mailboxes and adjacent productivity tools. Because many organizations have moved off traditional on-premises gateways, this API-driven telemetry complements gateway logs by capturing post-delivery inspection, SaaS-native DLP, and cross-application abuse that only a cloud CASB/SASE-style email security layer can observe.
+
+## Data Collected (brief)
+
+This integration collects **event** logs (`checkpoint_email.event`) from the Harmony Email & Collaboration Smart API via Elastic Agent CEL input with OAuth (Client ID/Secret from the Infinity Portal). A single data stream polls the `query_event` endpoint on a configurable interval and maps JSON security alerts into ECS.
+
+Events include threat and policy metadata: event type (e.g., malware, phishing, spam, DLP, anomaly, shadow IT, malicious URL), severity and confidence indicator, workflow state, SaaS source (`google_mail`, `office365_emails`, etc.), sender/recipient addresses, email subject, scan type, entity IDs and portal links, customer/organization ID, description and raw entity data, performed actions, and available analyst actions (dismiss, severity change). Fields are normalized to ECS categories (`email`, `threat`, `malware` where applicable) with `event.kind: alert`, plus `observer.vendor`/`observer.product` for Check Point Harmony Email & Collaboration.
+
+## Expected Audit Log Entities
+
+Harmony Email & Collaboration emits **security detection alerts** across connected SaaS tenants — not traditional admin audit logs (no portal login, config change, or IAM action stream). A single **`event`** data stream (`checkpoint_email.event`) polls the Smart API `query_event` endpoint. Events are audit-adjacent: threat detections (phishing, spam, malware, malicious URL), DLP violations, login/geo anomalies, shadow IT, and user-reported phishing. The pipeline (`packages/checkpoint_email/data_stream/event/elasticsearch/ingest_pipeline/default.yml`) groks embedded JSON entities from `checkpoint_email.event.data` for email-threat, user-reported, and geo-anomaly patterns; other principals remain in the unresolved `data` string. **No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*` fields are populated** (`dev/target-fields-audit/out/target_fields_audit.csv` — no rows for this package). The target-fields audit classifies this package as **`strong_candidate`** with **`pipeline_dest_identity=true`**, **`pipeline_actor=true`**, and **`fixture_strong=true`** (`dev/target-fields-audit/out/target_enhancement_packages.csv`). **`destination.user.*`** is listed in **`destination_identity_hits.csv`** (lines 261, 267, 269 of `default.yml`). **`event.action` is absent in all fixtures** (`sample_event.json`, `test-event.log-expected.json`); the pipeline never sets it — vendor detection type (`checkpoint_email.event.type`) and remediation actions (`checkpoint_email.event.actions.action_type`) retain the operation semantics in vendor fields only. Evidence: `packages/checkpoint_email/data_stream/event/sample_event.json`, `data_stream/event/_dev/test/pipeline/test-event.log-expected.json`, and `data_stream/event/fields/fields.yml`.
+
+### Event action (semantic)
+
+What operation or activity does the stream record?
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `phishing`, `spam`, `malware`, `malicious_url`, `suspicious_phishing` | detection | high | `checkpoint_email.event.type` ← API `json.type` (`default.yml:450–452`); fixtures: `phishing`, `spam`, `malware`, `malicious_url`, `suspicious_phishing` in `test-event.log-expected.json` | Primary **detection category** — what threat class was identified |
+| `dlp` | detection / data_access | high | `checkpoint_email.event.type: dlp`; DLP fixtures (`Resume` subject, PII leak descriptions) | Data-loss policy violation detected |
+| `anomaly` | detection | high | `checkpoint_email.event.type: anomaly`; geo-suspicious login fixtures (Google `sunny@example.io`, O365 `user@example.com`) | Login/geo behavioral anomaly — not an admin operation |
+| `shadow_it` | detection | high | `checkpoint_email.event.type: shadow_it`; `sample_event.json`, shadow IT fixtures (`john@example.com` using `google.com`) | Unauthorized SaaS application usage detected |
+| `alert` | detection | high | `checkpoint_email.event.type: alert`; user-reported phishing fixture (`user@example.com` reported message) | End-user reported phishing — detection trigger |
+| `logged in` | authentication | high | `checkpoint_email.event.user.action` ← grok `_temp.user_action.label` (`default.yml:319–321`); O365 geo fixture `ae5ce6faee2541898877dec2779ebc42` | **`anomaly`** (O365 geo only) — SaaS login verb embedded in `data`, not in `event.action` |
+| `login_success` (embedded) | authentication | medium | Embedded `google_event_login` label `performed activity (login_success)` in `data`; Google geo-suspicious fixtures | **`anomaly`** (Google geo) — login activity in vendor `data` only; no ECS action field |
+| `quarantine_email`, `restore_email`, `move_to_spam`, `google_mail_email_change_subject`, `office365_emails_decline_report_phishing` | remediation | high | `checkpoint_email.event.actions[].action_type` ← API `actions[].actionType` (`default.yml:101–144`); fixtures: quarantined shadow_it, phishing subject change, spam header action, user-reported decline | **Remediation performed** on the SaaS entity — distinct from detection type; multi-valued array |
+| `dismiss`, `severityChange` | administration | medium | `checkpoint_email.event.available_event_actions[].action_name` ← API `availableEventActions[].actionName` (`default.yml:151–172`); DLP fixture with four severity-change options | Analyst workflow actions **available** for the alert — not yet performed |
+| `avanan_ap_scan`, `clicktime_protection_scan`, `ms_defender_scan` | detection | medium | `checkpoint_email.event.scan_type` ← grok `_temp.scan_information.entity_type` (`default.yml:218–220`); phishing/spam/malicious_url/suspicious_phishing fixtures | Which inline scan engine triggered — sub-action detail for email-threat events |
+
+Detection alerts name the **threat category** (`type`) as the primary semantic action. Remediation verbs (`actions.action_type`) and analyst options (`available_event_actions.action_name`) are secondary action layers on the same alert document.
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `checkpoint_email.event.type` ← `json.type` | **no** | n/a | `phishing`, `spam`, `malware`, `dlp`, `anomaly`, `shadow_it`, `malicious_url`, `alert`, `suspicious_phishing` | **yes** | `default.yml:450–452` rename only; all fixtures populate vendor `type`; never copied to `event.action` |
+| `checkpoint_email.event.scan_type` | **no** | n/a | `avanan_ap_scan`, `clicktime_protection_scan`, `ms_defender_scan` | partial | `default.yml:218–220`; email-threat sub-detail — use as secondary field or composite with `type` |
+| `checkpoint_email.event.user.action` | **no** | n/a | `logged in` | **yes** | `default.yml:319–321`; O365 geo anomaly fixture only — SaaS login verb |
+| `checkpoint_email.event.actions[].action_type` | **no** | n/a | `quarantine_email`, `restore_email`, `move_to_spam`, `google_mail_email_change_subject`, `office365_emails_decline_report_phishing` | partial | `default.yml:101–144`; remediation array — consider `event.action` for primary detection type and retain these under vendor or `event.action` array for remediation |
+| `checkpoint_email.event.available_event_actions[].action_name` | **no** | n/a | `dismiss`, `severityChange` | no | `default.yml:151–172`; workflow options, not performed action |
+| Embedded `google_event_login` label in `data` | **no** | n/a | `login_success` (normalize from `performed activity (login_success)`) | **yes** | Google geo-suspicious fixtures; vendor-only — grok does not promote to ECS |
+| `event.type` (ECS) | yes (partial substitute) | **no** | `[info]`, `[indicator]` | no | `default.yml:81–92` static append — ECS event **shape**, not security operation; do not substitute for `event.action` |
+| `event.category` | yes (partial substitute) | partial | `email`, `threat`, `malware` | no | Category enrichment from `json.type`; complements but does not replace action verb |
+| `checkpoint_email.event.confidence_indicator` | **no** | n/a | — | no | Detection confidence (`detected`, `malicious`, `alert`) — metadata, not action |
+
+**Per-stream action check (Step 2b):**
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `event` | **no** | **no** | `checkpoint_email.event.type` | high | `sample_event.json`, all `test-event.log-expected.json` documents; `default.yml` has no `event.action` set/rename |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Email sender | user | — | high | `source.user.email` / `.name` / `.domain` ← API `senderAddress` → `checkpoint_email.event.sender_address` (dissect); mirrored to `email.sender.address` and `related.user`. Fixtures: phishing (`info@example.in`), spam (`support@example.in`), DLP leaker (`alice@example.io`, `sandy@example.io`), malicious_url (`info@example.com`), M365 malware (`external@example.com`) in `test-event.log-expected.json`. | Email-borne threat and DLP events when `senderAddress` is populated |
+| Geo/login anomaly subject | user | — | high | `user.email` / `.name` / `.domain` ← grok `_temp.user_address` on `data` → `checkpoint_email.event.user.address` → `user.email` (dissect). Fixture: `ae5ce6faee2541898877dec2779ebc42` (`user@example.com` logged in from New Zealand, `type=anomaly`). | **`anomaly`** — O365 geo pattern only; Google geo-suspicious login (`sunny@example.io`) stays vendor-only in `data` |
+| User-reported phishing reporter | user | — | high | Reporter identity embedded in `data` as `office365_emails_user` / `google_user` label; grok maps reporter to `_temp.destination_user` → **`destination.user.*`** (see mapping note — semantically actor, not target). Fixture: user-reported alert (`user@example.com`, `type=alert`, `event.id=45abcdef012345678998765432100abd`). | **`alert`** — reporter is the human actor; ECS actor fields not populated |
+| SaaS mailbox user (unparsed) | user | — | medium | Embedded `google_user` / `office365_emails_user` in `checkpoint_email.event.data` for shadow IT, Google geo-suspicious login, and some DLP events — not promoted to ECS `user.*` or `source.user.*`. Fixtures: shadow_it (`john@example.com` in `sample_event.json`), geo-suspicious login (`sunny@example.io`). | **`shadow_it`**, **`anomaly`** (Google), DLP without grok match |
+| System alert sender | service | — | high | `source.user.email` from API `senderAddress` when value is a platform noreply address (e.g. `google-workspace-alerts-noreply@google.com`). Fixtures: shadow_it events in `test-event.log-expected.json` and `sample_event.json`. | Not a human actor — automated SaaS notification envelope |
+| Detection platform | service | — | high | `observer.vendor` / `observer.product` statically set (`Check Point`, `Harmony Email & Collaboration`). All fixtures. | Observer identity — enforcing CASB/email-security service, not the caller |
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `source.user.email`, `source.user.name`, `source.user.domain` | Email sender / leaker | yes | yes | high | ← `json.senderAddress` rename → dissect (`default.yml:385–400`); phishing/spam/DLP/malicious_url fixtures |
+| `user.email`, `user.name`, `user.domain` | Geo/login anomaly subject | yes | yes | high | ← grok `_temp.user_address` on `data` → `checkpoint_email.event.user.address` → `user.email` (`default.yml:278–303`); O365 geo fixture `ae5ce6faee2541898877dec2779ebc42` |
+| `email.sender.address` | Sender mailbox (email field set) | yes | yes | high | Copy from `checkpoint_email.event.sender_address` (`default.yml:401–405`) |
+| `related.user` | Actor/target cross-reference | yes | partial | high | Appends sender, destination, and geo-anomaly user (`default.yml:272–277`, `304–309`, `406–411`); does not distinguish actor vs target roles |
+| `checkpoint_email.event.sender_address` | Vendor sender copy | yes (vendor) | n/a | high | Retained when `preserve_duplicate_custom_fields` tag set; removed otherwise |
+| `checkpoint_email.event.user.address`, `.action`, `.country` | Geo-anomaly user context | yes (vendor) | n/a | high | From grok on `data` (`default.yml:286–322`); O365 geo fixture |
+| `checkpoint_email.event.data` (embedded `google_user`, `office365_emails_user`) | Unparsed SaaS user identity | yes (vendor) | n/a | medium | Canonical actor for shadow IT and Google geo events; only in unresolved `data` string |
+| `checkpoint_email.event.saas` | Connected SaaS platform name | yes (vendor) | n/a | high | ← `json.saas` (`default.yml:379–383`); `google_mail`, `office365_emails` — scope/platform context, not actor |
+| `organization.name` | Customer tenant scope | yes | n/a | high | ← `json.customerId` (`default.yml:179–188`); tenant context, not actor |
+| `observer.vendor`, `observer.product` | Detection platform | yes | yes | high | Static set (`default.yml:93–100`); observer, not human actor |
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Platform / cloud service | Connected SaaS workload under protection | Google Mail, Microsoft 365 Email, etc. | service | — | high | `checkpoint_email.event.saas` ← API `saas` (`google_mail`, `office365_emails`). All fixtures; `sample_event.json`. | Identifies which protected tenant/workload produced the alert |
+| 2 — Resource / object | Mailbox owner / recipient | SaaS mailbox user | user | — | high | `destination.user.email` / `.name` / `.domain` ← grok `_temp.destination_user` ("X's mailbox") → `checkpoint_email.event.destination_address` (`default.yml:248–271`). Fixtures: phishing (`alex@example.com`), spam, malicious_url (`boss@example.io`), M365 malware, suspicious_phishing. | Primary de-facto user target for email-threat events |
+| 2 — Resource / object | SaaS entity under inspection | Message, login session, scan artifact | general | saas_entity | high | `checkpoint_email.event.entity_id`, `event.id` ← API `entityId` / `eventId`. All fixtures. | Primary correlation ID for portal link (`event.url` ← `entity_link`) |
+| 2 — Resource / object | Login / management event (anomaly) | SaaS login session | general | login_session | medium | Embedded `google_event_login`, `office365_mgmnt_event` in `data`; referenced by `entity_id` but not ECS-mapped. Fixtures: Google geo-suspicious login, O365 geo anomaly. | Layer 2 target for **`anomaly`** events |
+| 2 — Resource / object | Shadow IT application / domain | External app or DNS target | general | saas_application | medium | Embedded `av_dns_info` in `data` (e.g. `google.com (Search Engine)`). Fixture: shadow_it in `sample_event.json`. | Layer 2 target for **`shadow_it`**; SaaS user is actor, external app is acted-upon resource |
+| 2 — Resource / object | Customer organization | Harmony customer tenant | general | organization | high | `organization.name` ← `customerId`. All fixtures. | Tenant scope — context, not granular target |
+| 3 — Content / artifact | Email message subject | Email message | general | email_message | high | `email.subject`, `checkpoint_email.event.email_subject` ← grok `_temp.email_subject.label` on `data`. Fixtures: phishing (`Support: Link`), spam, DLP (`Resume`), M365 malware (`Cogito, ergo sum`). | Message content identity; supplements Layer 2 entity |
+| 3 — Content / artifact | Detection scan engine | Inline scan module | general | scan_engine | medium | `checkpoint_email.event.scan_type` ← embedded scan entity `entity_type` (`avanan_ap_scan`, `clicktime_protection_scan`, `ms_defender_scan`). Fixtures: phishing, spam, malicious_url, suspicious_phishing. | Which Harmony/Avanan engine triggered |
+| 3 — Content / artifact | Remediation / analyst actions | Quarantine, dismiss, severity change | general | remediation_action | medium | `checkpoint_email.event.actions`, `.available_event_actions` with `action_type`, `related_entity_id`. Fixtures: quarantined shadow_it, phishing with subject change, spam with header action. | Actions performed on or available for the Layer 2 entity |
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `destination.user.email`, `.name`, `.domain` | 2 | user | yes | partial | `user.target.email` / `.name` | **yes** | ← grok `_temp.destination_user.label` on `data` ("X's mailbox") → `checkpoint_email.event.destination_address` → `destination.user.email` + dissect (`default.yml:241–271`); also `email.to.address`, `related.user`. **De-facto target** for email-threat events. **Listed in `destination_identity_hits.csv`**. Fixtures: phishing, spam, malicious_url, M365 malware |
+| `destination.user.*` (user-reported phishing) | 2 | user | yes | **no** | `user.email` (actor) | yes | Grok pattern `^User #... reported a phishing email` maps **reporter** to `_temp.destination_user` → `destination.user.*` (`default.yml:202`, `248–271`). Fixture: `type=alert`, reporter `user@example.com` — semantically **actor**, not mailbox target; actor/target conflation |
+| `email.to.address` | 2 | user | yes | yes | `user.target.email` | yes | Append from `checkpoint_email.event.destination_address` (`default.yml:254–259`); parallel recipient identity to `destination.user.email` |
+| `email.subject`, `checkpoint_email.event.email_subject` | 3 | general (email_message) | yes | yes | context | no | ← grok `_temp.email_subject.label` (`default.yml:222–239`); message artifact |
+| `checkpoint_email.event.entity_id`, `event.id` | 2 | general (saas_entity) | yes | yes | `entity.target.id` | yes | ← API `entityId` / `eventId` (`default.yml:333–378`); primary SaaS object ID |
+| `checkpoint_email.event.saas` | 1 | service | yes (vendor) | n/a | `cloud.service.name` / `service.target.name` | yes | ← API `saas` (`default.yml:379–383`); protected SaaS platform — no `cloud.service.name` mapping today |
+| `checkpoint_email.event.scan_type` | 3 | general (scan_engine) | yes (vendor) | n/a | `service.target.name` | yes | ← embedded scan entity `entity_type` (`default.yml:217–221`); detection engine invoked |
+| `checkpoint_email.event.data` (embedded entities) | 2–3 | general (varies) | yes (vendor) | n/a | `entity.target.*` / `user.target.*` | yes | Unparsed targets: `google_mail_email` / `office365_emails_email` (messages), `google_event_login` / `office365_mgmnt_event` (sessions), `av_dns_info` (shadow IT), `avanan_dlp` (DLP engine). Only email-threat/geo patterns grok-parsed |
+| `checkpoint_email.event.actions`, `.available_event_actions` | 3 | general (remediation_action) | yes (vendor) | n/a | context | no | Performed/available analyst actions tied to `related_entity_id` |
+| `organization.name` | — | general (organization) | yes | n/a | context-only | no | Customer tenant scope; not granular target |
+| `event.url` | 2 | general (portal_link) | yes | yes | context | no | ← `checkpoint_email.event.entity_link`; portal deep link to inspected entity |
+| `user.email` (geo anomaly) | 2 | user | yes | partial | `user.target.email` | yes | O365 geo anomaly: affected user who logged in (`default.yml:278–303`). Semantically the **subject of the anomaly** (target) but stored in actor field set `user.*` — actor/target field-set tension |
+| `observer.vendor`, `observer.product` | 1 | service | yes | n/a | context-only | no | Detection platform identity; observer, not acted-upon target |
+
+### Gaps and mapping notes
+
+- **`event.action` gap:** Vendor `json.type` → `checkpoint_email.event.type` names the detection operation (`phishing`, `dlp`, `anomaly`, …) but is never copied to ECS `event.action`. **Primary enhancement:** map `checkpoint_email.event.type` → `event.action` for all alert events. For O365 geo anomalies, also consider `checkpoint_email.event.user.action` (`logged in`) as a secondary or stream-specific action. Remediation verbs in `checkpoint_email.event.actions.action_type` are a separate action layer — do not conflate with detection type.
+- **No official ECS target fields:** Aligns with `target_enhancement_packages.csv` (`strong_candidate`, all ECS target tiers false). Primary enhancement path: promote de-facto targets to `user.target.*` and `entity.target.id`.
+- **`destination.user.*` is the primary de-facto user target** for email-threat events — grok extracts the mailbox owner from "X's mailbox" text in `data`, not from network flow semantics. **Listed in `destination_identity_hits.csv`**. Mapping is **correct** for phishing, spam, malware, malicious_url, and M365 attachment events. **`Enhancement candidate: yes`** → migrate to `user.target.email` / `.name` / `.domain`.
+- **User-reported phishing conflates actor and target:** Grok pattern for `^User #... reported a phishing email` places the **reporter** in `_temp.destination_user` → `destination.user.*` (`default.yml:202`). The reporter is semantically the **actor**; the reported message (`email.subject`, `entity_id`) is the target. **`Mapping correct? no`** for `destination.user.*` on `type=alert` events. Consider routing reporter to `user.*` / `source.user.*` and leaving `destination.user.*` empty or mapping a distinct recipient if available.
+- **`user.email` on geo anomaly holds target semantics in actor field set:** O365 geo pattern maps the affected login user to `user.*` (`default.yml:292–303`), not `user.target.*` or `destination.user.*`. The user is the **subject of the detection** (Layer 2 target), not the initiator — partial actor/target conflation.
+- **Google geo-suspicious and shadow IT actors remain vendor-only:** `sunny@example.io` (Google geo login) and `john@example.com` (shadow IT) appear only in `checkpoint_email.event.data` embedded `google_user` entities — no ECS `user.*` promotion despite being the human subject of the alert.
+- **DLP events often lack parsed recipient:** When `data` is empty or does not match grok patterns, leaker may appear only in `description`/`message` and sender in `source.user.*` (`alice@example.io`, `sandy@example.io` fixtures); `destination.user.*` not populated.
+- **`related.user` aggregates actor and target identities** (sender, recipient, geo user) without role distinction — useful for correlation but not for actor/target analytics.
+- **`checkpoint_email.event.saas` identifies Layer 1 protected platform** (`google_mail`, `office365_emails`) but is not mapped to `cloud.service.name` — enhancement candidate for SaaS target service identity.
+- **Vendor-only target identity in `checkpoint_email.event.data`:** Login sessions (`google_event_login`, `office365_mgmnt_event`), shadow IT domains (`av_dns_info`), and DLP engine references (`avanan_dlp`) are best sources for future `entity.target.*` / `service.target.*` migration.
+- **Alignment with target-fields audit:** `strong_candidate` with `pipeline_dest_identity=true` and `pipeline_actor=true` matches evidence — rich sender/recipient identity via `source.user.*` and `destination.user.*`, zero official `*.target.*` fields, strong fixture coverage for de-facto targets.
+
+### Per-stream notes
+
+- **`checkpoint_email.event`:** Single stream; all event types share one pipeline. Email-borne threats (`phishing`, `spam`, `malware`, `malicious_url`, `suspicious_phishing`) consistently populate `source.user.*` (sender) and `destination.user.*` (mailbox owner) when grok matches; **`checkpoint_email.event.type`** holds the detection action (`phishing`, `spam`, …) but **`event.action` is empty**. **`anomaly`** splits: O365 geo → `user.*` + `checkpoint_email.event.user.action: logged in`; Google geo-suspicious → vendor-only in `data` with embedded `login_success`. **`shadow_it`** → external app in `data`, SaaS user vendor-only, system noreply as `source.user.*`. **`dlp`** → sender often mapped; recipient/subject parsing depends on `data` content. **`alert`** (user-reported) → reporter wrongly in `destination.user.*`. Remediation history in `checkpoint_email.event.actions` (e.g. `quarantine_email`) when state is `remediated`. No metrics or inventory streams — all events are detection alerts with `event.kind: alert`.
+ +## Example Event Graph + +All examples come from the single **`checkpoint_email.event`** stream (`packages/checkpoint_email/data_stream/event/`). These are **audit-adjacent security detection alerts** — threat, DLP, anomaly, and shadow-IT findings from the Harmony Smart API, not admin audit logs. **`event.action` is absent in all fixtures**; detection category is read from `checkpoint_email.event.type`. + +### Example 1: Phishing email to mailbox + +**Stream:** `checkpoint_email.event` · **Fixture:** `packages/checkpoint_email/data_stream/event/_dev/test/pipeline/test-event.log-expected.json` (event `abaabcdef01234567894115b9e64da71`) + +``` +info@example.in → phishing → alex@example.com (mailbox) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | info@example.in | +| name | info | +| type | user | + +**Field sources:** + +- `id` ← `source.user.email` ← `checkpoint_email.event.sender_address` +- `name` ← `source.user.name` (dissect from sender address) + +#### Event action + +| Field | Value | +| --- | --- | +| action | phishing | +| source_field | `checkpoint_email.event.type` | +| source_value | `phishing` | + +**Not mapped to ECS `event.action` today** — vendor detection type only. 
+ +#### Target + +| Field | Value | +| --- | --- | +| id | alex@example.com | +| name | alex | +| type | user | +| sub_type | email_recipient | + +**Field sources:** + +- `id` ← `destination.user.email` ← grok `_temp.destination_user` on `checkpoint_email.event.data` ("alex@example.com's mailbox") +- `name` ← `destination.user.name` + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: info@example.in"] --> E["phishing"] + E --> T["Target: alex@example.com"] +``` + +### Example 2: Shadow IT — unauthorized SaaS app + +**Stream:** `checkpoint_email.event` · **Fixture:** `packages/checkpoint_email/data_stream/event/sample_event.json` + +``` +john@example.com → shadow_it → google.com (Search Engine) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | john@example.com | +| name | john@example.com | +| type | user | + +**Field sources:** + +- `id`, `name` ← embedded `google_user` label in `checkpoint_email.event.data` — **not promoted to ECS `user.*` or `source.user.*`**; `source.user.*` holds the automated noreply envelope (`google-workspace-alerts-noreply@google.com`), not the human subject. 
+ +#### Event action + +| Field | Value | +| --- | --- | +| action | shadow_it | +| source_field | `checkpoint_email.event.type` | +| source_value | `shadow_it` | + +**Not mapped to ECS `event.action` today.** + +#### Target + +| Field | Value | +| --- | --- | +| id | google.com | +| name | google.com (Search Engine) | +| type | general | +| sub_type | saas_application | + +**Field sources:** + +- `id`, `name` ← embedded `av_dns_info` label in `checkpoint_email.event.data` + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: john@example.com"] --> E["shadow_it"] + E --> T["Target: google.com"] +``` + +### Example 3: O365 geo-login anomaly + +**Stream:** `checkpoint_email.event` · **Fixture:** `packages/checkpoint_email/data_stream/event/_dev/test/pipeline/test-event.log-expected.json` (event `ae5ce6faee2541898877dec2779ebc42`) + +``` +user@example.com → anomaly → login session (office365_emails) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | user@example.com | +| name | user | +| type | user | +| geo | New Zealand | + +**Field sources:** + +- `id` ← `user.email` ← grok `_temp.user_address` on `checkpoint_email.event.data` → `checkpoint_email.event.user.address` +- `name` ← `user.name` +- `geo` ← `checkpoint_email.event.user.country` + +The affected user is also the **subject of the detection** (Layer 2 target semantics) but is stored in the actor field set `user.*`, not `destination.user.*` or `user.target.*`. + +#### Event action + +| Field | Value | +| --- | --- | +| action | anomaly | +| source_field | `checkpoint_email.event.type` | +| source_value | `anomaly` | + +**Not mapped to ECS `event.action` today.** Embedded login verb `logged in` is available in `checkpoint_email.event.user.action` but is not the primary detection category. 
+ +#### Target + +| Field | Value | +| --- | --- | +| id | 61a845f1-ec40-4097-93d5-b482dc50820c | +| name | office365_emails | +| type | service | + +**Field sources:** + +- `id` ← `checkpoint_email.event.entity_id` (SaaS login/management event) +- `name` ← `checkpoint_email.event.saas` + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: user@example.com"] --> E["anomaly"] + E --> T["Target: office365_emails login session"] +``` + +## ES|QL Entity Extraction + +**Package type: agent-backed** (policy template `checkpoint_email`, single `data_stream/event` with Tier A fixtures and ingest pipeline). Query-time extraction routes on **`data_stream.dataset == "checkpoint_email.event"`**; secondary discriminator **`checkpoint_email.event.type`** guards actor/target conflation (user-reported `alert`, geo `anomaly`). Pass 4 is **fill-gaps-only**: detection flags run first; mapped columns use **column-level** `CASE( IS NOT NULL, , …)` — not `CASE(actor_exists|target_exists|action_exists, , …)` — so `source.user.email` setting `actor_exists` does not block `user.email` fallbacks when `user.email` is empty (Pass 4 §10). Email-threat events promote **`destination.user.*`** (de-facto mailbox owner) to **`user.target.*`** when `type` is not `alert`. Ingest does not populate ECS `*.target.*` or `event.action` today. 
+ +### Dataset inventory + +| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction | +| --- | --- | --- | --- | --- | +| `checkpoint_email.event` | Detection alerts (all `checkpoint_email.event.type` values) | user / service (noreply envelope) | user (mailbox), service (geo), general (entity/message) | partial — type-guarded | + +### Field mapping plan + +#### Actor mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `user.email` | `user.email` | `… AND checkpoint_email.event.type == "anomaly"` | high | **ingest-only — no ES\|QL** — O365 geo (`default.yml:292–296`); preserve via `actor_exists` only | +| `user.email` | `source.user.email` | `… AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing", "dlp")` | high | **vendor fallback** — sender/leaker at ingest | +| `user.email` | `destination.user.email` | `… AND checkpoint_email.event.type == "alert"` | medium | **de-facto destination.*** — reporter wrongly in `destination.user.*`; promote to actor only when `user.email` / `source.user.email` empty | +| `user.name` | `user.name` | `… AND checkpoint_email.event.type == "anomaly"` | high | **ingest-only — no ES\|QL** — dissect from `user.email` at ingest; preserve via `actor_exists` only | +| `user.name` | `source.user.name` | `… AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing", "dlp")` | high | **vendor fallback** | +| `user.name` | `destination.user.name` | `… AND checkpoint_email.event.type == "alert"` | medium | reporter display name | +| `user.domain` | `user.domain` | `… AND checkpoint_email.event.type == "anomaly"` | high | **ingest-only — no ES\|QL** — dissect from `user.email` at ingest; preserve via `actor_exists` only | +| `user.domain` | `source.user.domain` | `… AND checkpoint_email.event.type IN ("phishing", "spam", 
"malware", "malicious_url", "suspicious_phishing", "dlp")` | high | **vendor fallback** | +| `user.domain` | `destination.user.domain` | `… AND checkpoint_email.event.type == "alert"` | medium | reporter domain | + +#### Target mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `user.target.email` | `destination.user.email` | `… AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing") AND checkpoint_email.event.type != "alert"` | high | **de-facto destination.*** — mailbox owner; excludes user-reported `alert` | +| `user.target.name` | `destination.user.name` | same | high | **de-facto destination.*** | +| `user.target.domain` | `destination.user.domain` | same | high | **de-facto destination.*** | +| `entity.target.id` | `checkpoint_email.event.entity_id` | `… AND checkpoint_email.event.entity_id IS NOT NULL` | high | **vendor fallback** — SaaS entity / portal correlation | +| `entity.target.name` | `email.subject` | `… AND email.subject IS NOT NULL` | high | **vendor fallback** — message artifact (Pass 3 Layer 3) | +| `entity.target.type` | literals | email-threat types → `"user"`; `anomaly` → `"service"`; `shadow_it` → `"general"` | medium | **semantic literal** in fallback only | +| `entity.target.sub_type` | `"email_recipient"` | email-threat types with `destination.user.email` | high | **semantic literal** — Pass 3 mailbox target | +| `service.target.name` | `checkpoint_email.event.saas` | `… AND checkpoint_email.event.type == "anomaly"` | high | **vendor fallback** — protected SaaS on geo alerts (Pass 3 example 3) | + +**Omitted (Gaps):** `user.target.*` for `type=alert` (reporter conflation); `user.target.*` for `anomaly` (affected user stays in `user.*` per ingest); `service.target.name` on email-threat rows (Pass 3 user mailbox target); shadow IT / Google geo actors (vendor-only in `data`). 
+ +### Detection flags (mandatory — run first) + +```esql +| EVAL + actor_exists = user.email IS NOT NULL OR user.name IS NOT NULL OR user.domain IS NOT NULL + OR source.user.email IS NOT NULL OR source.user.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL OR entity.target.type IS NOT NULL, + action_exists = event.action IS NOT NULL +``` + +**Semantics:** `actor_exists` includes **`source.user.*`** because email-threat senders are indexed there, not under `user.*`. No ECS `*.target.*` at ingest — `target_exists` is false on Tier A fixtures; de-facto `destination.user.*` → `user.target.*` applies in fallback branches only. Actor/target/action `EVAL` blocks use **column-level** preserve — not `CASE(actor_exists, user.email, …)` / `CASE(target_exists, user.target.email, …)` / `CASE(action_exists, event.action, …)`. + +**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. Wrong: `CASE(user.email IS NOT NULL, user.email, source.user.email, null)` (4 args — `source.user.email` is a **condition**). Wrong: `CASE(actor_exists, user.email, …, source.user.email, null)` — when `actor_exists` is true from `source.user.email` but `user.email` is empty, preserve returns null. Right: **5-arg** / **7-arg** `CASE(user.email IS NOT NULL, user.email, data_stream.dataset == "checkpoint_email.event" AND … AND source.user.email IS NOT NULL, source.user.email, null)`. `actor_exists` / `target_exists` / `action_exists` are helpers only — not first `CASE` branches on mapped columns. 
+ +### Optional classification helpers (when needed) + +`entity.target.type` and `entity.target.sub_type` are set in the **target** `EVAL` fallback branch only (never `target.entity.type`). + +### Combined ES|QL — actor fields + +```esql +| EVAL + user.email = CASE( + user.email IS NOT NULL, user.email, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing", "dlp") AND source.user.email IS NOT NULL, source.user.email, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "alert" AND destination.user.email IS NOT NULL, destination.user.email, + null + ), + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing", "dlp") AND source.user.name IS NOT NULL, source.user.name, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "alert" AND destination.user.name IS NOT NULL, destination.user.name, + null + ), + user.domain = CASE( + user.domain IS NOT NULL, user.domain, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing", "dlp") AND source.user.domain IS NOT NULL, source.user.domain, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "alert" AND destination.user.domain IS NOT NULL, destination.user.domain, + null + ) +``` + +### Combined ES|QL — event action + +`event.action` is absent in all Tier A fixtures; fallback maps vendor detection category. 
+ +```esql +| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IS NOT NULL, checkpoint_email.event.type, + null + ) +``` + +Remediation verbs in `checkpoint_email.event.actions.action_type` remain a separate layer (Pass 2) — not wired here to avoid overriding detection `type`. + +### Combined ES|QL — target fields + +```esql +| EVAL + user.target.email = CASE( + user.target.email IS NOT NULL, user.target.email, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing") AND checkpoint_email.event.type != "alert" AND destination.user.email IS NOT NULL, destination.user.email, + null + ), + user.target.name = CASE( + user.target.name IS NOT NULL, user.target.name, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing") AND checkpoint_email.event.type != "alert" AND destination.user.name IS NOT NULL, destination.user.name, + null + ), + user.target.domain = CASE( + user.target.domain IS NOT NULL, user.target.domain, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing") AND checkpoint_email.event.type != "alert" AND destination.user.domain IS NOT NULL, destination.user.domain, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.entity_id IS NOT NULL, checkpoint_email.event.entity_id, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "checkpoint_email.event" AND email.subject IS NOT NULL, email.subject, + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, 
entity.target.type, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing"), "user", + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "anomaly", "service", + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "shadow_it", "general", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing") AND destination.user.email IS NOT NULL, "email_recipient", + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "anomaly" AND checkpoint_email.event.saas IS NOT NULL, checkpoint_email.event.saas, + null + ) +``` + +### Full pipeline fragment (optional) + +```esql +FROM logs-* +| EVAL + actor_exists = user.email IS NOT NULL OR user.name IS NOT NULL OR user.domain IS NOT NULL + OR source.user.email IS NOT NULL OR source.user.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL OR entity.target.type IS NOT NULL, + action_exists = event.action IS NOT NULL +| EVAL + user.email = CASE(user.email IS NOT NULL, user.email, data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing", "dlp") 
AND source.user.email IS NOT NULL, source.user.email, data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "alert" AND destination.user.email IS NOT NULL, destination.user.email, null), + user.name = CASE(user.name IS NOT NULL, user.name, data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing", "dlp") AND source.user.name IS NOT NULL, source.user.name, data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "alert" AND destination.user.name IS NOT NULL, destination.user.name, null), + user.domain = CASE(user.domain IS NOT NULL, user.domain, data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing", "dlp") AND source.user.domain IS NOT NULL, source.user.domain, data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "alert" AND destination.user.domain IS NOT NULL, destination.user.domain, null) +| EVAL + event.action = CASE(event.action IS NOT NULL, event.action, data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IS NOT NULL, checkpoint_email.event.type, null) +| EVAL + user.target.email = CASE(user.target.email IS NOT NULL, user.target.email, data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing") AND checkpoint_email.event.type != "alert" AND destination.user.email IS NOT NULL, destination.user.email, null), + user.target.name = CASE(user.target.name IS NOT NULL, user.target.name, data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing") AND checkpoint_email.event.type != "alert" AND destination.user.name IS NOT NULL, destination.user.name, null), + user.target.domain = 
CASE(user.target.domain IS NOT NULL, user.target.domain, data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing") AND checkpoint_email.event.type != "alert" AND destination.user.domain IS NOT NULL, destination.user.domain, null), + entity.target.id = CASE(entity.target.id IS NOT NULL, entity.target.id, data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.entity_id IS NOT NULL, checkpoint_email.event.entity_id, null), + entity.target.name = CASE(entity.target.name IS NOT NULL, entity.target.name, data_stream.dataset == "checkpoint_email.event" AND email.subject IS NOT NULL, email.subject, null), + entity.target.type = CASE(entity.target.type IS NOT NULL, entity.target.type, data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing"), "user", data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "anomaly", "service", data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "shadow_it", "general", null), + entity.target.sub_type = CASE(entity.target.sub_type IS NOT NULL, entity.target.sub_type, data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type IN ("phishing", "spam", "malware", "malicious_url", "suspicious_phishing") AND destination.user.email IS NOT NULL, "email_recipient", null), + service.target.name = CASE(service.target.name IS NOT NULL, service.target.name, data_stream.dataset == "checkpoint_email.event" AND checkpoint_email.event.type == "anomaly" AND checkpoint_email.event.saas IS NOT NULL, checkpoint_email.event.saas, null) +| KEEP @timestamp, data_stream.dataset, event.action, checkpoint_email.event.type, user.email, user.name, user.domain, user.target.email, user.target.name, user.target.domain, entity.target.id, entity.target.name, entity.target.type, 
entity.target.sub_type, service.target.name, email.subject +``` + +### Streams excluded + +None — single detection-alert stream; no metrics or inventory datasets. + +### Gaps and limitations + +- **`type=alert` user-reported phishing:** Ingest maps reporter to `destination.user.*` (Pass 2 **Mapping correct? no**); Pass 4 promotes reporter to `user.email` in actor fallback and **excludes** `destination.user.*` → `user.target.*` — reported message remains `entity.target.id` / `email.subject`. +- **Geo `anomaly`:** Affected user stays in `user.*` (ingest); target is `service.target.name` + `entity.target.id` per Pass 3 — not duplicated to `user.target.*`. Actor `user.email` / `user.name` / `user.domain` are **ingest-only — no ES|QL** fallback (no alternate query-time source; `actor_exists` preserves ingest values). +- **Shadow IT / Google geo actors:** Human subjects only in `checkpoint_email.event.data` — no fixture-grounded `user.*` fallback. +- **DLP recipient:** `destination.user.*` often absent when grok fails — `user.target.*` omitted for those rows. +- **`checkpoint_email.event.actions.action_type`:** Remediation array not mapped to `event.action` (separate from detection `type`). +- **Ingest enhancement preferred:** Promote `destination.user.*` → `user.target.*` and `checkpoint_email.event.type` → `event.action` at pipeline time; this block is query-time fill-gaps only. +- **Pass 4 CASE syntax** — combined actor/action/target blocks and the full pipeline fragment use column-level **5-arg** / **7-arg** / **9-arg** `CASE( IS NOT NULL, , …)` with trailing `null`; never **4-arg** `CASE( IS NOT NULL, , bare_field, null)` or `CASE(actor_exists|target_exists|action_exists, , …)` where a bare field parses as a boolean condition. `actor_exists` / `target_exists` / `action_exists` are detection helpers only. diff --git a/dev/domain/p1/cisco_meraki.md b/dev/domain/p1/cisco_meraki.md new file mode 100644 index 00000000000..3f8ac64e0aa --- /dev/null 
+++ b/dev/domain/p1/cisco_meraki.md 
@@ -0,0 +1,562 @@
+# cisco_meraki
+
+## Product Domain
+
+Cisco Meraki is a cloud-managed networking platform that delivers secure, scalable, and centrally administered networks through an out-of-band cloud architecture. Organizations deploy Meraki hardware—MX Security Appliances (firewall/SD-WAN/VPN), MR wireless access points, MS switches, MV cameras, and related devices—and manage them from the Meraki Dashboard web UI or mobile app rather than per-device CLI configuration. Policy, firmware, monitoring, and alerting are orchestrated from the cloud, making Meraki a core product in the cloud-managed networking and SASE-adjacent security domain.
+
+MX appliances provide perimeter firewalling, intrusion detection/prevention, content filtering, site-to-site and client VPN (including AnyConnect), SD-WAN, and cellular failover. MR access points deliver enterprise Wi-Fi with 802.1X, WPA, splash authentication, and AirMarshal wireless security. MS switches handle Layer-2/Layer-3 switching with port-level visibility. Each Meraki network generates operational and security telemetry that security and network teams use for threat detection, access troubleshooting, VPN monitoring, wireless forensics, and compliance auditing across distributed sites.
+
+## Data Collected (brief)
+
+This integration collects Cisco Meraki telemetry through two data streams. The **log** stream (`cisco_meraki.log`) ingests syslog from MX Security Appliances and MR Access Points via Elastic Agent **UDP**, **TCP**, or **logfile** input. Parsed event types include **firewall/flow** logs (L3 allow/deny, VPN/cellular/bridge flows), **IP flow** start/end, **security/IDS** events (signature matches, file scanning, disposition changes), **URL** filtering, **AirMarshal** wireless threats (rogue SSID, spoofing, packet floods), **Wi-Fi** association/disassociation and **802.1X/WPA/splash** authentication, **AnyConnect/client VPN** sessions, **site-to-site VPN** connectivity changes, and general **events** (DHCP, port status, DFS, martian VLAN). Events are mapped to ECS with source/destination/client network fields and GeoIP enrichment.
+
+The **events** stream (`cisco_meraki.events`) receives Meraki Dashboard **webhook** alerts over HTTPS via Elastic Agent **http_endpoint** input. Payloads include organization, network, and device context (IDs, names, tags, URLs), alert type/level, timestamps, and type-specific `alertData` (e.g., cellular failover, settings changes, usage alerts). MS switch syslog is not recognized by the log parser.
+
+## Expected Audit Log Entities
+
+Meraki telemetry spans two streams: **`log`** (MX/MR syslog — flows, IDS, URL filtering, Wi-Fi auth, VPN, AirMarshal) and **`events`** (Dashboard webhook alerts). Both are **audit-adjacent network and device telemetry**, not SaaS admin-audit logs — there is no Dashboard user/principal who changed a setting in syslog output. Authentication-adjacent events (802.1X, WPA, splash, VPN) carry **user** actors; most traffic/security events identify **host** endpoints by IP/MAC. The reporting appliance is always **`observer.*`** (log source), not the traffic actor. **No ECS `*.target.*` fields** are populated (`dev/target-fields-audit/out/target_fields_audit.csv` — no rows for this package). The target-fields audit classified this package as **`moderate_candidate_network_dest`** with **`pipeline_dest_network=true`**, **`pipeline_actor=true`**, and **`pipeline_dest_identity=false`** (`dev/target-fields-audit/out/target_enhancement_packages.csv`); **`destination.user.*` / `destination.host.*`** are absent from pipelines and **`destination_identity_hits.csv`**.
+
+**`event.action` is populated on most `log` subtypes** via a centralized eventmap in `default.yml` (`cisco_meraki.event_subtype` → normalized action); unmapped subtypes fall back to the raw subtype string. **`ip_flow_start` / `ip_flow_end`** events have **no `event.action`** (no `event_subtype` set). The **`events`** webhook stream sets **`event.action`** from Dashboard **`alertType`** display text (e.g. `Cellular came up`). Evidence: `packages/cisco_meraki/data_stream/log/sample_event.json`, `data_stream/events/sample_event.json`, pipeline fixtures under `data_stream/log/_dev/test/pipeline/` and `data_stream/events/_dev/test/pipeline/`, and ingest pipelines `default.yml`, `flows.yml`, `ipflows.yml`, `urls.yml`, `security.yml`, `events.yml`, `airmarshal.yml`, `events/default.yml`.
+ +### Event action (semantic) + +| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | +| `layer3-firewall-allowed-flow` | data_access | high | `test-flows.log-expected.json` `flow_allowed`; `default.yml:109-113` | **`log`** — L3 flow allow | +| `layer3-firewall-denied-flow` | data_access | high | `default.yml:114-118`; eventmap entry | **`log`** — L3 flow deny (fixture sparse) | +| `ip-session-initiated` | data_access | high | `test-flows.log-expected.json` `ip_session_initiated`; `default.yml:104-108` | **`log`** — session start on flows without allow/deny op | +| `ids-signature-matched` | detection | high | `sample_event.json`, `test-security-events.log-expected.json`; `default.yml:131-134` | **`log`** — `security_event` and `ids-alerts` | +| `malicious-file-actioned` | detection | high | EICAR fixture `test-security-events.log-expected.json`; `default.yml:135-139` | **`log`** — AMP file scan block | +| `issued-retrospective-malicious-disposition` | detection | high | disposition-change fixture; `default.yml:140-144` | **`log`** — retrospective AMP disposition | +| `http-access` / `http-access-error` | data_access | high | `test-urls.log-expected.json`; `default.yml:119-130` | **`log`** — URL filtering | +| `rogue-ssid-detected` / `ssid-spoofing-detected` | detection | high | `test-airmarshal-events.log-expected.json`; `default.yml:205-208` | **`log`** — AirMarshal | +| `wifi-wpa-authentication` / `wifi-8021x-auth` / `splash-authentication` | authentication | high | `test-events.log-expected.json` `wpa_auth`, `8021x_eap_success`, `splash_auth`; `default.yml:157-202` | **`log`** — Wi-Fi auth subtypes | +| `wifi-wpa-failed-auth-or-deauth` / `wifi-8021x-failed-authentication-attempt` | authentication | high | `test-events.log-expected.json` `wpa_deauth`, `8021x_eap_failure`; `default.yml:164-177` | **`log`** — failed Wi-Fi auth | +| `anyconnect_vpn_connect` / `anyconnect_vpn_disconnect` | 
authentication | high | `test-events.log-expected.json`; `default.yml:88-95` | **`log`** — AnyConnect session lifecycle |
+| `site-to-site-vpn` | configuration_change | partial | Mapped for `Site-to-Site VPN` **and** `client_vpn_connect` (`default.yml:84-103`) — conflates VPN types | **`log`** — VPN connectivity |
+| `vpn-connectivity-change` | configuration_change | high | `test-events.log-expected.json` `vpn_connectivity_change`; `default.yml:68-73` | **`log`** |
+| `dhcp-offer` / `dhcp-no-offer` | data_access | high | DHCP fixtures; `default.yml:74-83` | **`log`** |
+| `dynamic-frequency-selection-detected` | configuration_change | high | DFS fixture; `default.yml:214-215` | **`log`** |
+| Raw subtype fallback (`8021x_auth`, `martian_vlan`, `port_status_changed`, `arp_blocked`, `anyconnect_vpn_session_manager`, …) | varies | high | Unmapped in eventmap → `ctx.event.action = ctx.cisco_meraki.event_subtype` (`default.yml:222-224`); fixtures in `test-events.log-expected.json` | **`log`** — operational/device events without normalized labels |
+| Dashboard alert display text (`Cellular came up`, `Failover event detected`, `Insight Alert`) | configuration_change / detection | high | `events/sample_event.json`, `test-mx-events.json-expected.json`; `events/default.yml:231` | **`events`** — human-readable Meraki alert names |
+| *(absent)* | — | high | No `event.action` in `test-ip-flow.log-expected.json`; `ipflows.yml` does not set `event_subtype` | **`log`** — `ip_flow_start` / `ip_flow_end` gap |
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `event.action` ← `cisco_meraki.event_subtype` via eventmap | yes (most `log` subtypes) | yes (mapped entries) | e.g. 
`ids-signature-matched`, `http-access`, `wifi-wpa-authentication` | no | `default.yml:62-241`; all `log` *-expected.json with action |
+| `event.action` ← raw `cisco_meraki.event_subtype` (fallback) | yes | partial | e.g. `8021x_auth`, `martian_vlan`, `port_status_changed` | yes — add eventmap entries for normalized labels | `default.yml:222-224`; `test-events.log-expected.json` |
+| `cisco_meraki.event_subtype` | indirect (source) | yes | Vendor canonical subtype before normalization | no | Set in sub-pipelines (`flows.yml`, `security.yml`, `events.yml`, …) |
+| `cisco_meraki.event_type` | no | n/a | e.g. `ip_flow_start`, `flows`, `security_event` — stream-level type, not per-event verb | yes — derive action for IP flows | `test-ip-flow.log-expected.json`; no `event.action` |
+| `cisco_meraki.firewall.action` | no | n/a | e.g. `allow`, `deny` — firewall rule outcome, not event verb | yes — could supplement `layer3-firewall-*-flow` | `flows.yml:18`; vendor-only in fixtures |
+| `cisco_meraki.security.action` | no | n/a | e.g. `block`, `allow` — AMP/IDS disposition on scan events | yes — distinct from subtype action | `security.yml:80`; `test-security-events.log-expected.json` |
+| `cisco_meraki.security.decision` | no | n/a | e.g. `blocked`, `allowed` — IDS decision | yes — enrichment, not primary action | `security.yml:51-52`; `sample_event.json` |
+| `cisco_meraki.anyconnect_vpn_session_manager.action` | no | n/a | e.g. `added tunnel`, `session disconnected` — granular VPN ops | yes — sub-action under session-manager subtype | `events.yml:357-381`; nested in fixtures |
+| `json.alertType` → `event.action` | yes | yes | e.g. `Cellular came up`, `Failover event detected` | no | `events/default.yml:231`; `events/sample_event.json` |
+| `json.alertTypeId` | no (drives category/type only) | n/a | e.g. 
`cellular_up`, `vrrp`, `settings_changed` — stable machine ID | yes — prefer as normalized `event.action` over display text | `events/default.yml:226-249`; webhook payload |
+| `client_vpn_connect` eventmap entry | yes | **no** | Maps to `site-to-site-vpn` instead of client-VPN-specific label | **yes** — fix eventmap action | `default.yml:96-103`; `test-events.log-expected.json` `client_vpn_connect` |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Flow originator (internal/external endpoint) | host | — | high | `source.ip`, `source.port`, `source.mac` ← `src`/`sport`/`mac` (`flows.yml`; `test-flows.log-expected.json` `flow_allowed`); NAT at `source.nat.ip`/`source.nat.port` (`ipflows.yml`; `test-ip-flow.log-expected.json`) | **`log`** — `flows`, `ip_flow_start`, `ip_flow_end` |
+| HTTP/URL filtering client | host | — | high | `source.ip`, `source.port` ← `src` (`urls.yml`); client MAC vendor-only in `cisco_meraki.urls.mac` (`test-urls.log-expected.json` `http_access_error`) | **`log`** — `urls` |
+| IDS / security-event initiator | host | — | high | `source.ip`, `source.port` ← `src`/`sport` (`security.yml`, `idsalerts.yml`; `sample_event.json`, `test-security-events.log-expected.json` `ids_alerted`) | **`log`** — `security_event` |
+| File-scan downloading host | host | — | high | `source.ip`, `source.port`; MAC retained in `cisco_meraki.security.mac` only (`security.yml`; EICAR fixture in `test-security-events.log-expected.json`) | **`log`** — `security_filtering_file_scanned` |
+| Wireless client (association, WPA, splash) | host | — | high | `client.mac`; optional `client.ip` (`events.yml` ← `client_mac`/`client_ip`; `test-events.log-expected.json` `wpa_auth`, `splash_auth`) | **`log`** — Wi-Fi client events |
+| 802.1X authenticating user | user | — | high | `identity` → `user.name`/`user.email`/`user.domain` (`events.yml:254-257`); wireless 
client at `client.mac`, `client.ip` (`8021x_eap_success` fixture: `anonymous@gousto.co.uk`) | **`log`** — `8021x_*` subtypes |
+| VPN user (Client VPN / AnyConnect) | user | — | high | `user.name`/`user.email` ← `user id '…'` grok (`events.yml:307-409`); remote client endpoint at `client.ip` with GeoIP/ASN (`client_vpn_connect` `jwick@wwvpn.net`, AnyConnect connect/disconnect fixtures) | **`log`** — `client_vpn_connect`, `anyconnect_vpn_connect`, `anyconnect_vpn_disconnect` |
+| AnyConnect session-manager user | user | — | moderate | `cisco_meraki.anyconnect_vpn_session_manager.user_name` ← grok `User[…]` (`events.yml:337-345`); **not** copied to ECS `user.*` (session-manager fixtures in `test-events.log-expected.json`) | **`log`** — `anyconnect_vpn_session_manager` |
+| DHCP client | host | — | high | `client.mac`, `client.ip` on lease; MAC-only on no-offer (`events.yml:81-97`; `dhcp_offer`/`dhcp_no_offer` fixtures) | **`log`** — `dhcp_*` |
+| ARP offender | host | — | high | `source.mac`, `source.ip` ← grok on blocked ARP (`events.yml:121-143`; `arp_blocked` fixture) | **`log`** — `arp_blocked` |
+| Martian-VLAN misbehaving host | host | — | high | `client.ip`, `client.mac` ← `cisco_meraki.martian_vlan.Client`/`MAC` (`events.yml:422-439`) | **`log`** — `martian_vlan` (client detail) |
+| AirMarshal rogue/threat BSSID | host | — | high | `source.mac` ← `src`/`bssid` (`airmarshal.yml`; `test-airmarshal-events.log-expected.json` `rogue_ssid_detected`) | **`log`** — `airmarshal_events` |
+
+Operational events (DFS, port status, carrier change, Site-to-Site VPN raw, `vpn_connectivity_change`, martian_vlan summary) and **`events`** webhook alerts have **no distinct human or client actor** beyond the logging **`observer.*`** appliance identity.
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? 
| Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `source.ip`, `source.port`, `source.mac` | Flow/IDS/URL initiator endpoint | yes | yes | high | `flows.yml`, `urls.yml`, `security.yml`; traffic fixtures |
+| `source.nat.ip`, `source.nat.port` | NAT'd flow originator | yes | yes | high | `ipflows.yml`; `test-ip-flow.log-expected.json` |
+| `client.ip`, `client.mac` | Wireless/DHCP/VPN remote client endpoint | yes | yes | high | `events.yml`; Wi-Fi, DHCP, VPN fixtures |
+| `user.name`, `user.email`, `user.domain` | 802.1X identity or VPN username | yes | yes | high | ← `identity` kv or `user id '…'` grok (`events.yml:254-498`); 802.1X and VPN fixtures |
+| `related.user` | Enrichment array for normalized user | yes | yes | high | Appends `user.name`/`user.email` (`events.yml:499-510`) |
+| `related.ip` | Enrichment array for endpoint IPs | yes | yes | high | Appends `source.ip`, `client.ip`, DHCP server IPs (`events.yml:511-519`, `282-298`) |
+| `cisco_meraki.anyconnect_vpn_session_manager.user_name` | VPN session user (vendor copy) | yes (vendor) | n/a | high | Grok from session-manager message; also present on connect/disconnect as ECS `user.*` — inconsistent |
+| `cisco_meraki.urls.mac`, `cisco_meraki.security.mac` | Client MAC on URL/file-scan events | yes (vendor) | n/a | moderate | Vendor-retained; not mapped to `client.mac` or `source.mac` |
+| `cisco_meraki.*.identity` (802.1X kv blobs) | Raw identity before ECS rename | yes (vendor) | n/a | high | Renamed to `user.name` when subtype matches 802.1X list |
+| `observer.hostname`, `observer.name`, `observer.serial_number`, `observer.product`, `observer.mac` | Reporting MX/MR/MV appliance | yes | yes | high | `default.yml` dissect; `events/default.yml` webhook mapping — **observer identity, not actor** |
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | 
--- |
+| 2 — Resource / object | Session remote peer (IP/port/NAT) | Remote host / server | host | — | high | `destination.ip`, `destination.port`, `destination.nat.*` ← `dst`/`dport` (`flows.yml`, `ipflows.yml`, `urls.yml`, `security.yml`); flow/URL/IDS fixtures | **`log`** — flows, URLs, IDS |
+| 2 — Resource / object | IDS victim / internal endpoint | Internal host | host | — | high | `destination.ip`, `destination.port` on ingress IDS; affected MAC in `cisco_meraki.security.dhost` (vendor only) (`sample_event.json`, `test-security-events.log-expected.json`) | **`log`** — `ids_alerted` |
+| 2 — Resource / object | VPN tunnel assignment / MX gateway | VPN service endpoint | host or service | — | high | `network.forwarded_ip` ← assigned tunnel IP; `observer.hostname` is enforcement MX (`events.yml`; AnyConnect/client VPN fixtures) | **`log`** — VPN connect/disconnect |
+| 2 — Resource / object | AnyConnect peer / assigned tunnel IP | Remote VPN endpoint | host | — | moderate | `cisco_meraki.anyconnect_vpn_session_manager.peer_ip`, `.ip` (filter apply); not mapped to ECS `destination.*` or `client.ip` | **`log`** — session-manager |
+| 2 — Resource / object | Wireless network segment (VAP/radio) | Wi-Fi SSID/VAP | service | — | medium | `cisco_meraki.*.vap`, `.radio` kv blobs; AP at `observer.hostname` — no ECS service target | **`log`** — WPA/802.1X/splash |
+| 2 — Resource / object | DHCP server (legitimate or rogue) | DHCP server | general | dhcp-server | high | `server.mac`/`server.ip` on lease; rogue `server_ip`/`server_mac` in `cisco_meraki.multiple_dhcp_servers_detected.*` (`events.yml`; DHCP fixtures) | **`log`** — `dhcp_*`, `multiple_dhcp_servers_detected` |
+| 2 — Resource / object | Protected VLAN segment | VLAN | general | vlan-segment | medium | `observer.ingress.vlan.id` (ARP block); `cisco_meraki.martian_vlan.VLAN` (martian VLAN) | **`log`** — `arp_blocked`, `martian_vlan` |
+| 2 — Resource / object | AirMarshal observed wireless MAC | Wireless 
peer/victim | host | — | high | `destination.mac` ← `dst` (`airmarshal.yml`; rogue SSID fixtures) | **`log`** — `airmarshal_events` |
+| 2 — Resource / object | Alerted Meraki device / network | Managed device or site | general | device / network | high | `observer.name`, `.serial_number`, `.product`, `.mac`; `network.name`, `organization.id`/`organization.name` (`events/default.yml`; `sample_event.json`, `test-mx-events.json-expected.json`) | **`events`** — webhook alerts |
+| 2 — Resource / object | Site-to-Site VPN peer | Remote VPN gateway | host or service | — | low | Raw peer info in `cisco_meraki.site_to_site_vpn.raw` or `.connectivity_change.*` — not parsed to ECS | **`log`** — Site-to-Site VPN, `vpn_connectivity_change` |
+| 3 — Content / artifact | Requested URL / web resource | HTTP URL | general | url | high | `url.domain`, `url.original`, `url.path`, `url.scheme` ← `uri_parts` on request URL (`urls.yml`; bitbucket.org fixture) | **`log`** — `urls` |
+| 3 — Content / artifact | Malicious / scanned file | File object | general | file | high | `file.name`, `file.hash.sha256` ← `name`/`sha256` (`security.yml`; EICAR and disposition-change fixtures) | **`log`** — file scan / disposition change |
+| 3 — Content / artifact | IDS signature / alert message | Detection rule | general | ids_signature | high | `message`, `cisco_meraki.security.signature`; `event.action` e.g. `ids-signature-matched` | **`log`** — IDS |
+
+Layer 1 (invoked cloud/SaaS platform) does not apply in ECS — Meraki Dashboard is the management plane but webhook alerts do not record **who** triggered a change, only **what device/network** changed state.
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? 
| Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `destination.ip`, `destination.port`, `destination.nat.ip`, `destination.nat.port` | 2 | host | yes | partial | context-only (network peer) | no | ← `dst`/`dport`/NAT kv (`flows.yml`, `ipflows.yml`, `urls.yml`, `security.yml`); correct for flow semantics, not audit `host.target.*` |
+| `destination.mac` | 2 | host | yes | partial | `host.target.mac` | yes | ← `dst` on AirMarshal (`airmarshal.yml`); wireless peer MAC — network-context destination, semantically a target endpoint |
+| `network.forwarded_ip` | 2 | host | yes | partial | `host.target.ip` | yes | Assigned VPN tunnel IP (`events.yml`); tunnel resource on MX, not generic destination peer |
+| `network.protocol`, `network.vlan.id` | 2 | service | yes | yes | context-only | no | Protocol/VLAN context on flows, IDS, AirMarshal |
+| `url.*` | 3 | general | yes | yes | context-only | no | `uri_parts` on URL request (`urls.yml`, `security.yml`) |
+| `file.name`, `file.hash.sha256` | 3 | general | yes | yes | context-only | no | File-scan and disposition-change events (`security.yml`) |
+| `server.ip`, `server.mac` | 2 | general | yes | yes | `service.target.name` | yes | DHCP server identity on lease/rogue-server events (`events.yml`) |
+| `observer.ingress.vlan.id` | 2 | general | yes | yes | context-only | no | Protected VLAN on ARP block (`events.yml:124`) |
+| `cisco_meraki.security.dhost` | 2 | host | yes (vendor) | n/a | `host.target.mac` | **yes** | IDS victim MAC; vendor-only while `destination.ip` holds IP peer |
+| `cisco_meraki.*.vap`, `.radio`, `.channel` | 2 | service | yes (vendor) | n/a | `service.target.name` | yes | Wireless segment context; vendor-only |
+| `cisco_meraki.anyconnect_vpn_session_manager.peer_ip`, `.ip`, `.tunnel_id` | 2 | host / service | yes (vendor) | n/a | `host.target.ip` / `service.target.entity.id` | **yes** | VPN peer and tunnel metadata; not ECS-mapped |
+| `cisco_meraki.site_to_site_vpn.raw`, 
`.connectivity_change.*` | 2 | host or service | yes (vendor) | n/a | `host.target.ip` | yes | Site-to-Site VPN peer context; unparsed |
+| `cisco_meraki.martian_vlan.VLAN`, `.details` | 2 | general | yes (vendor) | n/a | context-only | no | VLAN segment violation context |
+| `cisco_meraki.event.alertData.*` (`local`, `remote`, `connection`, …) | 2 | host | yes (vendor) | n/a | `host.target.ip` | yes | Webhook type-specific endpoints; flattened vendor-only (`sample_event.json` cellular_up) |
+| `observer.name`, `observer.serial_number`, `network.name`, `organization.id` | 2 | general | yes | n/a | context-only | no | Alerted device/network scope (`events/default.yml`); observer is log source, network/org is tenancy scope |
+
+### Gaps and mapping notes
+
+- **No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*`** — target-fields audit confirms zero official target fields; enhancement priority is **`moderate_candidate_network_dest`** (network `destination.*` only, no `destination.user.*`).
+- **`destination.ip`/`destination.port`** on flows, URLs, and IDS are **network session peers**, not de-facto audit user/host targets — unlike email/auth integrations, Meraki does not reuse `destination.user.*` for identity (`destination_identity_hits.csv` — no rows for this package).
+- **`cisco_meraki.security.dhost`** holds the IDS **victim MAC** but is not copied to `host.target.mac` or `destination.mac` — best vendor source for Layer 2 host target enhancement.
+- **`cisco_meraki.anyconnect_vpn_session_manager.user_name`** and **`peer_ip`** are parsed to vendor fields only; connect/disconnect subtypes for the same user **do** map to ECS `user.*`/`client.ip` — inconsistent actor mapping across VPN event shapes.
+- **`client.mac`** on 802.1X/WPA events is the **wireless client host** (actor-side endpoint); **`user.*`** from `identity` is the **authenticating user** — distinct roles, correctly not conflated, but neither maps to `*.target.*`.
+- **`user.name` → `user.email` rename** when `@` present (`events.yml:481-485`) is semantically correct for email-style VPN/802.1X identities.
+- **Webhook `events` stream** retains rich device/network target context under **`cisco_meraki.event.*`** and **`observer.*`** but records **no Dashboard admin actor** — settings-change alerts (`settings_changed`) describe configuration impact on `observer.name`, not who changed it.
+- **`organization.*`** and **`network.name`** are tenancy/scope context, not actors or granular targets.
+- **`related.user`** and **`related.ip`** aggregate identities without distinguishing actor vs target roles.
+- **`event.action` gaps:** **`ip_flow_start` / `ip_flow_end`** have no action — recommend mapping from `cisco_meraki.event_type` (e.g. `ip-flow-start`, `ip-flow-end`). **`client_vpn_connect`** incorrectly maps to `site-to-site-vpn` in eventmap (`default.yml:96-103`). ~15 operational subtypes use **raw subtype fallback** (`8021x_auth`, `martian_vlan`, `port_status_changed`, …) — add eventmap entries for consistent normalized actions. **`cisco_meraki.security.action`** / **`decision`** and **`anyconnect_vpn_session_manager.action`** capture secondary verbs but stay vendor-only. Webhook stream uses display **`alertType`** strings; **`alertTypeId`** would be a more stable normalized action source.
+
+### Per-stream notes
+
+#### `log` — flows / IP flows (`cisco_meraki.event_type=flows`)
+
+Default actor is the **flow originator** (`source.ip`, optional `source.mac`, NAT fields). Primary target is the **session peer** (`destination.ip`/`port`). Actions: **`layer3-firewall-allowed-flow`**, **`layer3-firewall-denied-flow`**, or **`ip-session-initiated`** via eventmap. Audit-adjacent allow/deny telemetry, not admin audit.
+
+#### `log` — IP flows (`ip_flow_start` / `ip_flow_end`)
+
+Session timing telemetry with source/destination NAT fields. **`event.action` absent** — only `cisco_meraki.event_type` distinguishes start vs end.
+
+#### `log` — URLs / security / AirMarshal
+
+URL events: **host actor** at `source.*`, Layer 3 **url.*** target plus remote server at `destination.ip`; actions **`http-access`** / **`http-access-error`**. IDS: **external source** → **internal destination** on ingress; action **`ids-signature-matched`**; victim MAC only in **`cisco_meraki.security.dhost`**. AirMarshal: rogue BSSID as **`source.mac`**, observed peer as **`destination.mac`**; actions **`rogue-ssid-detected`** / **`ssid-spoofing-detected`**.
+
+#### `log` — events (Wi-Fi, VPN, DHCP, operational)
+
+802.1X/VPN subtypes populate **`user.*`** (actor) and **`client.*`** (endpoint) with auth actions (`wifi-8021x-auth`, `anyconnect_vpn_connect`, …). VPN adds **`network.forwarded_ip`** as tunnel-assignment target. Session-manager messages keep user/peer in **vendor fields only** with raw subtype action. Operational subtypes (port, DFS, carrier) target local hardware via **`cisco_meraki.*`** blobs and raw subtype actions.
+
+#### `events` — Dashboard webhooks
+
+Device/network **state-change alerts** — target is the **`observer.*`** appliance and optional **`cisco_meraki.event.alertData.*`** endpoints. **`event.action`** = Dashboard **`alertType`** display string (e.g. `Cellular came up`). No caller/principal actor; not equivalent to Meraki Dashboard audit logs API.
+
+## Example Event Graph
+
+The examples below come from the **`log`** syslog stream (MX/MR security and authentication telemetry) and the **`events`** Dashboard webhook stream. These are audit-adjacent network and device events — not Meraki Dashboard admin audit logs. Syslog events carry endpoint or user actors; webhook alerts report appliance state changes without a Dashboard principal.
+
+### Example 1: Ingress IDS signature match
+
+**Stream:** `cisco_meraki.log` · **Fixture:** `packages/cisco_meraki/data_stream/log/sample_event.json`
+
+```
+Host (67.43.156.12, Bhutan) → ids-signature-matched → Host (10.0.3.162)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | 67.43.156.12 |
+| type | host |
+| geo | Bhutan |
+| ip | 67.43.156.12 |
+
+**Field sources:**
+- `id`, `ip` ← `source.ip`
+- `geo` ← `source.geo.country_name`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | ids-signature-matched |
+| source_field | `event.action` |
+| source_value | ids-signature-matched |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 10.0.3.162 |
+| type | host |
+| ip | 10.0.3.162 |
+
+**Field sources:**
+- `id`, `ip` ← `destination.ip`
+- Victim MAC `D0-AB-D5-7B-43-73` is in `cisco_meraki.security.dhost` only (not copied to ECS `destination.mac` or `host.target.*`)
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: 67.43.156.12 (Bhutan)"] --> E["ids-signature-matched"]
+ E --> T["Target: 10.0.3.162"]
+```
+
+### Example 2: 802.1X Wi-Fi authentication success
+
+**Stream:** `cisco_meraki.log` · **Fixture:** `packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json` (event at `@timestamp` 2021-12-10T10:41:01.230Z)
+
+```
+User (anonymous@gousto.co.uk) → wifi-8021x-auth → Wi-Fi VAP (radio 1, vap 3)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | anonymous@gousto.co.uk |
+| name | anonymous |
+| type | user |
+
+**Field sources:**
+- `id` ← `user.email`
+- `name` ← `user.name`
+- Wireless client endpoint `54-8D-5A-EA-30-E9` ← `client.mac` (`client.ip` is `0.0.0.0` in fixture)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | wifi-8021x-auth |
+| source_field | `event.action` |
+| source_value | wifi-8021x-auth |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 3 |
+| name | VAP 3 (radio 1) |
+| type | service |
+| sub_type | wifi_vap |
+
+**Field 
sources:**
+- `id` ← `cisco_meraki.8021x_eap_success.vap`
+- `name` ← composed from `cisco_meraki.8021x_eap_success.vap`, `cisco_meraki.8021x_eap_success.radio`
+- Reporting AP is `observer.hostname` (`1_2_AP_1`) — log source, not the authentication target
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: anonymous@gousto.co.uk"] --> E["wifi-8021x-auth"]
+ E --> T["Target: VAP 3 (radio 1)"]
+```
+
+### Example 3: Dashboard cellular failover alert
+
+**Stream:** `cisco_meraki.events` · **Fixture:** `packages/cisco_meraki/data_stream/events/sample_event.json`
+
+```
+(no actor) → Cellular came up → MX appliance (My appliance)
+```
+
+#### Actor
+
+No distinct actor in this fixture — Meraki Dashboard webhooks describe device/network state changes without recording an admin or client principal.
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | Cellular came up |
+| source_field | `event.action` |
+| source_value | Cellular came up |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | Q234-ABCD-5678 |
+| name | My appliance |
+| type | general |
+| sub_type | managed_device |
+| ip | 192.168.1.2 |
+
+**Field sources:**
+- `id` ← `observer.serial_number`
+- `name` ← `observer.name`
+- `ip` ← `cisco_meraki.event.alertData.local` (cellular local endpoint on the alerted MX)
+- Cellular peer `1.2.3.5` is in `cisco_meraki.event.alertData.remote` (vendor-only)
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: (none)"] --> E["Cellular came up"]
+ E --> T["Target: My appliance"]
+```
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (policy template `cisco_meraki`, `data_stream/log` + `data_stream/events` with Tier A fixtures and ingest pipelines). Router: **`data_stream.dataset`** (`cisco_meraki.log`, `cisco_meraki.events` per `manifest.yml`) with secondary **`event.action`** / **`cisco_meraki.event_subtype`** / **`cisco_meraki.event_type`** within `log`. 
Pass 4 is **fill-gaps-only**: detection flags (`actor_exists`, `target_exists`, `action_exists`) run first; actor/target/action **`EVAL` blocks use column-level preserve** (` IS NOT NULL`) with dataset guards — not `CASE(actor_exists, , …)` — so `host.ip` ← `source.ip` still applies when `user.name` is set but `host.ip` is empty. No ECS `*.target.*` at ingest today — fallbacks promote **`destination.*`**, **`network.forwarded_ip`**, vendor `cisco_meraki.*`, and **`observer.*`** (webhooks) into `host.target.*`, `service.target.*`, and `entity.target.*`. **`observer.*`** on syslog is the reporting appliance (log source), not the traffic actor. Wi-Fi auth targets use **`service.target.name`** ← vendor `vap` (Pass 3), not self-referential `user.*`.
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `cisco_meraki.log` | Flows / IP flows / URLs / IDS / AirMarshal | host | host (session peer), general (url/file) | partial |
+| `cisco_meraki.log` | Wi-Fi / VPN / 802.1X / DHCP | user, host | service (wifi_vap), host (tunnel/peer) | partial |
+| `cisco_meraki.events` | Dashboard webhooks | — | general (managed_device) | partial |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.name` | `user.name` | `data_stream.dataset == "cisco_meraki.log"` | high | **preserve existing** — 802.1X/VPN at ingest |
+| `user.name` | `cisco_meraki.anyconnect_vpn_session_manager.user_name` | `data_stream.dataset == "cisco_meraki.log" AND cisco_meraki.event_subtype == "anyconnect_vpn_session_manager"` | high | **vendor fallback** — session-manager only |
+| `user.email` | `user.email` | `data_stream.dataset == "cisco_meraki.log"` | high | **ingest-only — no ES|QL** (`events.yml:481-490`; no query-time vendor path) |
+| `user.domain` | `user.domain` 
| `data_stream.dataset == "cisco_meraki.log"` | high | **ingest-only — no ES|QL** (dissect from `user.email` at ingest; no alternate source) |
+| `host.ip` | `host.ip` | `data_stream.dataset == "cisco_meraki.log"` | high | **preserve existing** |
+| `host.ip` | `source.ip` | `data_stream.dataset == "cisco_meraki.log" AND source.ip IS NOT NULL AND user.name IS NULL` | high | **vendor fallback** — flow/IDS/URL originator |
+| `host.ip` | `client.ip` | `data_stream.dataset == "cisco_meraki.log" AND client.ip IS NOT NULL AND client.ip != "0.0.0.0" AND user.name IS NULL` | high | **vendor fallback** — wireless/DHCP endpoint |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `host.target.ip` | `host.target.ip` | `data_stream.dataset == "cisco_meraki.log"` | high | **preserve existing** |
+| `host.target.ip` | `network.forwarded_ip` | `data_stream.dataset == "cisco_meraki.log" AND network.forwarded_ip IS NOT NULL` | high | **vendor fallback** — VPN tunnel assignment (Pass 3) |
+| `host.target.ip` | `destination.ip` | `data_stream.dataset == "cisco_meraki.log" AND destination.ip IS NOT NULL` | high | **de-facto destination.*** session peer |
+| `host.target.ip` | `cisco_meraki.anyconnect_vpn_session_manager.peer_ip` | `data_stream.dataset == "cisco_meraki.log" AND cisco_meraki.anyconnect_vpn_session_manager.peer_ip IS NOT NULL` | high | **vendor fallback** — VPN peer when no `destination.ip` |
+| `host.target.ip` | `cisco_meraki.event.alertData.local` | `data_stream.dataset == "cisco_meraki.events"` | high | **vendor fallback** — cellular local endpoint |
+| `service.target.name` | `service.target.name` | `data_stream.dataset == "cisco_meraki.log"` | high | **preserve existing** |
+| `service.target.name` | `network.protocol` | `data_stream.dataset == "cisco_meraki.log" AND event.action IN ("http-access", "http-access-error", "ids-signature-matched")` | medium | **vendor 
fallback** — L4 protocol context |
+| `service.target.name` | `cisco_meraki.8021x_eap_success.vap` | `data_stream.dataset == "cisco_meraki.log" AND event.action == "wifi-8021x-auth"` | high | **vendor fallback** — Wi-Fi VAP (Pass 3) |
+| `service.target.name` | `cisco_meraki.wpa_auth.vap` | `data_stream.dataset == "cisco_meraki.log" AND event.action == "wifi-wpa-authentication"` | high | **vendor fallback** |
+| `service.target.name` | `cisco_meraki.splash_auth.vap` | `data_stream.dataset == "cisco_meraki.log" AND event.action == "splash-authentication"` | high | **vendor fallback** |
+| `service.target.name` | `server.mac` | `data_stream.dataset == "cisco_meraki.log" AND event.action IN ("dhcp-offer", "dhcp-no-offer") AND server.mac IS NOT NULL` | high | **vendor fallback** — DHCP server identity |
+| `entity.target.id` | `entity.target.id` | `data_stream.dataset IN ("cisco_meraki.log", "cisco_meraki.events")` | high | **preserve existing** |
+| `entity.target.id` | `destination.mac` | `data_stream.dataset == "cisco_meraki.log" AND event.action IN ("rogue-ssid-detected", "ssid-spoofing-detected") AND destination.mac IS NOT NULL` | high | **de-facto destination.*** — AirMarshal wireless peer |
+| `entity.target.id` | `observer.serial_number` | `data_stream.dataset == "cisco_meraki.events"` | high | **vendor fallback** — alerted appliance |
+| `entity.target.name` | `entity.target.name` | `data_stream.dataset IN ("cisco_meraki.log", "cisco_meraki.events")` | high | **preserve existing** |
+| `entity.target.name` | `url.domain` | `data_stream.dataset == "cisco_meraki.log" AND event.action IN ("http-access", "http-access-error") AND url.domain IS NOT NULL` | high | **vendor fallback** — requested URL |
+| `entity.target.name` | `file.name` | `data_stream.dataset == "cisco_meraki.log" AND event.action IN ("malicious-file-actioned", "issued-retrospective-malicious-disposition") AND file.name IS NOT NULL` | high | **vendor fallback** — scanned file |
+| 
`entity.target.name` | `observer.name` | `data_stream.dataset == "cisco_meraki.events"` | high | **vendor fallback** — managed device |
+| `entity.target.type` | `entity.target.type` | all datasets | high | **preserve existing** |
+| `entity.target.type` | literal `"service"` / `"host"` / `"general"` | dataset + `event.action` / `destination.ip` guards | high | **semantic literal** — classification helper |
+| `entity.target.sub_type` | `entity.target.sub_type` | all datasets | high | **preserve existing** |
+| `entity.target.sub_type` | literal `"wifi_vap"` / `"managed_device"` | Wi-Fi auth / webhook guards | high | **semantic literal** |
+
+#### Event action mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `event.action` | `event.action` | all datasets | high | **preserve existing** — eventmap + webhook `alertType` |
+| `event.action` | literal `"ip-flow-start"` / `"ip-flow-end"` | `data_stream.dataset == "cisco_meraki.log" AND cisco_meraki.event_type IN ("ip_flow_start", "ip_flow_end")` | high | **semantic fallback** — Pass 2 gap; no ingest action today |
+
+### Detection flags (mandatory — run first)
+
+Standard actor/target/action predicates. **`observer.*` is excluded from `actor_exists`** — reporting MX/MR identity is not the traffic principal.
+
+**Semantics:** `actor_exists` / `target_exists` / `action_exists` are query-time helpers for documentation and optional downstream use. Actor/target/action **`EVAL` blocks use column-level preserve** (` IS NOT NULL`) — not `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` — so one populated `entity.target.name` does not block `host.target.ip` / `service.target.name` fallbacks (Pass 4 §10).
+
+**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. Wrong: `CASE(user.name IS NOT NULL, user.name, user.full_name, null)` (4 args — 3rd arg is a **condition**). 
Wrong: `CASE(target_exists, host.target.ip, network.forwarded_ip, destination.ip, null)` (6 args — `network.forwarded_ip` is a **condition**). Right: **5-arg** `CASE(host.target.ip IS NOT NULL, host.target.ip, data_stream.dataset == "cisco_meraki.log" AND network.forwarded_ip IS NOT NULL, network.forwarded_ip, null)` or **3-arg** `CASE(host.ip IS NOT NULL, host.ip, source.ip)`. + +```esql +| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +``` + +### Combined ES|QL — actor fields + +```esql +| EVAL + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "cisco_meraki.log" AND cisco_meraki.event_subtype == "anyconnect_vpn_session_manager" AND cisco_meraki.anyconnect_vpn_session_manager.user_name IS NOT NULL, cisco_meraki.anyconnect_vpn_session_manager.user_name, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "cisco_meraki.log" AND source.ip IS NOT NULL AND user.name IS NULL, source.ip, + data_stream.dataset == "cisco_meraki.log" AND client.ip IS NOT NULL AND client.ip != "0.0.0.0" AND user.name IS NULL, client.ip, + null + ) +``` + +### Combined ES|QL — event action + +```esql +| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "cisco_meraki.log" AND cisco_meraki.event_type == "ip_flow_start", "ip-flow-start", + data_stream.dataset == "cisco_meraki.log" 
AND cisco_meraki.event_type == "ip_flow_end", "ip-flow-end", + null + ) +``` + +### Combined ES|QL — target fields + +```esql +| EVAL + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset == "cisco_meraki.log" AND network.forwarded_ip IS NOT NULL, network.forwarded_ip, + data_stream.dataset == "cisco_meraki.log" AND destination.ip IS NOT NULL, destination.ip, + data_stream.dataset == "cisco_meraki.log" AND cisco_meraki.anyconnect_vpn_session_manager.peer_ip IS NOT NULL, cisco_meraki.anyconnect_vpn_session_manager.peer_ip, + data_stream.dataset == "cisco_meraki.events" AND cisco_meraki.event.alertData.local IS NOT NULL, cisco_meraki.event.alertData.local, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "cisco_meraki.log" AND event.action == "wifi-8021x-auth" AND `cisco_meraki.8021x_eap_success.vap` IS NOT NULL, `cisco_meraki.8021x_eap_success.vap`, + data_stream.dataset == "cisco_meraki.log" AND event.action == "wifi-wpa-authentication" AND cisco_meraki.wpa_auth.vap IS NOT NULL, cisco_meraki.wpa_auth.vap, + data_stream.dataset == "cisco_meraki.log" AND event.action == "splash-authentication" AND cisco_meraki.splash_auth.vap IS NOT NULL, cisco_meraki.splash_auth.vap, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("http-access", "http-access-error", "ids-signature-matched") AND network.protocol IS NOT NULL, network.protocol, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("dhcp-offer", "dhcp-no-offer") AND server.mac IS NOT NULL, server.mac, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("rogue-ssid-detected", "ssid-spoofing-detected") AND destination.mac IS NOT NULL, destination.mac, + data_stream.dataset == "cisco_meraki.events" AND observer.serial_number IS NOT NULL, observer.serial_number, + null + ), + 
entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("http-access", "http-access-error") AND url.domain IS NOT NULL, url.domain, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("malicious-file-actioned", "issued-retrospective-malicious-disposition") AND file.name IS NOT NULL, file.name, + data_stream.dataset == "cisco_meraki.events" AND observer.name IS NOT NULL, observer.name, + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("wifi-wpa-authentication", "wifi-8021x-auth", "splash-authentication"), "service", + data_stream.dataset == "cisco_meraki.log" AND destination.ip IS NOT NULL, "host", + data_stream.dataset == "cisco_meraki.events", "general", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("wifi-wpa-authentication", "wifi-8021x-auth", "splash-authentication"), "wifi_vap", + data_stream.dataset == "cisco_meraki.events", "managed_device", + null + ) +``` + +### Full pipeline fragment (optional) + +```esql +FROM logs-* +| EVAL + actor_exists = user.name IS NOT NULL OR user.email IS NOT NULL OR host.ip IS NOT NULL, + target_exists = host.target.ip IS NOT NULL OR service.target.name IS NOT NULL OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +| EVAL + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "cisco_meraki.log" AND cisco_meraki.event_subtype == "anyconnect_vpn_session_manager" AND cisco_meraki.anyconnect_vpn_session_manager.user_name IS NOT NULL, cisco_meraki.anyconnect_vpn_session_manager.user_name, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "cisco_meraki.log" AND source.ip IS NOT NULL 
AND user.name IS NULL, source.ip, + data_stream.dataset == "cisco_meraki.log" AND client.ip IS NOT NULL AND client.ip != "0.0.0.0" AND user.name IS NULL, client.ip, + null + ), + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "cisco_meraki.log" AND cisco_meraki.event_type == "ip_flow_start", "ip-flow-start", + data_stream.dataset == "cisco_meraki.log" AND cisco_meraki.event_type == "ip_flow_end", "ip-flow-end", + null + ), + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset == "cisco_meraki.log" AND network.forwarded_ip IS NOT NULL, network.forwarded_ip, + data_stream.dataset == "cisco_meraki.log" AND destination.ip IS NOT NULL, destination.ip, + data_stream.dataset == "cisco_meraki.log" AND cisco_meraki.anyconnect_vpn_session_manager.peer_ip IS NOT NULL, cisco_meraki.anyconnect_vpn_session_manager.peer_ip, + data_stream.dataset == "cisco_meraki.events" AND cisco_meraki.event.alertData.local IS NOT NULL, cisco_meraki.event.alertData.local, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "cisco_meraki.log" AND event.action == "wifi-8021x-auth" AND `cisco_meraki.8021x_eap_success.vap` IS NOT NULL, `cisco_meraki.8021x_eap_success.vap`, + data_stream.dataset == "cisco_meraki.log" AND event.action == "wifi-wpa-authentication" AND cisco_meraki.wpa_auth.vap IS NOT NULL, cisco_meraki.wpa_auth.vap, + data_stream.dataset == "cisco_meraki.log" AND event.action == "splash-authentication" AND cisco_meraki.splash_auth.vap IS NOT NULL, cisco_meraki.splash_auth.vap, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("http-access", "http-access-error", "ids-signature-matched") AND network.protocol IS NOT NULL, network.protocol, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("dhcp-offer", "dhcp-no-offer") AND server.mac IS NOT NULL, server.mac, + null + ), + entity.target.id = CASE( + 
entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("rogue-ssid-detected", "ssid-spoofing-detected") AND destination.mac IS NOT NULL, destination.mac, + data_stream.dataset == "cisco_meraki.events" AND observer.serial_number IS NOT NULL, observer.serial_number, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("http-access", "http-access-error") AND url.domain IS NOT NULL, url.domain, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("malicious-file-actioned", "issued-retrospective-malicious-disposition") AND file.name IS NOT NULL, file.name, + data_stream.dataset == "cisco_meraki.events" AND observer.name IS NOT NULL, observer.name, + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("wifi-wpa-authentication", "wifi-8021x-auth", "splash-authentication"), "service", + data_stream.dataset == "cisco_meraki.log" AND destination.ip IS NOT NULL, "host", + data_stream.dataset == "cisco_meraki.events", "general", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "cisco_meraki.log" AND event.action IN ("wifi-wpa-authentication", "wifi-8021x-auth", "splash-authentication"), "wifi_vap", + data_stream.dataset == "cisco_meraki.events", "managed_device", + null + ) +| KEEP @timestamp, data_stream.dataset, event.action, user.name, host.ip, host.target.ip, service.target.name, entity.target.id, entity.target.name, entity.target.type, entity.target.sub_type +``` + +### Streams excluded + +*(none — both `cisco_meraki.log` and `cisco_meraki.events` receive partial extraction; sub-routing is by `event.action` / `cisco_meraki.event_type` within `log`)* + +### Gaps and limitations + +- 
**`cisco_meraki.security.dhost`** — IDS victim MAC vendor-only; not promoted to `host.target.*` (no `host.target.mac` in mandatory set).
+- **`cisco_meraki.event.alertData.remote`** — webhook cellular peer vendor-only; local endpoint maps to `host.target.ip`.
+- **Wi-Fi VAP display name** — `service.target.name` uses `vap` only; `radio` not composed in ES|QL.
+- **`client_vpn_connect` → `site-to-site-vpn`** — ingest eventmap error (`default.yml:96-103`); `action_exists` preserves wrong label — fix at ingest, not Pass 4.
+- **`user.id`** — not populated in fixtures; omitted.
+- **`user.email` / `user.domain`** — populated at ingest only (`events.yml:481-498`); omitted from Pass 4 actor `EVAL` (no tautological `CASE(actor_exists, user.email, user.email)`).
+- **Webhook `events` stream** — no Dashboard admin actor; `observer.*` is alerted device target, not caller.
+- **Operational subtypes** (port status, DFS, martian VLAN summary) — `observer.*` / vendor blobs only; no distinct actor/target columns beyond raw subtype `event.action`.
+- **Pass 2 alignment** — ingest-time `host.target.*` ← `destination.*` / `cisco_meraki.security.dhost` remains preferred; Pass 4 fills gaps without overwriting populated values.
diff --git a/dev/domain/p1/cisco_secure_email_gateway.md b/dev/domain/p1/cisco_secure_email_gateway.md
new file mode 100644
index 00000000000..7752031f712
--- /dev/null
+++ b/dev/domain/p1/cisco_secure_email_gateway.md
@@ -0,0 +1,602 @@
+# cisco_secure_email_gateway
+
+## Product Domain
+
+Cisco Secure Email Gateway (formerly Cisco Email Security Appliance, or ESA) is an enterprise email security platform that sits in the mail path to inspect, filter, and enforce policy on inbound and outbound email. Its lineage traces to IronPort (acquired by Cisco in 2007) and it runs on AsyncOS, a purpose-built operating system for high-volume SMTP processing. The gateway is a core control point in the email security domain: it protects organizations against spam, phishing, business email compromise (BEC), malware, ransomware, and data loss by applying multi-layered filtering before messages reach mailboxes or leave the organization.
+
+The platform combines reputation-based filtering (SenderBase), anti-spam engines, dual anti-virus scanning (Sophos and McAfee), Outbreak Filters for zero-day threats, Advanced Malware Protection (AMP) with file reputation and sandbox analysis, content and DLP policies, and email authentication checks (SPF, DKIM, DMARC). Threat decisions are informed by Cisco Talos intelligence. Deployments span on-premises hardware appliances, virtual appliances (ESAV), cloud gateways (Cisco Secure Email Cloud Gateway), and hybrid models, with centralized management available through the web GUI, CLI, or Cisco Secure Email and Web Manager.
+
+From a security operations perspective, the gateway generates rich telemetry about every message it handles: SMTP connection identifiers, filtering verdicts, quarantine actions, attachment analysis results, bounce and delivery outcomes, and administrative activity. Security teams rely on this data for threat detection, mail-flow troubleshooting, compliance auditing, and correlating email-borne attacks with broader SIEM and endpoint telemetry. Because email remains the primary vector for credential theft and malware delivery, gateway logs are a critical signal in any email-security monitoring program.
+
+## Data Collected (brief)
+
+This integration collects Cisco Secure Email Gateway appliance logs into a single **log** data stream via Elastic Agent TCP/UDP syslog listeners or logfile input (for FTP-pushed files). Twelve log categories are parsed into ECS: **AMP** (`amp`), **Anti-Spam** (`antispam`), **Anti-Virus** (`antivirus`), **Text Mail** (`mail_logs`), **Consolidated Event** (`consolidated_event`), **Content Scanner** (`content_scanner`), **Authentication** (`authentication`), **GUI/HTTP** (`gui_logs`), **System** (`system`), **Status** (`status`), **Error** (`error_logs`), and **Bounce** (`bounces`). Events include mail-flow metadata (sender, recipient, subject, message IDs, ICID/DCID/RID), security verdicts (AMP/AV/AS/DLP/DMARC/SPF/DKIM), attachment hashes and dispositions, bounce and delivery status, admin login and config-change activity, and appliance performance metrics (CPU, RAM, queue depth).
+
+## Expected Audit Log Entities
+
+The integration exposes a single **`cisco_secure_email_gateway.log`** data stream. Twelve syslog categories route to dedicated sub-pipelines (`default.yml`). **True admin audit** categories are `authentication`, `gui_logs`, and `system` (login/logout, GUI HTTP access, CLI config commits). **Audit-adjacent mail-security** categories are `consolidated_event` (CEF), `mail_logs`, `amp`, `antivirus`, `antispam`, `content_scanner`, `bounces`, and `error_logs` — they record filtering verdicts, delivery outcomes, and attachment analysis rather than human admin actions. **`status`** is appliance performance telemetry (CPU, queue depth, recipient counters) with no caller identity and no per-event action; actor/target audit semantics do not apply.
+
+**`event.action` is absent in all fixtures and pipelines** — no ingest step sets or renames to `event.action` (grep across `packages/cisco_secure_email_gateway/`). 
Some categories partially substitute `event.type`, `event.category`, and `event.outcome` (authentication session start/end, GUI web access, antivirus `vulnerability` category, error_logs `error` type) but these describe event class, not the operation verb. Rich vendor action fields exist under `cisco_secure_email_gateway.log.action`, `.act`, `.message_status`, `.connection_status`, `.disposition`, and related paths — all remain vendor-only.
+
+No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*` fields are populated (`target_fields_audit.csv` has no row for this package). Recipients are mapped to `email.to.address`, not `destination.user.*` (`destination_identity_hits.csv` has no row). `destination.ip` / `destination.port` appear only on downstream SMTP delivery failures in `mail_logs` (`pipeline_text_mail_logs.yml`). Evidence from `sample_event.json`, pipeline test fixtures under `data_stream/log/_dev/test/pipeline/`, and ingest pipelines under `data_stream/log/elasticsearch/ingest_pipeline/`. Target-fields audit classifies this package as **`moderate_candidate_network_dest`** (`target_enhancement_packages.csv`: `pipeline_dest_network=true`, no `pipeline_dest_identity`).
+
+### Event action (semantic)
+
+What operation or activity does each category record? 
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `logged-on` / `authenticated` | authentication | high | `cisco_secure_email_gateway.log.action` grok in `pipeline_authentication.yml`; pipeline sets `event.type: [start]` when action is `logged on` or `authenticated` — not copied to `event.action` | **`authentication`** |
+| `logged-out` / session timeout | authentication | high | `log.action: logged out` in `test-common-gui-log.log-expected.json`; auth/gui pipelines set `event.type: [end]` | **`authentication`**, **`gui_logs`** |
+| `GET` / HTTP access | administration | high | `http.request.method` + `url.path` grok in `pipeline_gui_logs.yml`; `event.category: [web]`, `event.type: [access]` | **`gui_logs`** HTTP req lines |
+| `changed` (passphrase/config object) | configuration_change | high | `Passphrase has been changed for user admin` → `log.action: changed` in gui fixture | **`gui_logs`** |
+| `commit-changes` | configuration_change | high | `User admin commit changes:…` grok in `pipeline_system.yml` → `cisco_secure_email_gateway.log.commit_changes` | **`system`** |
+| `QUARANTINED` / `DELIVERED` / `ABORTED` / `DQ` | detection | high | CEF `act=` → `cisco_secure_email_gateway.log.act` (`pipeline_consolidated_event.yml` L209–210); fixtures: `QUARANTINED`, `DELIVERED`, `ABORTED`, `DQ` | **`consolidated_event`** — gateway enforcement action on message |
+| `queued-for-delivery` / `delivery-start` / `message-done` | data_access | medium | `cisco_secure_email_gateway.log.message_status` grok (`queued`, `Delivery start`, `Message done`, `finished`) in `pipeline_text_mail_logs.yml` | **`mail_logs`** mail-flow lifecycle |
+| `New` / `Start` / `close` (SMTP ICID/DCID) | data_access | medium | `cisco_secure_email_gateway.log.connection_status` grok (`New`, `Start`, `close`) in text-mail fixtures | **`mail_logs`** — connection events, not message verdict |
+| `restart` (service) | 
configuration_change | medium | `cisco_secure_email_gateway.log.vendor_action: restart` when URL rep config changes (`test-common-text-mail.log-expected.json`) | **`mail_logs`**, **`content_scanner`** | +| `file-reputation-query` / `retrospective-verdict` | detection | medium | AMP grok lead patterns in `pipeline_amp.yml`; disposition `MALICIOUS`, verdict `MALICIOUS` in amp fixtures | **`amp`** — file/attachment analysis stages | +| `Virus` / `Error` / `CLEAN` (AV scan result) | detection | high | `cisco_secure_email_gateway.log.type` + `.antivirus_result` grok in `pipeline_antivirus.yml`; fixtures: `Virus 'CXmail/Phish-O'`, `Error 'Encrypted'`, `Result 'CLEAN'` | **`antivirus`** | +| `HardBounce` / bounce generation | data_access | medium | `cisco_secure_email_gateway.log.bounce_type` grok in `pipeline_bounce.yml` | **`bounces`** | +| `giving-up-on-message` / delivery failure | data_access | medium | Error/delivery-failure grok patterns; `event.type: [error]` on **`error_logs`** only | **`error_logs`**, **`mail_logs`** SMTP failure lines | +| (none — aggregate counters) | — | — | Status grok captures CPU/RAM/queue/recipient counters only | **`status`** — no per-event action | + +### Event action (ECS candidates) + +| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | +| `cisco_secure_email_gateway.log.action` | no | n/a | `logged-out`, `logged-on`, `changed` (normalize spaces/hyphens) | **yes** | Grok in `pipeline_authentication.yml`, `pipeline_gui_logs.yml`; values `logged out`, `changed`, `The HTTPS session has been established successfully.` in gui fixture — pipeline maps to `event.type`/`event.category` only | +| `http.request.method` + `url.path` | no | n/a | `GET` (or composite `GET /login`) | **yes** | `pipeline_gui_logs.yml` L11, L26–35; fixture `GET xxx.png`, `GET /login` context via `log.destination` | +| `cisco_secure_email_gateway.log.act` | no | n/a | `QUARANTINED`, `DELIVERED`, `ABORTED`, `DQ` | **yes** | CEF `act=` rename (`pipeline_consolidated_event.yml` L209–210); consolidated-event expected JSON | +| `cisco_secure_email_gateway.log.message_status` | no | n/a | `queued-for-delivery`, `delivery-start`, `message-done`, `finished` | **yes** | Grok in `pipeline_text_mail_logs.yml`; fixtures `queued`, `Delivery start`, `Message done` | +| `cisco_secure_email_gateway.log.connection_status` | no | n/a | `new-smtp-icid`, `start`, `close` | **yes** | ICID/DCID grok; fixtures `New`, `Start`, `close` | +| `cisco_secure_email_gateway.log.vendor_action` | no | n/a | `restart`, `Starting` | **yes** | mail_logs/content_scanner grok; fixture `Triggering restart of URL Reputation client service` | +| `cisco_secure_email_gateway.log.commit_changes` | no | n/a | `commit-changes` | **yes** | System grok `commit changes:%{GREEDYDATA:…}`; fixture `Added a second CLI log for examples` | +| `cisco_secure_email_gateway.log.disposition` / `.verdict` | no | n/a | `MALICIOUS`, `LOWRISK` (lowercase) | **yes** | AMP pipeline KV/grok; amp fixtures `Disposition = MALICIOUS`, `Verdict: MALICIOUS` | +| `cisco_secure_email_gateway.log.type` + `.antivirus_result` | no | n/a | `virus-detected`, `scan-clean`, `scan-error` (derive from type + result) | **yes** | Antivirus grok; fixtures `Virus 
'CXmail/Phish-O'`, `Result 'CLEAN'`, `Error 'Encrypted'` | +| `cisco_secure_email_gateway.log.bounce_type` | no | n/a | `hard-bounce`, `soft-bounce` (from bounce_type value) | **yes** | Bounce grok `^%{WORD:bounce_type}:` | +| `cisco_secure_email_gateway.log.event_class_id` | no | n/a | `ESA_CONSOLIDATED_LOG_EVENT` | partial | CEF header parse; event-type label, not per-message enforcement verb — prefer `log.act` | +| `event.type` | yes (partial substitute) | partial | `[start]`, `[end]`, `[access]`, `change`, `[error]` | no | Auth/gui/mail_logs/error pipelines set `event.type` instead of `event.action` — different ECS semantics | +| `event.category` | yes (partial substitute) | partial | `authentication`, `web`, `session`, `vulnerability` | no | Auth/gui/antivirus pipelines; category ≠ action verb | +| `event.outcome` | yes (partial substitute) | yes | `success`, `failure` | no | Auth pipeline L28–37 from `log.outcome`; outcome complements action, does not replace it | + +**Per-category action check (Step 2b):** + +| Stream (category) | `event.action` in fixtures? | Pipeline maps to `event.action`? 
| Primary action candidate | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `authentication` | no | no | `cisco_secure_email_gateway.log.action` | high | `pipeline_authentication.yml`; `event.type` start/end only | +| `gui_logs` | no | no | `log.action` or `http.request.method` | high | `pipeline_gui_logs.yml`; gui expected JSON | +| `system` | no | no | derived from `commit_changes` text | medium | `pipeline_system.yml` | +| `consolidated_event` | no | no | `cisco_secure_email_gateway.log.act` | high | `pipeline_consolidated_event.yml` L209–210 | +| `mail_logs` | no | no | `message_status` / `connection_status` / `vendor_action` | medium | `pipeline_text_mail_logs.yml` | +| `amp` | no | no | grok lead verb or `disposition`/`verdict` | medium | `pipeline_amp.yml` | +| `antivirus` | no | no | `log.type` + `antivirus_result` | high | `pipeline_antivirus.yml` | +| `antispam` | no | no | case-daemon `result` text | low | `pipeline_anti_spam.yml` | +| `content_scanner` | no | no | `vendor_action` | medium | `pipeline_content_scanner.yml` | +| `bounces` | no | no | `bounce_type` | high | `pipeline_bounce.yml` | +| `error_logs` | no | no | delivery-failure message pattern | low | `pipeline_error_logs.yml`; `event.type: [error]` only | +| `status` | no | no | (none — metrics) | n/a | `pipeline_status.yml` | + +### Actor (semantic) + +| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | +| ESA admin user | user | — | high | `user.name` from `authentication`, `gui_logs`, `system` grok patterns; `related.user` append. Fixtures: `test-common-gui-log.log-expected.json` (admin login/logout, passphrase change), `test-common-system.log-expected.json` (CLI commit). 
| Admin categories only | +| Admin client workstation | host | — | high | `client.ip` ← GUI `req: user:…` (`pipeline_gui_logs.yml`); `host.ip` ← `SourceIP:`, auth attempt `from `, session source (`pipeline_authentication.yml`, `pipeline_gui_logs.yml`). Distinct from SMTP peers. Fixtures: `test-common-gui-log.log-expected.json`. | `authentication`, `gui_logs` | +| Mail sender | user | — | high | `email.from.address` ← CEF `suser` (`pipeline_consolidated_event.yml`); mail_logs `From: <…>` grok (`pipeline_text_mail_logs.yml`); bounce `From:<…>` (`pipeline_bounce.yml`). Fixtures: `test-common-consolidated-event.log-expected.json`, `test-common-text-mail.log-expected.json`. | Mail categories; CEF `suser` may be a domain, not a mailbox | +| SMTP connecting host | host | — | high | `source.ip` / `source.domain` ← CEF `sourceAddress`/`src`, `sourceHostName`/`shost` (`pipeline_consolidated_event.yml`). Fixtures: consolidated-event expected JSON (`source.ip: 1.128.3.4`, `source.domain: unknown`). | **`consolidated_event`** primarily | +| SMTP peer (text mail, vendor-only IP) | host | — | medium | ICID/DCID connection logs store peer IP in `cisco_secure_email_gateway.log.address` / `.interface` with `related.ip` append only — **not** promoted to `source.ip` (`pipeline_text_mail_logs.yml`). Fixture: New SMTP ICID event in `test-common-text-mail.log-expected.json`. | **`mail_logs`** — actor endpoint exists in vendor fields only | +| ESA appliance (automated enforcement) | service | — | high | CEF `deviceExternalId` → `host.id`; `cisco_secure_email_gateway.log.appliance.*` (vendor/product/version). Appliance performs automated actions (`act=QUARANTINED`, `DELIVERED`). Fixture: `test-common-consolidated-event.log-expected.json`. | **`consolidated_event`** — gateway as enforcing service, not human actor | +| AV engine vendor label | service | — | medium | `observer.vendor` ← AV engine name in grok (`pipeline_antivirus.yml`, e.g. `sophos`). 
Fixture: `test-common-antivirus.log-expected.json`. | **`antivirus`** only — scan engine identity, not admin caller | + +**No actor identity:** **`status`** — aggregate counters and resource utilization only. Many **`amp`**, **`antispam`**, and **`content_scanner`** events reference MID/file context without sender IP or admin user. + +### Actor (ECS candidates) + +| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `user.name` | Admin principal | yes | yes | high | Grok in `pipeline_authentication.yml`, `pipeline_gui_logs.yml`, `pipeline_system.yml`; `related.user` append; fixtures above | +| `client.ip` | GUI HTTP client | yes | yes | high | `req: user:…` grok (`pipeline_gui_logs.yml` L11); `related.ip` append | +| `host.ip` | Admin auth/GUI source IP | yes | partial | high | Auth/gui grok → `host.ip` (`pipeline_authentication.yml`, `pipeline_gui_logs.yml`); semantically a client endpoint, not the ESA appliance host | +| `email.from.address` | Mail sender | yes | partial | high | CEF `suser` rename (`pipeline_consolidated_event.yml` L391–394); mail_logs/bounce grok; fixture values like `example.com` are domains, not full RFC5322 addresses | +| `source.ip` | SMTP connecting host | yes | yes | high | CEF `sourceAddress`/`src` convert (`pipeline_consolidated_event.yml` L365–378); consolidated-event fixtures | +| `source.domain` | SMTP HELO/rDNS hostname | yes | yes | medium | CEF `sourceHostName`/`shost` urldecode → `source.domain` (L353–363) | +| `host.id` | ESA appliance identifier | yes | partial | high | CEF `deviceExternalId` → `host.id` (L454–456); identifies observer/appliance, not admin client or mail sender | +| `cisco_secure_email_gateway.log.address` | SMTP peer IP (text mail) | yes (vendor) | n/a | medium | ICID/DCID grok stores connecting/delivery peer IP; only `related.ip`, not `source.ip` (`pipeline_text_mail_logs.yml` L15, L21, L109–114) | +| 
`cisco_secure_email_gateway.log.esa.helo.ip` | HELO IP (CEF extension) | yes (vendor) | n/a | medium | Parsed from consolidated CEF; appended to `related.ip` only (consolidated pipeline) | +| `cisco_secure_email_gateway.log.session` | Admin session ID | yes (vendor) | n/a | high | Retained in auth/gui logs; not mapped to ECS session fields | +| `cisco_secure_email_gateway.log.privilege` | Admin privilege level | yes (vendor) | n/a | high | GUI login events (`test-common-gui-log.log-expected.json`) | +| `observer.vendor` | AV engine name | yes | partial | medium | Antivirus grok captures engine vendor (`sophos`), not Cisco ESA product identity (`pipeline_antivirus.yml`) | +| `related.user` | Actor cross-reference | yes | partial | high | Appends `user.name` and mail addresses via `default.yml` email array normalization; does not distinguish actor vs recipient | + +### Target (semantic) + +| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | --- | --- | +| 1 — Platform / cloud service | Email security gateway enforcing policy | Cisco Secure Email Gateway (ESA) | service | — | high | CEF `appliance.vendor/product/version`; `host.id` from `deviceExternalId`; automated `act=QUARANTINED`/`DELIVERED`. Fixture: consolidated-event expected JSON. | Observer/enforcement plane for all mail categories | +| 1 — Platform / scan engine | Inline AV engine invoked on message | Sophos / McAfee AV engine | service | — | medium | `observer.vendor` in antivirus logs; engine name in message text. Fixture: `test-common-antivirus.log-expected.json`. | Sub-service within ESA pipeline | +| 2 — Resource / object | Mail recipient mailbox | Recipient address / domain | user | — | high | `email.to.address` ← CEF `duser`, mail_logs/bounce/error `To: <…>` grok. Fixtures: consolidated-event, text-mail, error-log expected JSON. 
| Primary acted-upon user identity | +| 2 — Resource / object | Email message under inspection | Message (MID) | general | email_message | high | `email.message_id` (MID/ESAMID) across amp, mail_logs, consolidated_event, bounce, antivirus. `sample_event.json` MID=5. | Central correlation ID for all mail-security events | +| 2 — Resource / object | Attachment or body file scanned | File attachment | general | file | high | `file.name`, `file.hash.sha256`, `email.attachments.file.*` in AMP, AV, mail_logs SHA patterns. Fixtures: `test-common-amp.log-expected.json`, `test-common-antivirus.log-expected.json`, `test-common-mail-file-upload.log-expected.json`. | Layer 2 when attachment is the inspected object | +| 2 — Resource / object | GUI policy page or config object | Web path / config object | general | web_resource, configuration | high | `cisco_secure_email_gateway.log.destination` (`/login`, `/mail_policies/…`); `url.path` on HTTP access; `cisco_secure_email_gateway.log.object` + `commit_changes` for admin changes. Fixtures: `test-common-gui-log.log-expected.json`, `test-common-system.log-expected.json`. | Admin audit targets | +| 2 — Resource / object | Downstream SMTP delivery host | Remote MTA | host | — | high | `destination.ip` / `destination.port` on send failures (`pipeline_text_mail_logs.yml` L27). Fixture: text-mail SMTP error to `1.128.3.4:0`. | Network peer **and** delivery target on failure events | +| 2 — Resource / object | Internal gateway service restarted | ESA subsystem service | service | — | medium | `cisco_secure_email_gateway.log.object` for services (`URL Reputation client service`, `content_scanner`). Fixtures: text-mail, content-scanner expected JSON. 
| System/config events | +| 3 — Content / artifact | Message subject, RID, verdict metadata | Subject line / per-recipient ID | general | email_subject, mail_recipient | high | `email.subject`, `cisco_secure_email_gateway.log.subject`; `cisco_secure_email_gateway.log.recipient_id` (RID) when address absent. Fixtures: text-mail, bounce patterns in `pipeline_bounce.yml`. | Supplements Layer 2 message/recipient identity | + +### Target (ECS candidates) + +| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `email.to.address` | 2 | user | yes | partial | `user.target.email` | yes | CEF `duser` → `email.to.address` (`pipeline_consolidated_event.yml` L328–331); mail_logs/bounce grok; values may be domains; no `user.target.*` or `destination.user.*` | +| `email.from.address` | 2 | user | yes | partial | context (sender, not target) | no | Mapped as sender/actor in mail flow; listed here because CEF conflates envelope identity — not a target field | +| `email.message_id` | 2 | general (email_message) | yes | yes | `entity.target.id` / custom | partial | MID across all mail pipelines; primary audit object ID; no official ECS target mapping | +| `email.subject` | 3 | general (email_subject) | yes | yes | context | no | CEF `msg` gsub or mail_logs grok | +| `file.name`, `file.hash.sha256`, `email.attachments.file.*` | 2–3 | general (file) | yes | yes | `file.*` / `entity.target.*` | partial | AMP/AV/mail_logs pipelines; attachment is acted-upon artifact | +| `cisco_secure_email_gateway.log.destination` | 2 | general (web_resource) | yes (vendor) | n/a | `url.path` / `service.target.*` | yes | GUI admin target path; vendor-only except overlapping `url.path` on HTTP req logs | +| `url.path` | 2 | general (web_resource) | yes | yes | context | no | HTTP GET path from GUI access grok (`pipeline_gui_logs.yml`) | +| 
`cisco_secure_email_gateway.log.object`, `.commit_changes` | 2 | general (configuration) | yes (vendor) | n/a | `entity.target.name` | yes | Config object changed (`Passphrase`, CLI commit text); vendor-only | +| `destination.ip`, `destination.port` | 2 | host | yes | partial | `host.target.ip` / network context | yes | Downstream MTA on SMTP delivery failure; network peer semantics per ECS Destination, but recipient context in same event (`email.to.address`) | +| `cisco_secure_email_gateway.log.recipient_id` | 3 | general (mail_recipient) | yes (vendor) | n/a | `user.target.id` (custom) | yes | Per-recipient RID; supplements `email.to.address` when address missing | +| `host.id` | 1 | service | yes | partial | `observer.serial_number` / `host.id` | no | Appliance ID; enforcement platform scope, not Layer 2 object | +| `cisco_secure_email_gateway.log.appliance.*` | 1 | service | yes (vendor) | n/a | `observer.product` / `service.target.name` | yes | CEF vendor/product/version parsed; not mapped to `observer.product` or `cloud.service.name` | +| `cisco_secure_email_gateway.log.act`, `.disposition`, ESA verdict fields | 3 | general (verdict) | yes (vendor) | n/a | context | no | Action/verdict metadata (`QUARANTINED`, `MALICIOUS`); enriches message target | +| `destination.user.*` / `destination.host.*` (de-facto) | — | — | no | n/a | — | no | Not used; recipients use `email.to.address` instead | + +### Gaps and mapping notes + +- **`event.action` never populated:** No pipeline step sets `event.action` despite rich vendor action fields across all categories. Primary enhancement per category: `log.action` (admin auth/GUI), `log.act` (CEF consolidated events), `message_status`/`connection_status` (mail flow), `disposition`/`verdict` (AMP), `type`+`antivirus_result` (AV), `bounce_type` (bounces). `event.type`/`event.category`/`event.outcome` partially cover auth and GUI semantics but are not substitutes for `event.action`. 
+- **No official ECS target fields:** Aligns with `target_enhancement_packages.csv` (`moderate_candidate_network_dest`, all ECS target tiers false). Primary enhancement: promote `email.to.address` → `user.target.email` (or `destination.user.email`) and `email.message_id` → `entity.target.id` for mail-security correlation. +- **Recipients not under `destination.user.*`:** Unlike `checkpoint_email` and similar integrations, CEF `duser` maps to `email.to.address` only. Semantically the mail recipient is the Layer 2 user target, but ECS target buckets are empty. +- **`destination.ip` is network dest, not user dest:** `pipeline_dest_network=true` in target-fields audit. On SMTP send failures, `destination.ip` is the downstream MTA while `email.to.address` holds the recipient — both are target-relevant but only the latter is a user identity field. +- **`host.ip` vs `host.id` ambiguity:** Admin client IP lands in `host.ip`; appliance serial lands in `host.id`. Both use the `host.*` namespace for different entity types — do not treat `host.ip` as the ESA appliance. +- **`email.from.address` / `email.to.address` partial mapping:** CEF `suser`/`duser` often contain domains or friendly-from values, not full mailbox addresses (`example.com` in consolidated-event fixture). Mapping is intentional but semantically partial for ECS `email.*` field sets. +- **SMTP peer IP gap in `mail_logs`:** Connecting host IP for ICID events stays in `cisco_secure_email_gateway.log.address` with `related.ip` only — not `source.ip`. Actor host identity is vendor-only for text-mail connection events. +- **`observer.vendor` captures AV engine, not ESA:** Antivirus grok sets `observer.vendor: sophos` (engine vendor), not `Cisco`. ESA product identity remains in `cisco_secure_email_gateway.log.appliance.*` without ECS `observer.product` mapping. +- **`related.user` conflates roles:** Appends admin `user.name` and normalized mail addresses without distinguishing actor vs recipient. 
+- **Passphrase-change actor/target overlap:** GUI event `"Passphrase has been changed for user admin"` maps `user.name: admin` — the same field represents both actor and affected user; no separate target ECS field. +- **`status` metrics:** Queue/recipient counter dimensions are aggregation subjects, not per-event audit targets; no caller identity and no per-event action in schema or fixtures. + +### Per-stream notes + +**`authentication` / `gui_logs` / `system`:** Admin audit stream. Actor is **`user.name`** (admin) plus **`client.ip`** or **`host.ip`** (workstation). Targets are GUI paths (`cisco_secure_email_gateway.log.destination`, `url.path`) and config objects (`cisco_secure_email_gateway.log.object`, `commit_changes`). **Action:** vendor `log.action` (`logged on`, `logged out`, `changed`) or HTTP method for GUI access — none mapped to `event.action`; auth uses `event.type` start/end and `event.outcome` instead. + +**`consolidated_event`:** CEF mail-security summary. Actor is mail **sender** (`email.from.address` ← `suser`) and SMTP **connecting host** (`source.ip`). Target is **recipient** (`email.to.address` ← `duser`), **message** (`email.message_id`), and **attachments** (vendor `ESAAttachmentDetails`). ESA appliance (`host.id`, `appliance.*`) is the enforcing Layer 1 service. **Action:** CEF `act` → `log.act` (`QUARANTINED`, `DELIVERED`, `ABORTED`, `DQ`) — primary `event.action` candidate, not mapped today. + +**`mail_logs` / `bounces` / `error_logs`:** Text-format mail flow. Same sender/recipient/message/file target patterns; bounces add `email.from.address` + `email.to.address` + RID. `destination.ip` appears on delivery-failure lines only. **Action:** `message_status`/`connection_status` for lifecycle events; `bounce_type` for bounces; delivery-failure text for errors — all vendor-only. + +**`amp` / `antivirus` / `antispam` / `content_scanner`:** Filtering-engine telemetry keyed by MID and file hash. 
Target is the **message** and **attachment**; sender/recipient often absent. Antivirus adds **`observer.vendor`** for engine name. **Action:** AMP disposition/verdict; AV scan type + result (`Virus`, `CLEAN`, `Error`); content_scanner `vendor_action` (e.g. `restart`) — none mapped to `event.action`. + +**`status`:** Appliance health metrics only — actor/target audit semantics and per-event action do not apply. + +## Example Event Graph + +Examples below come from the single **`cisco_secure_email_gateway.log`** data stream, drawn from pipeline test fixtures across **`gui_logs`** (true admin audit), **`consolidated_event`** (audit-adjacent mail enforcement), and **`antivirus`** (audit-adjacent scan telemetry). `event.action` is absent in all fixtures; actions are derived from vendor fields and noted as not mapped to ECS today. + +### Example 1: Admin GUI HTTP asset request + +**Stream:** `cisco_secure_email_gateway.log` · **Fixture:** `packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-gui-log.log-expected.json` + +``` +Admin user (client) → GET → GUI web resource (xxx.png) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | 2v10z5fEuDsvhdbVE6Ck | +| name | admin | +| type | user | +| ip | 1.128.3.4 | + +**Field sources:** +- `id` ← `event.id` +- `name` ← `user.name` +- `ip` ← `client.ip` + +#### Event action + +| Field | Value | +| --- | --- | +| action | GET | +| source_field | `http.request.method` | +| source_value | GET | + +**Not mapped to ECS `event.action` today** — pipeline sets `event.category: [web]` and `event.type: [access]` instead. 
+ +#### Target + +| Field | Value | +| --- | --- | +| name | xxx.png | +| type | general | +| sub_type | web_resource | + +**Field sources:** +- `name` ← `url.path` + +#### Mermaid (optional) + +```mermaid +flowchart LR + A["Actor: admin (1.128.3.4)"] --> E["GET"] + E --> T["Target: xxx.png"] +``` + +### Example 2: Inbound message quarantined by policy + +**Stream:** `cisco_secure_email_gateway.log` · **Fixture:** `packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log-expected.json` (ESAMID 238746 — distinct sender and recipient) + +The first consolidated-event row uses the same domain for CEF `suser` and `duser` (`example.com`), which would read as “sender quarantines to themselves.” This example uses a later event where `irobot@example.com` ≠ `alfombra@example.com`. + +``` +Mail sender (irobot@example.com) → QUARANTINED → inbound message for alfombra@example.com +``` + +#### Actor + +| Field | Value | +| --- | --- | +| name | irobot@example.com | +| type | user | +| ip | 81.2.69.192 | + +**Field sources:** +- `name` ← `email.from.address` (CEF `suser`) +- `ip` ← `source.ip` (SMTP connecting host; CEF `ESAHeloIP`) + +#### Event action + +| Field | Value | +| --- | --- | +| action | QUARANTINED | +| source_field | `cisco_secure_email_gateway.log.act` | +| source_value | QUARANTINED | + +**Not mapped to ECS `event.action` today** — CEF `act=` is retained as vendor field only. + +#### Target + +| Field | Value | +| --- | --- | +| id | 238746 | +| name | IE : Crayons | +| type | general | +| sub_type | email_message | + +**Field sources:** +- `id` ← `email.message_id` (ESAMID) +- `name` ← `email.subject` (message `"IE : Crayons"`) +- `sub_type` ← inbound mail object quarantined before delivery + +**Scope context (not target):** intended recipient **alfombra@example.com** (`email.to.address`, CEF `duser`); mail policy **DEFAULT** (`cisco_secure_email_gateway.log.cs1`). 
+ +#### Mermaid (optional) + +```mermaid +flowchart LR + A["Actor: irobot@example.com"] --> E["QUARANTINED"] + E --> T["Target: message 238746 (alfombra@example.com)"] +``` + +### Example 3: Antivirus engine detects phishing attachment + +**Stream:** `cisco_secure_email_gateway.log` · **Fixture:** `packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-antivirus.log-expected.json` + +``` +AV scan engine → Virus → email attachment +``` + +#### Actor + +| Field | Value | +| --- | --- | +| name | sophos | +| type | service | + +**Field sources:** +- `name` ← `observer.vendor` (inline AV engine identity, not human admin) + +#### Event action + +| Field | Value | +| --- | --- | +| action | Virus | +| source_field | `cisco_secure_email_gateway.log.type` | +| source_value | Virus | + +**Not mapped to ECS `event.action` today** — pipeline sets `event.category: vulnerability` only; scan result detail is in `cisco_secure_email_gateway.log.antivirus_result` (`CXmail/Phish-O`). + +#### Target + +| Field | Value | +| --- | --- | +| id | 66842418 | +| name | Payment.html | +| type | general | +| sub_type | file | + +**Field sources:** +- `id` ← `email.message_id` (MID) +- `name` ← `file.name` + +#### Mermaid (optional) + +```mermaid +flowchart LR + A["Actor: sophos (AV engine)"] --> E["Virus"] + E --> T["Target: Payment.html (MID 66842418)"] +``` + +## ES|QL Entity Extraction + +**Package type: agent-backed** (`policy_templates`, single `data_stream/log` with Tier A fixtures). Router: **`data_stream.dataset == "cisco_secure_email_gateway.log"`**; secondary discriminator: **`cisco_secure_email_gateway.log.category.name`** (twelve syslog categories, one dataset). 
Pass 4 is **fill-gaps-only**: detection flags run first; mapped columns use **column-level** `CASE(col IS NOT NULL, col, condition, fallback, null)` (or **3-arg** `CASE(col IS NOT NULL, col, fallback)` in narrow pipeline fragments) — not `CASE(actor_exists, user.id, …)` / `CASE(target_exists, col, …)` when other actor/target signals can be set while `col` is empty (`actor_exists` includes `client.ip` / `user.name`; mail `user.id` fallbacks must not be blocked). Admin categories (**authentication**, **gui_logs**, **system**) map human actors; mail-security categories map sender + SMTP host actors and recipient/message targets; **`status`** is excluded (metrics). Auth login → **`service.target.name`** `"Cisco Secure Email Gateway"` (Pass 3 platform target), not self-referential admin user; GUI HTTP access → **`entity.target.name`** ← `url.path` (Pass 3 web resource). **Pass 4 (tautology cleanup):** no `CASE(col, col, …)` identity fallbacks; admin **`user.name`** and authentication **`host.ip`** are **ingest-only — no ES|QL** (pipelines grok them at index time with no alternate query-time source). 
+ +### Dataset inventory + +| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction | +| --- | --- | --- | --- | --- | +| `cisco_secure_email_gateway.log` (authentication, gui_logs, system) | admin audit | user, host | service, general (web/config) | full | +| `cisco_secure_email_gateway.log` (consolidated_event, mail_logs, bounces) | mail security | user, host | user, general (message/file) | partial | +| `cisco_secure_email_gateway.log` (amp, antivirus, antispam, content_scanner) | filter telemetry | service | general (file/message) | partial | +| `cisco_secure_email_gateway.log` (error_logs) | delivery errors | user, host | host, user | partial | +| `cisco_secure_email_gateway.log` (status) | metrics | — | — | none | + +### Field mapping plan + +#### Actor mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `user.id` | `user.name` | `data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("authentication", "gui_logs", "system")` | high | **column-level preserve** (`user.id IS NOT NULL`); fallback admin surrogate when `user.id` empty | +| `user.name` | — | `data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("authentication", "gui_logs", "system")` | high | **ingest-only — no ES\|QL** — grok → `user.name` at ingest; no alternate query-time source | +| `user.name` | `email.from.address` | `data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("consolidated_event", "mail_logs", "bounces")` | high | **vendor fallback** — mail sender (may be domain-only) | +| `user.email` | `email.from.address` | `data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("consolidated_event", "mail_logs", "bounces", "error_logs")` | high | 
**vendor fallback** | +| `host.ip` | `client.ip` | `data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "gui_logs"` | high | **preserve existing** / fallback GUI client | +| `host.ip` | — | `data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "authentication"` | high | **ingest-only — no ES\|QL** — auth grok → `host.ip` at ingest | +| `host.ip` | `source.ip` | `data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("consolidated_event", "error_logs")` | high | **vendor fallback** — SMTP connecting host | +| `service.name` | `observer.vendor` | `data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "antivirus"` | medium | **vendor fallback** — AV engine (sophos), not human admin | + +#### Target mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `service.target.name` | `"Cisco Secure Email Gateway"` | `data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "authentication" AND cisco_secure_email_gateway.log.action IN ("logged on", "authenticated")` | low | **semantic literal** — admin login to appliance (Pass 3) | +| `entity.target.name` | `url.path` | `data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "gui_logs" AND url.path IS NOT NULL` | high | **vendor fallback** — GUI web resource (Pass 3 Example 1) | +| `user.target.email` | `email.to.address` | `data_stream.dataset == "cisco_secure_email_gateway.log" AND email.to.address IS NOT NULL` | high | **de-facto destination** — CEF `duser`; not `destination.user.*` | +| `entity.target.id` | `email.message_id` | `data_stream.dataset == "cisco_secure_email_gateway.log" AND email.message_id IS NOT NULL` | high 
| **vendor fallback** — MID/ESAMID | +| `entity.target.name` | `email.subject` | `data_stream.dataset == "cisco_secure_email_gateway.log" AND email.subject IS NOT NULL` | high | **vendor fallback** — message display name | +| `entity.target.name` | `file.name` | `data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("amp", "antivirus") AND file.name IS NOT NULL` | high | **vendor fallback** — scanned attachment (Pass 3 Example 3) | +| `entity.target.name` | `cisco_secure_email_gateway.log.object` | `data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "system"` | high | **vendor fallback** — config object on CLI commit | +| `host.target.ip` | `destination.ip` | `data_stream.dataset == "cisco_secure_email_gateway.log" AND destination.ip IS NOT NULL` | high | **de-facto destination** — downstream MTA on delivery failure | + +#### Event action mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `event.action` | `http.request.method` | `data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "gui_logs" AND http.request.method IS NOT NULL` | high | **vendor fallback** — GUI HTTP access (Pass 3 Example 1) | +| `event.action` | `cisco_secure_email_gateway.log.action` | `data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("authentication", "gui_logs") AND cisco_secure_email_gateway.log.action IS NOT NULL` | high | **vendor fallback** — admin session verbs | +| `event.action` | `cisco_secure_email_gateway.log.act` | `data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "consolidated_event"` | high | **vendor fallback** — CEF enforcement (`QUARANTINED`, `DELIVERED`) | +| `event.action` | 
`cisco_secure_email_gateway.log.type` | `data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "antivirus"` | high | **vendor fallback** — scan stage (`Virus`, `Result`, `Error`) |
+| `event.action` | `cisco_secure_email_gateway.log.message_status` | `data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "mail_logs"` | medium | **vendor fallback** — mail-flow lifecycle |
+| `event.action` | `cisco_secure_email_gateway.log.bounce_type` | `data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "bounces"` | high | **vendor fallback** |
+
+`actor_exists` omits `host.id` and `source.ip` — `host.id` is appliance serial on CEF events; `source.ip` alone must not block mail-sender fallbacks to `user.name` / `user.email`.
+
+### Detection flags (mandatory — run first)
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR client.ip IS NOT NULL OR host.ip IS NOT NULL
+ OR service.name IS NOT NULL OR observer.vendor IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+### Optional classification helpers (when needed)
+
+Set in **fallback** only when `NOT target_exists`:
+
+```esql
+| EVAL
+ entity.target.type = CASE(
+ entity.target.type IS NOT NULL, entity.target.type,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "authentication" AND cisco_secure_email_gateway.log.action IN ("logged on", "authenticated"), "service",
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND email.to.address IS NOT NULL, "user",
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND file.name IS NOT NULL, "general",
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND url.path IS NOT NULL, "general",
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "authentication" AND cisco_secure_email_gateway.log.action IN ("logged on", "authenticated"), null,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND email.message_id IS NOT NULL, "email_message",
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND file.name IS NOT NULL, "file",
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND url.path IS NOT NULL, "web_resource",
+ null
+ )
+```
+
+### Combined ES|QL — actor fields
+
+```esql
+| EVAL
+ user.id = CASE(
+ user.id IS NOT NULL, user.id,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("authentication", "gui_logs", "system"), user.name,
+ null
+ ),
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("consolidated_event", "mail_logs", "bounces"), email.from.address,
+ null
+ ),
+ user.email = CASE(
+ user.email IS NOT NULL, user.email,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("consolidated_event", "mail_logs", "bounces", "error_logs") AND email.from.address IS NOT NULL, email.from.address,
+ null
+ ),
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "gui_logs", client.ip,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND 
cisco_secure_email_gateway.log.category.name IN ("consolidated_event", "error_logs"), source.ip,
+ null
+ ),
+ service.name = CASE(
+ service.name IS NOT NULL, service.name,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "antivirus", observer.vendor,
+ null
+ )
+```
+
+### Combined ES|QL — event action
+
+```esql
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "gui_logs" AND http.request.method IS NOT NULL, http.request.method,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "consolidated_event" AND cisco_secure_email_gateway.log.act IS NOT NULL, cisco_secure_email_gateway.log.act,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "antivirus" AND cisco_secure_email_gateway.log.type IS NOT NULL, cisco_secure_email_gateway.log.type,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "mail_logs" AND cisco_secure_email_gateway.log.message_status IS NOT NULL, cisco_secure_email_gateway.log.message_status,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "bounces" AND cisco_secure_email_gateway.log.bounce_type IS NOT NULL, cisco_secure_email_gateway.log.bounce_type,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("authentication", "gui_logs") AND cisco_secure_email_gateway.log.action IS NOT NULL, cisco_secure_email_gateway.log.action,
+ null
+ )
+```
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND 
cisco_secure_email_gateway.log.category.name == "authentication" AND cisco_secure_email_gateway.log.action IN ("logged on", "authenticated"), "Cisco Secure Email Gateway",
+ null
+ ),
+ user.target.email = CASE(
+ user.target.email IS NOT NULL, user.target.email,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND email.to.address IS NOT NULL, email.to.address,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND email.message_id IS NOT NULL, email.message_id,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("amp", "antivirus") AND file.name IS NOT NULL, file.name,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND email.subject IS NOT NULL, email.subject,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "gui_logs" AND url.path IS NOT NULL, url.path,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "system", cisco_secure_email_gateway.log.object,
+ null
+ ),
+ host.target.ip = CASE(
+ host.target.ip IS NOT NULL, host.target.ip,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND destination.ip IS NOT NULL, destination.ip,
+ null
+ )
+```
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR client.ip IS NOT NULL OR host.ip IS NOT NULL
+ OR service.name IS NOT NULL OR observer.vendor IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS 
NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ user.id = CASE(
+ user.id IS NOT NULL, user.id,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("authentication", "gui_logs", "system"), user.name,
+ null
+ ),
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("consolidated_event", "mail_logs", "bounces"), email.from.address,
+ null
+ ),
+ user.email = CASE(
+ user.email IS NOT NULL, user.email,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("consolidated_event", "mail_logs", "bounces", "error_logs") AND email.from.address IS NOT NULL, email.from.address,
+ null
+ ),
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "gui_logs", client.ip,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("consolidated_event", "error_logs"), source.ip,
+ null
+ ),
+ service.name = CASE(
+ service.name IS NOT NULL, service.name,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "antivirus", observer.vendor,
+ null
+ ),
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "gui_logs" AND http.request.method IS NOT NULL, http.request.method,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "consolidated_event" AND cisco_secure_email_gateway.log.act IS NOT NULL, cisco_secure_email_gateway.log.act,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND 
cisco_secure_email_gateway.log.category.name == "antivirus" AND cisco_secure_email_gateway.log.type IS NOT NULL, cisco_secure_email_gateway.log.type,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "mail_logs" AND cisco_secure_email_gateway.log.message_status IS NOT NULL, cisco_secure_email_gateway.log.message_status,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "bounces" AND cisco_secure_email_gateway.log.bounce_type IS NOT NULL, cisco_secure_email_gateway.log.bounce_type,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("authentication", "gui_logs") AND cisco_secure_email_gateway.log.action IS NOT NULL, cisco_secure_email_gateway.log.action,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "authentication" AND cisco_secure_email_gateway.log.action IN ("logged on", "authenticated"), "Cisco Secure Email Gateway",
+ null
+ ),
+ user.target.email = CASE(
+ user.target.email IS NOT NULL, user.target.email,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND email.to.address IS NOT NULL, email.to.address,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND email.message_id IS NOT NULL, email.message_id,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name IN ("amp", "antivirus") AND file.name IS NOT NULL, file.name,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND email.subject IS NOT NULL, email.subject,
+ data_stream.dataset == "cisco_secure_email_gateway.log" 
AND cisco_secure_email_gateway.log.category.name == "gui_logs" AND url.path IS NOT NULL, url.path,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND cisco_secure_email_gateway.log.category.name == "system", cisco_secure_email_gateway.log.object,
+ null
+ ),
+ host.target.ip = CASE(
+ host.target.ip IS NOT NULL, host.target.ip,
+ data_stream.dataset == "cisco_secure_email_gateway.log" AND destination.ip IS NOT NULL, destination.ip,
+ null
+ )
+| KEEP @timestamp, data_stream.dataset, cisco_secure_email_gateway.log.category.name, event.action, user.name, user.email, host.ip, user.target.email, entity.target.id, entity.target.name, service.target.name
+```
+
+### Streams excluded
+
+- **`cisco_secure_email_gateway.log` where `cisco_secure_email_gateway.log.category.name == "status"`** — appliance health/queue metrics; no caller identity, no per-event action.
+
+### Gaps and limitations
+
+- **`event.action` at ingest** — never populated today; Pass 4 supplies query-time fallback only when `action_exists` is false. Long GUI `log.action` strings (e.g. HTTPS session established) are passed through verbatim — prefer `http.request.method` branch when present.
+- **`email.from.address` / `email.to.address`** — often domain-only or multi-valued arrays (`example.com` in fixtures); partial RFC5322 semantics.
+- **`mail_logs` SMTP peer** — connecting IP in `cisco_secure_email_gateway.log.address` only; not promoted to `source.ip` / `host.ip` at ingest.
+- **`host.ip` vs `host.id`** — admin client vs appliance serial share `host.*` namespace; `host.id` excluded from `actor_exists`.
+- **Pass 4 tautology cleanup** — admin `user.name` and authentication `host.ip` omitted from actor `EVAL` (ingest-only; no `CASE(col, col, …)`); mail `user.name` ← `email.from.address`, GUI `host.ip` ← `client.ip`, CEF/error `host.ip` ← `source.ip` only.
+- **Pass 4 CASE syntax** — combined actor/target/classification blocks use column-level `CASE(col IS NOT NULL, col, …)` (not `CASE(actor_exists|target_exists, col, …)`); consolidated_event pipeline fragment uses **3-arg** `CASE(event.action IS NOT NULL, event.action, cisco_secure_email_gateway.log.act)` — not **4-arg** `CASE(action_exists, event.action, cisco_secure_email_gateway.log.act, null)` where `log.act` parses as a boolean condition.
+- **Passphrase change** — `user.name` represents both actor and affected user; no separate `user.target.*` today.
+- **`destination.user.*` not used** — recipients via `email.to.address` → `user.target.email` instead.
+- **Pass 2 enhancement alignment** — ingest-time `event.action` and `user.target.*` promotion remain preferred; Pass 4 fills gaps without overwriting populated values.
+- **`amp` / `antispam` / `content_scanner` action fallbacks** — disposition/verdict/vendor_action omitted from `event.action` CASE (low confidence); document only in Pass 2 action tables.
diff --git a/dev/domain/p1/cisco_umbrella.md b/dev/domain/p1/cisco_umbrella.md
new file mode 100644
index 00000000000..15e283ed4eb
--- /dev/null
+++ b/dev/domain/p1/cisco_umbrella.md
@@ -0,0 +1,563 @@
+# cisco_umbrella
+
+## Product Domain
+
+Cisco Umbrella (now part of Cisco Secure Access) is a cloud-delivered security platform that protects users and workloads wherever they connect—on corporate networks, roaming endpoints, or direct internet access. Its foundation is DNS-layer security: Umbrella resolves and inspects DNS queries before connections are established, blocking requests to malicious domains, command-and-control infrastructure, and disallowed content categories based on Cisco Talos threat intelligence and organizational policy. Because DNS is the first step in nearly every internet connection, this approach provides broad coverage with minimal latency and no need to backhaul traffic through on-premises appliances.
+
+Beyond DNS filtering, Umbrella extends into a full Secure Service Edge (SSE) stack. A cloud-delivered secure web gateway (SWG) proxies and inspects HTTP/HTTPS traffic for malware, data loss, and acceptable-use policy violations. Cloud firewall and intrusion prevention (IPS) capabilities enforce layer-3/4 and signature-based rules on user-generated traffic. Data loss prevention (DLP), remote browser isolation (RBI), and Advanced Malware Protection (AMP) file inspection add depth for sensitive data and file-based threats. Identity-aware policies tie enforcement to users, devices, networks, and roaming clients, supporting zero-trust network access (ZTNA) and private resource access alongside internet-bound traffic.
+
+Umbrella is deployed as a cloud service with no customer-managed proxies in the data path for most use cases. Administrators configure policies, destination lists, and identity mappings in the Umbrella dashboard; enforcement occurs at Umbrella's globally distributed data centers. Organizations export detailed activity logs to Amazon S3 (self-managed or Cisco-managed buckets) for retention, compliance, and SIEM integration. 
Security teams use these logs for threat hunting, incident investigation, policy tuning, and correlating DNS, web, firewall, and IPS events with broader enterprise telemetry.
+
+## Data Collected (brief)
+
+This integration collects Cisco Umbrella logs into a single **log** data stream via Elastic Agent **aws-s3** input from a self-managed or Cisco-managed Amazon S3 bucket (with optional SQS notification queue). It supports Umbrella log schema version 13. Eight log categories are parsed into ECS: **DNS** (`dnslogs`), **proxy/SWG** (`proxylogs`), **firewall** (`firewalllogs`, `cloudfirewalllogs`), **IP-layer** (`iplogs`), **IPS/intrusion** (`intrusionlogs`), **DLP** (`dlplogs`), and **audit/administration** (`auditlogs`). Events include identity and policy context, allow/block actions, DNS query and response details, HTTP/HTTPS proxy metadata, firewall session data, IPS signatures and severity, DLP matches, AMP file-inspection verdicts, and configuration-change audit records, with vendor-specific fields under `cisco.umbrella.*`.
+
+## Expected Audit Log Entities
+
+Classifications below are grounded in the single `log` data stream under `packages/cisco_umbrella/data_stream/log/` — `sample_event.json`, pipeline test `*-expected.json` fixtures, `fields/fields.yml`, and `elasticsearch/ingest_pipeline/default.yml`. Log category is determined by S3 object path: **dnslogs**, **proxylogs**, **firewalllogs**, **cloudfirewalllogs**, **iplogs**, **intrusionlogs**, **dlplogs**, and **auditlogs** (eight S3 log types, schema v13).
+
+Only **auditlogs** is a true Umbrella admin audit trail (`event.category: configuration`, `event.type: creation`/`change`/`deletion`). The other seven categories are inline enforcement telemetry (DNS, SWG, firewall, IPS, DLP) — audit-adjacent for identity and policy correlation but not configuration-change audit events.
+
+No stream populates ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*`. 
The package is classified **strong_candidate** in `dev/target-fields-audit/out/target_enhancement_packages.csv` (actor and target vendor signals present; no official target fields mapped). `destination.user.*` / `destination.host.*` are **not** used — package absent from `destination_identity_hits.csv`; `destination.ip`/`destination.port` hold network/session peers only.
+
+Seven of eight log categories populate `event.action` in the ingest pipeline. **iplogs** has no vendor action column and no pipeline branch — connection metadata only. Traffic streams prefix vendor verdict or HTTP method (`dns-request-`, `proxy-request-`, `fw-connection-`, `ips-`, `dlp-`); **auditlogs** maps the CSV action column directly (`create`, `update`, `delete`).
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| **auditlogs** | yes | yes | CSV column 6 → `event.action` | high | `create`, `update`, `delete` in `test-umbrella-auditlogs.log-expected.json`; drives `event.type` (L690–698) |
+| **dnslogs** | yes | yes | `cisco.umbrella.action` → `dns-request-{{{cisco.umbrella.action}}}` | high | `dns-request-Allowed`, `dns-request-Blocked` in `test-umbrella-dnslogs.log-expected.json`; gsub spaces→hyphens (L616–624) |
+| **proxylogs** | yes | yes | `http.request.method` → `proxy-request-{{{http.request.method}}}` | high | `proxy-request-GET`, `proxy-request-HEAD` in `test-umbrella-proxylogs.log-expected.json` (L625–628); vendor `cisco.umbrella.action` (`ALLOWED`) drives `event.type` only |
+| **firewalllogs** / **cloudfirewalllogs** | yes | yes | `cisco.umbrella.action` → `fw-connection-{{{cisco.umbrella.action}}}` | high | `fw-connection-ALLOW`, `fw-connection-BLOCK` in `test-umbrella-cloudfirewalllogs.log-expected.json` (L629–632) |
+| **intrusionlogs** | yes | yes | `cisco.umbrella.action` → `ips-{{{cisco.umbrella.action}}}` | high | `ips-Would-Block` in 
`test-umbrella-intrusionlogs.log-expected.json` (L633–636) |
+| **dlplogs** | yes | yes | `cisco.umbrella.action` → `dlp-{{{cisco.umbrella.action}}}` | high | `dlp-BLOCK` in `test-umbrella-dlplogs.log-expected.json` (L637–640) |
+| **iplogs** | no | no | No action column in CSV schema | high | `test-umbrella-iplogs.log-expected.json` — `event.type: connection` only; no `cisco.umbrella.action` field |
+
+### Event action (semantic)
+
+What operation or activity does each stream record?
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `create` | configuration_change | high | `test-umbrella-auditlogs.log-expected.json`, `sample_event.json` | Admin creates config object (`onpremlogentry`, etc.); appends `event.type: creation` |
+| `update` | configuration_change | high | `test-umbrella-auditlogs.log-expected.json` (`logexportconfigurations` version change) | Admin modifies existing object; appends `event.type: change` |
+| `delete` | configuration_change | high | `test-umbrella-auditlogs.log-expected.json` (`roamingdevices` delete) | Admin removes object; appends `event.type: deletion` |
+| `dns-request-allowed` | data_access | high | `test-umbrella-dnslogs.log-expected.json` | DNS query permitted by policy |
+| `dns-request-blocked` | data_access | high | `test-umbrella-dnslogs.log-expected.json` | DNS query denied; also sets `event.type: denied` |
+| `proxy-request-get` / `proxy-request-head` | data_access | high | `test-umbrella-proxylogs.log-expected.json` | SWG HTTP method for the proxied request; allow/block in `event.type` via `cisco.umbrella.action` |
+| `fw-connection-allow` | data_access | high | `test-umbrella-cloudfirewalllogs.log-expected.json` | Cloud firewall session permitted |
+| `fw-connection-block` | data_access | high | `test-umbrella-cloudfirewalllogs.log-expected.json` | Cloud firewall session denied; `event.type: denied` |
+| `ips-would-block` | detection | high | 
`test-umbrella-intrusionlogs.log-expected.json` | IPS signature match in monitor/would-block mode; `event.kind: alert` |
+| `dlp-block` | data_access | high | `test-umbrella-dlplogs.log-expected.json` | DLP policy block on file transfer |
+| (no per-event action) | data_access | high | `test-umbrella-iplogs.log-expected.json` | IP-layer connection log — no allow/block verdict column in schema v13 CSV |
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `event.action` ← audit CSV column 6 | yes | yes | `create`, `update`, `delete` | no | `default.yml` L270–278 CSV target_fields; L690–698 derives `event.type` from action |
+| `event.action` ← `cisco.umbrella.action` (dns) | yes | yes | `dns-request-Allowed`, `dns-request-Blocked` | no | `default.yml` L616–624; gsub normalizes spaces in vendor action before prefix |
+| `event.action` ← `http.request.method` (proxy) | yes | partial | `proxy-request-GET`, `proxy-request-HEAD` | partial | `default.yml` L625–628; records HTTP verb, not SWG verdict — `cisco.umbrella.action` (`ALLOWED`/`BLOCKED`) only feeds `event.type` |
+| `cisco.umbrella.action` (proxy alternate) | no | n/a | `proxy-request-ALLOWED`, `proxy-request-BLOCKED` | yes | Vendor action in proxy CSV L81; would align proxy with DNS/firewall prefix pattern |
+| `event.action` ← `cisco.umbrella.action` (firewall) | yes | yes | `fw-connection-ALLOW`, `fw-connection-BLOCK` | no | `default.yml` L629–632; shared branch for `firewalllogs` and `cloudfirewalllogs` |
+| `event.action` ← `cisco.umbrella.action` (ips) | yes | yes | `ips-Would-Block` | no | `default.yml` L633–636 |
+| `event.action` ← `cisco.umbrella.action` (dlp) | yes | yes | `dlp-BLOCK` | no | `default.yml` L637–640 |
+| (none — iplogs) | no | n/a | — | no | IP logs CSV (L54–64) has no action column; no meaningful 
per-event action to map |
+| `cisco.umbrella.file_action` / `isolate_action` | no | n/a | vendor-only in proxy CSV | partial | Proxy extended fields L107–108; secondary AMP/RBI actions not promoted to `event.action` |
+| `event.type` ← `cisco.umbrella.action` | no (not `event.action`) | yes | `allowed`, `denied` | partial | L649–653; normalized outcome — distinct from prefixed `event.action` on traffic streams |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Umbrella dashboard/API administrator | user | — | high | Audit CSV → `user.email`/`user.name`/`user.id`; `related.user` | **auditlogs** only; `sample_event.json` (`admin@company.com`, `Administrator`); `source.ip` is admin workstation, not actor identity |
+| On-prem connector / system actor | service | — | medium | `onpremlogentry` create with `user.email`/`user.name` = `null`, no `user` block | **auditlogs**; `onpremUser: SYSTEM` only inside unparsed `cisco.umbrella.audit.after` blob |
+| AD-authenticated end user | user | — | high | Identity script maps `AD Users` → `user.*`; grok extracts email from identity string | **dnslogs**; fixtures: `elasticuser`, `ElasticUser@elastic.co`, `Do_redacted.Mc_redacted@example.com` |
+| Roaming / AnyConnect / mobile endpoint | host | — | high | `Roaming Computers`, `Anyconnect Roaming Client`, `Mobile Devices` → `host.name` (lowercased) | **dnslogs**; fixtures: `elastic machine`, `5cd133btpt`, `c4dde8eb61890000` |
+| Site / internal network identity | general | network-segment | medium | `Sites`, `Internal Networks`, `Networks` → `network.name` only | **dnslogs**, **proxylogs**, **firewalllogs**/**cloudfirewalllogs**; no `user.*`/`host.name` when identity is segment-only |
+| Requesting endpoint IP | host | — | high | `source.ip`, `source.nat.ip` (Umbrella resolver egress) | All traffic streams; primary actor when identity ECS mapping absent |
+| 
Umbrella policy identity (unmapped) | general | policy-identity | medium | `cisco.umbrella.identity` / `identities` / `policy_identity_type` retained vendor-only | **proxylogs**, **iplogs**; singular `Roaming Computer` in proxy fixtures does **not** trigger plural `Roaming Computers` host script — no `host.name` despite identity present |
+| Tunnel / CDFW device context | general | network-segment | medium | `CDFW Tunnel Device`, `Network Tunnels` → `network.name` | **firewalllogs**/**cloudfirewalllogs**, **intrusionlogs**; `Passive Monitor`, `HQ`, `Firewall Tunnel 1` |
+| DLP engine process | service | — | low | `event.provider` = `Real Time`; no human principal in fixtures | **dlplogs** only |
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `user.email` / `user.name` / `user.id` | Admin or AD user actor | yes | yes | high | **auditlogs**: CSV direct map (`default.yml` audit branch); **dnslogs**: identity script + grok on `AD Users` |
+| `user.full_name` | AD user display name | yes | yes | high | **dnslogs**: grok from identity string when `@` present |
+| `host.name` / `host.hostname` / `host.domain` | Endpoint actor | yes | yes | high | **dnslogs**: identity script for device types; grok splits FQDN hostname/domain |
+| `network.name` | Site/network/tunnel actor context | yes | partial | medium | Identity script for segment types; array field — actor context not principal when user/host also present |
+| `source.ip` / `source.nat.ip` | Flow origin / client IP (context) | yes | partial | high | All traffic streams; session endpoint, not human actor when `user.*` populated |
+| `source.port` / `source.bytes` / `source.packets` | Flow origin metadata | yes | n/a | high | **firewalllogs**/**cloudfirewalllogs**, **iplogs**, **intrusionlogs** |
+| `related.user` / `related.hosts` / `related.ip` | Actor enrichment | yes | yes | high | Appended from 
`user.name`, `host.name`, flow IPs across streams |
+| `organization.id` | Umbrella org tenancy (scope) | yes | n/a | high | **dnslogs**, **firewalllogs**/**cloudfirewalllogs**, **intrusionlogs**, **dlplogs** — scope, not actor |
+| `observer.vendor` / `observer.product` / `observer.type` | Inspecting service (context) | yes | n/a | high | Static `Cisco`/`Umbrella`; per-path `dns`/`proxy`/`firewall`/`idps`/`dlp` — observer, not event actor |
+| `cisco.umbrella.identity` | Canonical Umbrella identity string | yes (vendor) | n/a | high | All traffic streams; often duplicate of mapped `user.*`/`host.name` or unmapped in **proxylogs**/**iplogs** |
+| `cisco.umbrella.identities` / `identity_types` | Identity array + type labels | yes (vendor) | n/a | high | Drive identity script; source of truth when ECS user/host not populated |
+| `cisco.umbrella.policy_identity_type` | Matched policy identity label | yes (vendor) | n/a | medium | **dnslogs**, **proxylogs**; policy context |
+| `file.owner` | File owner / uploader | yes | n/a | low | **dlplogs** CSV column mapped to ECS but empty in fixtures — potential user actor unproven |
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Platform / cloud service | Cisco Umbrella / Secure Access cloud | Umbrella DNS resolver, SWG, cloud firewall, IPS, DLP | service | — | high | `observer.product: Umbrella`; `cisco.umbrella.datacenter` (`ams1.edc`, `DEN1`); no `cloud.service.name` set | Scope/enforcement plane across all streams |
+| 1 — Platform / cloud service | Cloud/SaaS application under policy | Dropbox, web apps | service | — | high | `network.application` (`dropbox` in **dlplogs**); `cisco.umbrella.application_category_name` | **dlplogs**, **firewalllogs**/**cloudfirewalllogs** (when `network.application` populated) |
+| 1 — Platform / cloud service | FTD enforcement 
component | Firepower Threat Defense | service | — | medium | `cisco.umbrella.enforced_by: FTD`; `ftd_enforcement_id`/`ftd_enforcement_name` | **intrusionlogs** v2 extended fields |
+| 2 — Resource / object | Configuration object changed by admin | Log export config, roaming device, on-prem log entry | general | configuration_object | high | `cisco.umbrella.audit.type` (`logexportconfigurations`, `roamingdevices`, `onpremlogentry`); before/after KV pairs | **auditlogs** only |
+| 2 — Resource / object | DNS query destination | Queried domain name | general | dns_name | high | `dns.question.name`, `dns.question.registered_domain`; `related.hosts` | **dnslogs** |
+| 2 — Resource / object | Web/URL destination | Requested URL / domain | general | url | high | `url.domain`, `url.path`, `url.original`, `url.scheme` | **proxylogs** |
+| 2 — Resource / object | Remote network peer / session endpoint | Destination host IP:port | host | — | high | `destination.ip`, `destination.port`, `destination.bytes`/`destination.packets` | **proxylogs**, **firewalllogs**/**cloudfirewalllogs**, **iplogs**, **intrusionlogs**, **dlplogs** (extended) |
+| 2 — Resource / object | Firewall / DNS / DLP / IPS policy rule | Matched rule | general | policy_rule | high | `rule.id` (**dnslogs**, **firewalllogs**/**cloudfirewalllogs**, **intrusionlogs**); `rule.name` (**dlplogs**) | Enforcement rule that acted on the request |
+| 2 — Resource / object | Sensitive file | Uploaded/inspected file | general | file | high | `file.name`, `file.hash.sha256`, `file.mime_type`, `file.size` | **proxylogs** (AMP), **dlplogs** |
+| 2 — Resource / object | Private ZTNA resource | Private application resource | general | private_resource | medium | `cisco.umbrella.private_resource_name`, `private_resource_group_name`, `private_app_id` | **dlplogs** extended fixture; **firewalllogs** when `private_flow: TRUE` |
+| 2 — Resource / object | Destination list / FQDN list | Umbrella destination list | general | 
destination_list | low | `cisco.umbrella.destination_lists_id`, `cisco.umbrella.fqdns` | **proxylogs**, **firewalllogs**/**cloudfirewalllogs**; sparse fixture coverage |
+| 3 — Content / artifact | IPS signature / CVE | Snort/Suricata-style alert | general | ips_signature | high | `cisco.umbrella.message`, `sid`, `gid`, `cves`, `classification`, `signature_list_id` | **intrusionlogs** |
+| 3 — Content / artifact | Malware / AMP verdict | File inspection result | general | malware_verdict | medium | `cisco.umbrella.amp_disposition`, `amp_malware_name`, `av_detections`, `sha_sha256` | **proxylogs** |
+| 3 — Content / artifact | DLP classifier match | Data identifier / classification | general | dlp_match | high | `cisco.umbrella.data_identifier`, `data_classification`, `file_label` | **dlplogs** |
+| 3 — Content / artifact | Config before/after state | Object state delta | general | config_delta | high | `cisco.umbrella.audit.before_values`/`after_values` | **auditlogs**; KV-parsed where possible; `global_settings` type skips KV |
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? 
| Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `observer.product` | 1 | service | yes | partial | context | no | Static `Umbrella` — enforcement platform, not remote SaaS target |
+| `cisco.umbrella.datacenter` | 1 | service | yes (vendor) | n/a | context | no | Processing POP (`ams1.edc`, `DEN1`) |
+| `network.application` | 1 | service | yes | yes | `service.target.name` | yes | **dlplogs**: `Dropbox` → `dropbox`; **firewalllogs** when present |
+| `cisco.umbrella.enforced_by` / `ftd_enforcement_*` | 1 | service | yes (vendor) | n/a | `service.target.name` | yes | **intrusionlogs** v2; FTD as enforcing component |
+| `cisco.umbrella.audit.type` | 2 | general (config object) | yes (vendor) | n/a | `entity.target.type` | yes | Canonical admin target class; no ECS equivalent |
+| `cisco.umbrella.audit.before_values` / `after_values` | 2–3 | general (config object) | yes (vendor) | partial | `entity.target.*` | yes | KV-parsed object state; `roamingdevices` deviceKey/label; `onpremlogentry` host uninstall blob poorly parsed |
+| `dns.question.name` / `dns.question.registered_domain` | 2 | general (dns_name) | yes | yes | context | no | **dnslogs**: queried name in `related.hosts` |
+| `url.domain` / `url.original` / `url.path` | 2 | general (url) | yes | yes | context | no | **proxylogs**: `uri_parts` from `url.original` |
+| `destination.ip` / `destination.port` / `destination.domain` | 2 | host | yes | yes (network context) | context | no | Remote peer across traffic streams — network session target, not audit `*.target.*` |
+| `rule.id` | 2 | general (policy_rule) | yes | yes | `entity.target.name` | yes | **dnslogs**, **firewalllogs**/**cloudfirewalllogs**, **intrusionlogs**, **proxylogs** (`ruleset_id` vendor-only) |
+| `rule.name` | 2 | general (policy_rule) | yes | yes | `entity.target.name` | yes | **dlplogs**: `rule-1` |
+| `file.name` / `file.hash.sha256` / `file.size` / `file.mime_type` | 2–3 | general (file) | yes | yes | 
`entity.target.name` | yes | **proxylogs**, **dlplogs** |
+| `cisco.umbrella.blocked_categories` / `categories` | 3 | general (content_category) | yes (vendor) | n/a | context | no | Umbrella content/security category labels |
+| `cisco.umbrella.message` / `sid` / `gid` / `cves` / `classification` | 3 | general (ips_signature) | yes (vendor) | n/a | context | no | **intrusionlogs** signature metadata |
+| `cisco.umbrella.amp_disposition` / `sha_sha256` / `av_detections` | 3 | general (malware_verdict) | yes (vendor) | n/a | context | no | **proxylogs** file inspection |
+| `cisco.umbrella.data_identifier` / `data_classification` / `file_label` | 3 | general (dlp_match) | yes (vendor) | n/a | `entity.target.name` | yes | **dlplogs** classifier match |
+| `cisco.umbrella.private_resource_name` / `private_app_id` | 2 | general (private_resource) | yes (vendor) | n/a | `entity.target.name` | yes | **dlplogs**, **firewalllogs** ZTNA context |
+| `cisco.umbrella.fqdns` / `destination_lists_id` | 2 | general (destination_list) | yes (vendor) | n/a | `entity.target.name` | yes | Parsed to arrays; limited fixture proof |
+| `cisco.umbrella.policy_resource_id` | 2 | general (policy_rule) | yes (vendor) | n/a | `entity.target.name` | yes | **intrusionlogs** IPS policy resource ID |
+
+### Gaps and mapping notes
+
+- **No official ECS target fields** — zero `*.target.*` mappings; aligns with target-fields-audit **strong_candidate** classification.
+- **`destination.*` is network context only** — unlike email/auth integrations, Umbrella uses `destination.ip`/`destination.port` for remote peers and resolved servers; no `destination.user.*`/`destination.host.*` usage (package absent from `destination_identity_hits.csv`). 
+- **Proxy `event.action` uses HTTP method, not verdict** — `proxy-request-GET` records the request verb while allow/block lives in `event.type` via `cisco.umbrella.action`; consider `proxy-request-{action}` prefix pattern for consistency with DNS/firewall streams.
+- **iplogs has no action** — IP-layer CSV schema lacks an action/verdict column; `event.type: connection` only — no enhancement candidate unless Umbrella adds action to schema.
+- **Proxy identity mapping gap** — singular `Roaming Computer` in vendor `identity_types` does not match pipeline's plural `Roaming Computers` check; `cisco.umbrella.identity` retains actor name but ECS `host.name`/`user.*` stay empty in **proxylogs** fixtures.
+- **`cisco.umbrella.identity` not promoted for iplogs/DLP** — **iplogs** retains identity string vendor-only; **dlplogs** has `file.owner` CSV column mapped to ECS but empty in fixtures.
+- **Audit target detail vendor-only** — `cisco.umbrella.audit.type` plus before/after blobs are the canonical admin targets; KV parsing fails for nested multiline values (`onpremlogentry`, `roamingdevices` delete) — highest-value enhancement source for `entity.target.*`.
+- **`source.ip` vs actor** — always present on traffic streams; correct as flow origin but must not override `user.*`/`host.name` when identity script populated (**dnslogs**).
+- **`organization.id` is tenancy scope** — not an actor; present on several log types for org context.
+- **No `cloud.service.name`** — Umbrella platform identified via `observer.product` only; SaaS targets live in `network.application` or `url.*` without ECS service-target mapping.
+- **`rule.id` vs `rule.name` split** — numeric rule IDs on DNS/firewall/IPS; named DLP rules on **dlplogs**; no unified ECS target rule field semantics.
+- **Secondary proxy actions unmapped** — `cisco.umbrella.file_action`, `isolate_action`, `amp_disposition` describe AMP/RBI outcomes but are not copied to `event.action`. 
+
+### Per-stream notes
+
+#### auditlogs
+
+True admin audit stream. Pipeline CSV-maps admin email/name, object type, action, client IP, before/after state; KV-parses before/after into `cisco.umbrella.audit.before_values`/`after_values` (skipped for `global_settings`). Fixtures: `logexportconfigurations` update (`version: 4` → `5`); `onpremlogentry` create (null admin, SYSTEM in after blob); `roamingdevices` delete (device config in `before_values`). `event.action` is the raw CSV verb (`create`/`update`/`delete`); `event.type` derived from action lowercase match.
+
+#### dnslogs
+
+Identity-aware DNS enforcement (`observer.type: dns`). Richest actor mapping — identity script populates `user.*`, `host.name`, or `network.name` from paired `identities`/`identity_types`. `event.action`: `dns-request-{Allowed|Blocked}` from `cisco.umbrella.action`. `dns.question.name` is primary target; blocked queries add `rule.id` and `cisco.umbrella.blocked_categories`. `source.ip`/`source.nat.ip` always present.
+
+#### proxylogs
+
+SWG/HTTP proxy access (`observer.type: proxy`). Session-centric; `source.ip`/`source.nat.ip` primary actor when identity ECS mapping fails. `event.action`: `proxy-request-{GET|HEAD|…}` from `http.request.method`; allow/block in `event.type` via `cisco.umbrella.action` (`ALLOWED`/`BLOCKED`). `url.*` from `uri_parts`; AMP/file fields (`file.name`, `cisco.umbrella.amp_disposition`, `sha_sha256`) as secondary targets. Identity singular/plural mismatch prevents `host.name` population despite `cisco.umbrella.identity: Elastic Machine`.
+
+#### firewalllogs / cloudfirewalllogs
+
+Layer-3/4 cloud firewall sessions (`observer.type: firewall`). Shared CSV ingest branch; **cloudfirewalllogs** fixtures in `test-umbrella-cloudfirewalllogs.log-expected.json`, **firewalllogs** deploy sample in `_dev/deploy/tf/files/test-umbrella-firewalllogs.log`. `event.action`: `fw-connection-{ALLOW|BLOCK}`. 
Actor via `source.*` and tunnel `network.name`; target via `destination.ip`/`destination.port` and `rule.id`. Extended v2 fields: `private_app_id`, `private_flow`, `posture_id`, `traffic_source`, `content_category_ids`.
+
+#### iplogs
+
+Simplified IP-layer connections (`observer.type: firewall`). Minimal schema — `cisco.umbrella.identity` vendor-only (`elasticuser`); actor/target are flow endpoints `source.ip`/`destination.ip` with `cisco.umbrella.categories` for classification. No `event.action` — CSV has no action column; `event.type: connection` only.
+
+#### intrusionlogs
+
+IPS/IDPS alerts (`observer.type: idps`, `event.kind: alert`). `event.action`: `ips-{Would-Block|…}` from `cisco.umbrella.action`. Flow endpoints plus signature metadata. v2 extended fields: `policy_resource_id`, `enforced_by`, `ftd_enforcement_id`/`ftd_enforcement_name`, `operation_mode`, `ips_config_id`, `egress`, `casi_category_ids`. `event.severity` mapped from vendor LOW/MEDIUM/HIGH/CRITICAL.
+
+#### dlplogs
+
+Data-loss-prevention blocks (`observer.type: dlp`, `event.category` includes `file`). `event.action`: `dlp-{BLOCK|…}` from `cisco.umbrella.action`. Weak human actor — `network.name` only; `file.owner` unpopulated in fixtures. Targets: file (`file.*`, `cisco.umbrella.file_label`), exfil channel (`network.application`, `url.*`), DLP rule (`rule.name`, `cisco.umbrella.data_identifier`). Extended fixture adds `private_resource_name`, `destination.ip`/`destination.port` for ZTNA/private-app DLP.
+
+## Example Event Graph
+
+Examples below come from the single `log` data stream (`cisco_umbrella.log`), parsed from S3 object paths **auditlogs**, **dnslogs**, and **intrusionlogs**. Only **auditlogs** is a true admin audit trail; DNS and IPS events are inline enforcement telemetry (audit-adjacent). 
+
+### Example 1: Admin updates log export configuration
+
+**Stream:** `cisco_umbrella.log` · **Fixture:** `packages/cisco_umbrella/data_stream/log/sample_event.json`
+
+```
+Administrator (admin@company.com) → update → logexportconfigurations
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | admin@company.com |
+| name | Administrator |
+| type | user |
+| ip | 81.2.69.144 |
+| geo | London, United Kingdom |
+
+**Field sources:**
+- `id` ← `user.id` / `user.email`
+- `name` ← `user.name`
+- `ip` ← `source.ip` (admin workstation; identity is in `user.*`, not source IP alone)
+- `geo` ← `source.geo.city_name`, `source.geo.country_name`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | update |
+| source_field | `event.action` |
+| source_value | update |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | logexportconfigurations |
+| name | logexportconfigurations |
+| type | general |
+| sub_type | configuration_object |
+
+**Field sources:**
+- `id` / `name` ← `cisco.umbrella.audit.type`
+- Object state delta in `cisco.umbrella.audit.after_values` (`includeAuditLog: 1`)
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: Administrator"] --> E["update"]
+ E --> T["Target: logexportconfigurations"]
+```
+
+### Example 2: AD user DNS query blocked
+
+**Stream:** `cisco_umbrella.log` · **Fixture:** `packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-dnslogs.log-expected.json` (event 2)
+
+```
+elasticuser @ elastic machine → dns-request-Blocked → elastic.co
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | elasticuser |
+| name | elasticuser |
+| type | user |
+| ip | 192.168.1.1 |
+
+**Field sources:**
+- `id` / `name` ← `user.name` (identity script maps `AD Users` → `user.*`)
+- Endpoint context: `host.name` = `elastic machine` ← identity script (`Roaming Computers`)
+- `ip` ← `source.ip` (client before Umbrella resolver NAT at `source.nat.ip`)
+
+#### Event action
+
+| Field | Value |
+| 
--- | --- |
+| action | dns-request-Blocked |
+| source_field | `event.action` |
+| source_value | dns-request-Blocked |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | elastic.co |
+| name | elastic.co |
+| type | general |
+| sub_type | dns_name |
+
+**Field sources:**
+- `id` / `name` ← `dns.question.name` (`elastic.co`)
+- Block context: `cisco.umbrella.blocked_categories` = `BlockedCategories`
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: elasticuser"] --> E["dns-request-Blocked"]
+ E --> T["Target: elastic.co"]
+```
+
+### Example 3: IPS signature match (would-block mode)
+
+**Stream:** `cisco_umbrella.log` · **Fixture:** `packages/cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-intrusionlogs.log-expected.json` (event 1)
+
+```
+172.17.3.4 → ips-Would-Block → 67.43.156.12:443
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | 172.17.3.4 |
+| type | host |
+| ip | 172.17.3.4 |
+
+**Field sources:**
+- `id` / `ip` ← `source.ip`, `source.port` (33010)
+- Tunnel identity context (not primary actor): `network.name` = `Firewall Tunnel 1` ← `cisco.umbrella.identities` / identity script (`Network Tunnels`)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | ips-Would-Block |
+| source_field | `event.action` |
+| source_value | ips-Would-Block |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 67.43.156.12 |
+| name | SERVER-ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt |
+| type | host |
+| ip | 67.43.156.12 |
+| geo | Bhutan |
+
+**Field sources:**
+- `id` / `ip` ← `destination.ip`, `destination.port` (443)
+- `name` ← `cisco.umbrella.message` (IPS signature description; `sid` 16606, `cves` cve-2009-1016)
+- `geo` ← `destination.geo.country_name`
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: 172.17.3.4"] --> E["ips-Would-Block"]
+ E --> T["Target: 67.43.156.12:443"]
+```
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (single `log` data stream, 
Tier A fixtures). Primary router: **`data_stream.dataset == "cisco_umbrella.log"`**; secondary discriminators: **`observer.type`** (`dns`, `proxy`, `firewall`, `idps`, `dlp`), **`event.category`** (`configuration` for auditlogs), and **`event.action`** prefixes (`dns-request-`, `proxy-request-`, `fw-connection-`, `ips-`, `dlp-`). Pass 4 is **fill-gaps-only**: detection flags (`actor_exists`, `target_exists`, `action_exists`) are query-time helpers; **mapped columns use column-level preserve** (` IS NOT NULL`) — not `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` — so one populated sibling (e.g. `user.id` on dnslogs) does not block `host.ip` / `entity.target.*` fallbacks on empty columns (Pass 4 §10). Ingest does not populate ECS `*.target.*` today; fallbacks promote vendor/de-facto fields (`cisco.umbrella.audit.type`, `dns.question.name`, `destination.ip`, `network.application`, `file.name`) into `entity.target.*`, `host.target.*`, and `service.target.*`. Eight S3 log categories share one dataset — no streams excluded; category guards replace per-stream datasets. 
+ +### Dataset inventory + +| data_stream.dataset | Stream role (`observer.type` / path) | Actor classification(s) | Target classification(s) | Extraction | +| --- | --- | --- | --- | --- | +| `cisco_umbrella.log` | DNS (`dns`) | user, host | general (dns_name) | partial | +| `cisco_umbrella.log` | SWG/proxy (`proxy`) | host | general (url), host (session peer) | partial | +| `cisco_umbrella.log` | Firewall / IP (`firewall`) | host | host (session peer) | partial | +| `cisco_umbrella.log` | IPS (`idps`) | host | host (session peer), general (ips_signature) | partial | +| `cisco_umbrella.log` | DLP (`dlp`) | general (network-segment) | general (file), service (application) | partial | +| `cisco_umbrella.log` | Admin audit (`configuration`) | user | general (configuration_object) | partial | + +### Field mapping plan + +#### Actor mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `user.id` | `user.id` (ingest) | `data_stream.dataset == "cisco_umbrella.log"` | high | **ingest-only — no ES\|QL** — auditlogs CSV; no alternate query-time source | +| `user.name` | `user.name` (ingest) | `data_stream.dataset == "cisco_umbrella.log"` | high | **ingest-only — no ES\|QL** — identity script + grok on dnslogs | +| `user.email` | `user.email` (ingest) | `data_stream.dataset == "cisco_umbrella.log"` | high | **ingest-only — no ES\|QL** — audit + dnslogs grok | +| `host.name` | `host.name` (ingest) | `data_stream.dataset == "cisco_umbrella.log"` | high | **ingest-only — no ES\|QL** — roaming/device identity script on dnslogs | +| `host.ip` | `host.ip` | `host.ip IS NOT NULL` | high | **preserve existing** — column-level | +| `host.ip` | `source.ip` | `data_stream.dataset == "cisco_umbrella.log" AND observer.type IN ("dns", "proxy", "firewall", "idps", "dlp") AND user.id IS NULL AND user.name IS NULL AND host.name IS NULL AND source.ip IS NOT NULL` | high | **vendor fallback** — flow origin when 
identity ECS empty (IPS, iplogs, proxy gap) | +| `entity.name` | `entity.name` | `entity.name IS NOT NULL` | high | **preserve existing** — column-level | +| `entity.name` | `network.name` | `data_stream.dataset == "cisco_umbrella.log" AND network.name IS NOT NULL AND user.id IS NULL AND user.name IS NULL AND host.name IS NULL` | medium | **vendor fallback** — site/tunnel segment actor (dlplogs, intrusion tunnel context) | +| `entity.type` | `entity.type` | `entity.type IS NOT NULL` | high | **preserve existing** — column-level | +| `entity.type` | literal `"network-segment"` | same as `entity.name` fallback row | medium | **semantic literal** — general actor classification | + +#### Target mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `entity.target.id` | `entity.target.id` | `entity.target.id IS NOT NULL` | high | **preserve existing** — column-level | +| `entity.target.id` | `cisco.umbrella.audit.type` | `data_stream.dataset == "cisco_umbrella.log" AND event.category == "configuration"` | high | **vendor fallback** — admin config object (Pass 3 Ex. 1) | +| `entity.target.name` | `entity.target.name` | `entity.target.name IS NOT NULL` | high | **preserve existing** — column-level | +| `entity.target.name` | `cisco.umbrella.audit.type` | `data_stream.dataset == "cisco_umbrella.log" AND event.category == "configuration"` | high | **vendor fallback** | +| `entity.target.sub_type` | `entity.target.sub_type` | `entity.target.sub_type IS NOT NULL` | high | **preserve existing** — column-level | +| `entity.target.sub_type` | literal `"configuration_object"` | `data_stream.dataset == "cisco_umbrella.log" AND event.category == "configuration"` | high | **semantic literal** | +| `entity.target.id` | `dns.question.name` | `data_stream.dataset == "cisco_umbrella.log" AND observer.type == "dns" AND dns.question.name IS NOT NULL` | high | **vendor fallback** — queried domain (Pass 3 Ex. 
2) | +| `entity.target.name` | `dns.question.name` | `data_stream.dataset == "cisco_umbrella.log" AND observer.type == "dns" AND dns.question.name IS NOT NULL` | high | **vendor fallback** | +| `entity.target.sub_type` | literal `"dns_name"` | `data_stream.dataset == "cisco_umbrella.log" AND observer.type == "dns"` | high | **semantic literal** | +| `host.target.ip` | `host.target.ip` | `host.target.ip IS NOT NULL` | high | **preserve existing** — column-level | +| `host.target.ip` | `destination.ip` | `data_stream.dataset == "cisco_umbrella.log" AND observer.type IN ("proxy", "firewall", "idps", "dlp") AND destination.ip IS NOT NULL` | high | **de-facto destination.*** — session peer (Pass 3 Ex. 3) | +| `host.target.name` | `host.target.name` | `host.target.name IS NOT NULL` | high | **preserve existing** — column-level | +| `host.target.name` | `cisco.umbrella.message` | `data_stream.dataset == "cisco_umbrella.log" AND observer.type == "idps" AND cisco.umbrella.message IS NOT NULL` | high | **vendor fallback** — IPS signature label alongside `host.target.ip` | +| `service.target.name` | `service.target.name` | `service.target.name IS NOT NULL` | high | **preserve existing** — column-level | +| `service.target.name` | `network.application` | `data_stream.dataset == "cisco_umbrella.log" AND network.application IS NOT NULL` | high | **vendor fallback** — SaaS channel (dlplogs `dropbox`) | +| `entity.target.name` | `file.name` | `data_stream.dataset == "cisco_umbrella.log" AND observer.type IN ("proxy", "dlp") AND file.name IS NOT NULL` | high | **vendor fallback** — inspected file | + +### Detection flags (mandatory — run first) + +`actor_exists` checks official actor ECS columns only — **`source.ip` is excluded** so flow-origin IP still falls through to `host.ip`. `target_exists` checks official `*.target.*` columns only (ingest does not populate them today). 
+
+**Semantics:** `actor_exists` / `target_exists` / `action_exists` are query-time helpers for documentation and optional downstream use. Actor/target **`EVAL` blocks use column-level preserve** (` IS NOT NULL`) — not `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` — so dnslogs `user.id` does not block `host.ip` ← `source.ip` when `host.ip` is empty, and one populated `entity.target.name` does not block `host.target.ip` / `service.target.name` fallbacks (Pass 4 §10).
+
+**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. Wrong: `CASE(user.name IS NOT NULL, user.name, user.full_name, null)` (4 args — 3rd arg is a **condition**). Right: **3-arg** `CASE(host.ip IS NOT NULL, host.ip, source.ip)` or **5-arg** `CASE(host.ip IS NOT NULL, host.ip, data_stream.dataset == "cisco_umbrella.log" AND source.ip IS NOT NULL, source.ip, null)`.
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+### Combined ES|QL — actor fields
+
+Ingest-populated `user.id`, `user.name`, `user.email`, and `host.name` are omitted here (no alternate query-time source).
+ +```esql +| EVAL + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "cisco_umbrella.log" AND observer.type IN ("dns", "proxy", "firewall", "idps", "dlp") AND user.id IS NULL AND user.name IS NULL AND host.name IS NULL AND source.ip IS NOT NULL, source.ip, + null + ), + entity.name = CASE( + entity.name IS NOT NULL, entity.name, + data_stream.dataset == "cisco_umbrella.log" AND network.name IS NOT NULL AND user.id IS NULL AND user.name IS NULL AND host.name IS NULL, network.name, + null + ), + entity.type = CASE( + entity.type IS NOT NULL, entity.type, + data_stream.dataset == "cisco_umbrella.log" AND network.name IS NOT NULL AND user.id IS NULL AND user.name IS NULL AND host.name IS NULL, "network-segment", + null + ) +``` + +### Combined ES|QL — target fields + +```esql +| EVAL + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "cisco_umbrella.log" AND event.category == "configuration" AND cisco.umbrella.audit.type IS NOT NULL, cisco.umbrella.audit.type, + data_stream.dataset == "cisco_umbrella.log" AND observer.type == "dns" AND dns.question.name IS NOT NULL, dns.question.name, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "cisco_umbrella.log" AND event.category == "configuration" AND cisco.umbrella.audit.type IS NOT NULL, cisco.umbrella.audit.type, + data_stream.dataset == "cisco_umbrella.log" AND observer.type == "dns" AND dns.question.name IS NOT NULL, dns.question.name, + data_stream.dataset == "cisco_umbrella.log" AND observer.type IN ("proxy", "dlp") AND file.name IS NOT NULL, file.name, + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "cisco_umbrella.log" AND event.category == "configuration", "configuration_object", + data_stream.dataset == "cisco_umbrella.log" AND observer.type == "dns", "dns_name", + data_stream.dataset == 
"cisco_umbrella.log" AND observer.type IN ("proxy", "dlp") AND file.name IS NOT NULL, "file", + null + ), + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset == "cisco_umbrella.log" AND observer.type IN ("proxy", "firewall", "idps", "dlp") AND destination.ip IS NOT NULL, destination.ip, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "cisco_umbrella.log" AND observer.type == "idps" AND cisco.umbrella.message IS NOT NULL, cisco.umbrella.message, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "cisco_umbrella.log" AND network.application IS NOT NULL, network.application, + null + ) +``` + +### Full pipeline fragment (optional) + +```esql +FROM logs-* +| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR host.name IS NOT NULL OR entity.name IS NOT NULL, + target_exists = entity.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR service.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +| EVAL + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "cisco_umbrella.log" AND observer.type IN ("dns", "proxy", "firewall", "idps", "dlp") AND user.id IS NULL AND user.name IS NULL AND host.name IS NULL AND source.ip IS NOT NULL, source.ip, + null + ), + entity.name = CASE( + entity.name IS NOT NULL, entity.name, + data_stream.dataset == "cisco_umbrella.log" AND network.name IS NOT NULL AND user.id IS NULL AND user.name IS NULL AND host.name IS NULL, network.name, + null + ), + entity.type = CASE( + entity.type IS NOT NULL, entity.type, + data_stream.dataset == "cisco_umbrella.log" AND network.name IS NOT NULL AND user.id IS NULL AND user.name IS NULL AND host.name IS NULL, "network-segment", + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "cisco_umbrella.log" AND 
event.category == "configuration" AND cisco.umbrella.audit.type IS NOT NULL, cisco.umbrella.audit.type, + data_stream.dataset == "cisco_umbrella.log" AND observer.type == "dns" AND dns.question.name IS NOT NULL, dns.question.name, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "cisco_umbrella.log" AND event.category == "configuration" AND cisco.umbrella.audit.type IS NOT NULL, cisco.umbrella.audit.type, + data_stream.dataset == "cisco_umbrella.log" AND observer.type == "dns" AND dns.question.name IS NOT NULL, dns.question.name, + data_stream.dataset == "cisco_umbrella.log" AND observer.type IN ("proxy", "dlp") AND file.name IS NOT NULL, file.name, + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "cisco_umbrella.log" AND event.category == "configuration", "configuration_object", + data_stream.dataset == "cisco_umbrella.log" AND observer.type == "dns", "dns_name", + data_stream.dataset == "cisco_umbrella.log" AND observer.type IN ("proxy", "dlp") AND file.name IS NOT NULL, "file", + null + ), + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset == "cisco_umbrella.log" AND observer.type IN ("proxy", "firewall", "idps", "dlp") AND destination.ip IS NOT NULL, destination.ip, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "cisco_umbrella.log" AND observer.type == "idps" AND cisco.umbrella.message IS NOT NULL, cisco.umbrella.message, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "cisco_umbrella.log" AND network.application IS NOT NULL, network.application, + null + ) +| KEEP @timestamp, data_stream.dataset, observer.type, event.action, user.id, user.name, host.ip, entity.name, entity.target.id, entity.target.name, host.target.ip, 
service.target.name
+```
+
+### Streams excluded
+
+*(none — single dataset; use `observer.type` / `event.category` guards per S3 log category)*
+
+### Gaps and limitations
+
+- **`user.id` / `user.name` / `user.email` / `host.name` actor EVAL omitted** — ingest-only; tautological `CASE(actor_exists, col, …, col, null)` removed per Pass 4 rule #10.
+- **Pass 4 CASE syntax (§10)** — actor/target `EVAL` use `CASE( IS NOT NULL, , …)` (5+ args with dataset guards); never `CASE(actor_exists, host.ip, …)` / `CASE(target_exists, host.target.ip, …)` when a sibling column sets the flag; pipeline fragment uses `IS NOT NULL` on fallback sources (`destination.ip`, `network.application`), not bare fields as 3rd args in 4-arg forms.
+- **`event.action` ES|QL block omitted** — seven categories already populate `event.action` at ingest; **iplogs** has no vendor action column (no defensible fallback).
+- **Proxy identity mapping gap** — singular `Roaming Computer` in vendor `identity_types` does not populate `host.name`; no defensible ES|QL fallback without ingest fix (`cisco.umbrella.identity` vendor-only).
+- **`url.*` targets** — SWG URL targets (`url.domain`, `url.original`) omitted; add `entity.target.*` when proxy URL normalization is required.
+- **`rule.id` / `rule.name`** — policy rule metadata omitted to avoid conflating with entity identity.
+- **`user.domain`** — not indexed; could derive from `user.email` when present.
+- **iplogs** — no `event.action`; actor/target are flow endpoints (`source.ip` / `destination.ip`) only.
+- **Audit SYSTEM actor** — null `user.*` on some creates; vendor blob only — omitted to avoid guessing.
+- **`entity.target.type` / `target.entity.type`** — omitted; `observer.type` + `entity.target.sub_type` literals are sufficient; never emit misnamed `target.entity.type`.
diff --git a/dev/domain/p1/citrix_waf.md b/dev/domain/p1/citrix_waf.md
new file mode 100644
index 00000000000..d5ad21a8825
--- /dev/null
+++ b/dev/domain/p1/citrix_waf.md
@@ -0,0 +1,496 @@
+# citrix_waf
+
+## Product Domain
+
+Citrix Web App Firewall (also known as NetScaler Web App Firewall or Citrix Application Firewall) is an enterprise web application firewall built into the Citrix ADC (Application Delivery Controller) platform, formerly branded as NetScaler. Rather than a standalone appliance, the WAF is a licensed feature of the ADC that inspects HTTP/HTTPS traffic at Layer 7 as part of the same platform that provides load balancing, SSL/TLS termination, and application delivery. Organizations deploy it in front of web applications, APIs, and internal web assets to filter malicious requests and responses before they reach backend servers.
+
+The WAF uses a hybrid security model combining negative controls (signature-based detection for known attacks such as SQL injection, cross-site scripting, and OWASP Top 10 threats) with positive controls (profiles and dynamic learning that define allowed application behavior and block deviations). Security is enforced through policies, profiles, and signature objects bound to protected virtual servers. Events are session-aware, tracking cookies, form fields, and per-session URLs, and can result in actions such as block, log, transform, or permit. The product is available across hardware, virtual (VPX), cloud, and containerized ADC form factors.
+
+Typical use cases include threat detection and response for web-based attacks, security posture assessment of WAF policy effectiveness, compliance and audit logging of web transactions, and operational troubleshooting to distinguish legitimate application issues from security-driven blocks. Security operations teams correlate WAF events with broader SIEM data to investigate blocked requests, tune policies, and maintain an audit trail of application-layer security activity.
+ +## Data Collected (brief) + +This integration collects Citrix Web App Firewall logs into a single **log** data stream via syslog (TCP or UDP) or log file input from Citrix ADC / NetScaler appliances. Logs are parsed from Common Event Format (CEF) or native Citrix format and include application firewall violations, signature matches, policy check results (e.g., start URL, field consistency, safe commerce), and audit events. Key fields cover security check names, WAF profile and session identifiers, event severity and action taken, HTTP request metadata (method, URL, request ID), client/source network details (IP, port, optional geolocation), and CEF device metadata. A pre-built Kibana dashboard provides overview visualizations for WAF activity. + +## Expected Audit Log Entities + +The integration has a single **log** data stream (`citrix_waf.log`) that ingests Citrix ADC / NetScaler syslog. **CEF APPFW** events (`citrix.cef_format: true`, `citrix.device_event_class_id: APPFW`) are the primary WAF audit trail — structured security-check violations with HTTP client, URL, profile, and enforcement action mapped to ECS. **Native-format** events cover the same APPFW checks plus audit-adjacent subsystems (SSL handshake logs, TCP connection lifecycle, ADC management **API**, and **AAA** authentication) where identity, action, and target details remain largely in `citrix.extended.message` / `citrix.detail` without ECS entity mapping. + +No ECS `*.target.*` fields are populated. `target-fields-audit` classifies this package as `none` (`target_enhancement_packages.csv`: no `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*`). The package does not appear in `destination_identity_hits.csv` — pipelines never set `destination.user.*` or `destination.host.*`. + +**Event action:** `event.action` is populated **only for CEF APPFW** events via CEF `act` (enforcement disposition: `blocked`, `not blocked`, `transformed`). 
All native-format subsystems (APPFW, SSLLOG, TCP, API, AAA) leave `event.action` empty; the best action candidates are `citrix.name` (native header event name) and, for native APPFW, the trailing enforcement token (``) in `citrix.extended.message`. The security-check identifier `citrix.name` (e.g. `APPFW_STARTURL`, `APPFW_SIGNATURE_MATCH`) is distinct from enforcement disposition and is not copied to `event.action` today. + +### Event action (semantic) + +WAF events carry two action dimensions: (1) **enforcement disposition** — what the WAF did to the request (`blocked`, `not blocked`, `transformed`); (2) **security check / event type** — which check or subsystem fired (`APPFW_STARTURL`, `SSL_HANDSHAKE_SUCCESS`, `CMD_EXECUTED`). Only dimension (1) maps to `event.action` today, and only on the CEF path. + +| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | +| `blocked` | detection | high | CEF `act=blocked` → `event.action: "blocked"` in `test-citrix-waf-cef.log-expected.json` (APPFW_STARTURL, APPFW_SIGNATURE_MATCH fixtures) | **log / CEF APPFW** | +| `not blocked` | detection | high | CEF `act=not blocked` → `event.action: "not blocked"` (APPFW_STARTURL, APPFW_FIELDCONSISTENCY, APPFW_SIGNATURE_MATCH fixtures) | **log / CEF APPFW** | +| `transformed` | configuration_change | high | CEF `act=transformed` → `event.action: "transformed"` (APPFW_SAFECOMMERCE, APPFW_SAFECOMMERCE_XFORM fixtures) | **log / CEF APPFW** | +| `APPFW_STARTURL` | detection | high | CEF header `citrix.name: "APPFW_STARTURL"` in all STARTURL fixtures; not mapped to `event.action` | **log / CEF APPFW** — security check name, not enforcement | +| `APPFW_FIELDCONSISTENCY` | detection | high | CEF `citrix.name: "APPFW_FIELDCONSISTENCY"` | **log / CEF APPFW** | +| `APPFW_SAFECOMMERCE` / `APPFW_SAFECOMMERCE_XFORM` | detection | high | CEF `citrix.name` in SAFECOMMERCE fixtures | **log / CEF APPFW** | +| `APPFW_SIGNATURE_MATCH` | 
detection | high | CEF `citrix.name: "APPFW_SIGNATURE_MATCH"` + `citrix.signature_violation_category` | **log / CEF APPFW** | +| `APPFW_cross-site scripting` (native) | detection | medium | `citrix.name: "APPFW_cross-site scripting"` in native APPFW XSS fixture; extended message ends with `` | **log / native APPFW** — check name + inline enforcement token | +| `SSL_HANDSHAKE_SUCCESS` | data_access | high | `citrix.name: "SSL_HANDSHAKE_SUCCESS"` in native SSLLOG fixture | **log / native SSLLOG** | +| `CONN_DELINK` / `CONN_TERMINATE` | data_access | high | `citrix.name` in native TCP fixtures (`CONN_DELINK`, `CONN_TERMINATE`) | **log / native TCP** — connection lifecycle, not security enforcement | +| `CMD_EXECUTED` | administration | high | `citrix.name: "CMD_EXECUTED"`; extended message `Command "logout"` in API fixture | **log / native API** | +| Authentication rejected (AAA) | authentication | low | Extended message `"Authentication is rejected for sshah …"` in AAA fixture; `citrix.name` is generic `Message` | **log / native AAA** — auth outcome in free text, not structured action field | + +### Event action (ECS candidates) + +| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | +| `citrix.extended_kv.act` → `event.action` | yes (CEF APPFW only) | yes | `blocked`, `not blocked`, `transformed` | no | `cef.yml` L61–65: `act` rename to `event.action`; all 10 CEF fixtures in `test-citrix-waf-cef.log-expected.json` and `sample_event.json` | +| `citrix.name` (CEF header) | no | n/a | `APPFW_STARTURL`, `APPFW_FIELDCONSISTENCY`, `APPFW_SIGNATURE_MATCH`, `APPFW_SAFECOMMERCE`, `APPFW_SAFECOMMERCE_XFORM` | yes — copy as secondary action or `event.type`/`rule.name` enrichment | CEF dissect in `cef.yml` L12; populated in all CEF fixtures; identifies security check, not enforcement | +| `citrix.name` (native header) | no | n/a | `APPFW_cross-site scripting`, `SSL_HANDSHAKE_SUCCESS`, `CONN_DELINK`, `CONN_TERMINATE`, `CMD_EXECUTED`, `Message` | yes — primary native action candidate | `native.yml` L23 grok → `citrix.name`; all native fixtures | +| `citrix.extended.message` enforcement token (native APPFW) | no | n/a | `blocked` (from trailing ``) | yes — parse and map to `event.action` for parity with CEF | Native APPFW XSS fixture: `…"Bad tag: script" ` | +| `citrix.extended.message` Command (native API) | no | n/a | `logout` (from `Command "logout"`) | yes — alternative to `citrix.name` for API events | Native API fixture: `Command "logout" - Status "Success"` | +| `citrix.extended.message` auth text (native AAA) | no | n/a | `authentication-rejected` (inferred from message text) | yes — requires grok/dissect; low confidence due to generic `citrix.name: Message` | AAA rejection fixture: `"Authentication is rejected for sshah …"` | +| `http.request.method` | no | n/a | `GET` | no — HTTP method is request context, not WAF action | CEF only; `cef.yml` L48–53 | +| `event.type`, `event.category` | no | n/a | — | no | Not set in any pipeline or fixture | + +**Per-stream action summary (Step 2b):** + +| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? 
| Primary action candidate | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| log / CEF APPFW | yes | yes | `citrix.extended_kv.act` | high | `blocked`, `not blocked`, `transformed` in all CEF fixtures | +| log / native APPFW | no | no | `citrix.name` + `` in `citrix.extended.message` | medium | `APPFW_cross-site scripting`, trailing `` | +| log / native SSLLOG | no | no | `citrix.name` | high | `SSL_HANDSHAKE_SUCCESS` | +| log / native TCP | no | no | `citrix.name` | high | `CONN_DELINK`, `CONN_TERMINATE` | +| log / native API | no | no | `citrix.name` (`CMD_EXECUTED`) or `Command` in extended message | high | `CMD_EXECUTED`, `Command "logout"` | +| log / native AAA | no | no | auth outcome text in `citrix.extended.message` | low | `"Authentication is rejected for sshah …"`; `citrix.name: Message` | + +### Actor (semantic) + +| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | +| HTTP client (WAF violator) | host | — | high | CEF `src`/`spt` → `source.ip`/`source.port` (`cef.yml`); all 10 CEF fixtures in `test-citrix-waf-cef.log-expected.json` and `sample_event.json` (e.g. `source.ip: "175.16.199.1"`, `source.port: 54711`) | **log / CEF APPFW** only | +| HTTP client (native APPFW) | host | — | medium | Client IP embedded in `citrix.extended.message` (e.g. 
`175.16.199.1` leading token in native APPFW XSS fixture); `native.yml` does not map to `source.*` | **log / native APPFW** | +| TLS client | host | — | medium | `ClientIP 172.25.184.157` in `citrix.extended.message` (`test-citrix-waf-native.log-expected.json`, `SSLLOG SSL_HANDSHAKE_SUCCESS`) | **log / native SSLLOG** | +| TCP connection initiator | host | — | medium | `Source 192.168.10.10:52187` in extended message (`TCP CONN_DELINK` fixture) | **log / native TCP** | +| ADC administrator (API caller) | user | — | high | `User - ADM_User` in extended message (`API CMD_EXECUTED` fixture) | **log / native API** | +| Authenticating user (AAA rejection) | user | — | low | Username `sshah` in free text: `"Authentication is rejected for sshah (client ip : 81.2.69.144 …)"` (`AAA Message` fixture) | **log / native AAA** (some AAA messages have no user actor, e.g. `sslvpn_aaad_login_handler`) | +| Anonymous HTTP session | general | session | high | `citrix.session_id` ← CEF `cs3` (e.g. `IliG4Dxp1SjOhKVRDVBXmqvAaIcA000` in `sample_event.json`); session cookie ID, not a named principal | **log / CEF APPFW** | + +**Not an actor:** `client.ip` is the syslog-sending ADC appliance IP parsed from the syslog header (`default.yml` grok `%{IP:client.ip:ip}`), not the HTTP/TLS client. `citrix.host` is the ADC hostname in native headers. `citrix.ppe_id` identifies the packet-processing engine, not a security principal. + +### Actor (ECS candidates) + +| ECS / vendor field | Role | Mapped today? | Mapping correct? 
| Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `source.ip` | HTTP client IP (WAF actor) | yes (CEF only) | yes | high | `cef.yml`: `citrix.extended_kv.src` → `source.ip`; populated in all CEF fixtures, absent in native APPFW fixtures | +| `source.port` | HTTP client port | yes (CEF only) | yes | high | `cef.yml`: `citrix.extended_kv.spt` → `source.port` | +| `source.geo.*`, `source.as.*` | Geo/ASN enrichment of HTTP client | yes (CEF only) | yes | high | `default.yml` geoip on `source.ip` after CEF pipeline | +| `client.ip` | Syslog sender (ADC appliance) | yes | n/a | high | `default.yml` grok; always `81.2.69.144` in fixtures — collector context, not WAF actor | +| `client.geo.*`, `client.as.*` | Geo/ASN of ADC syslog sender | yes | n/a | high | `default.yml` geoip on `client.ip` | +| `citrix.session_id` | Anonymous HTTP session identifier | yes (CEF only) | yes | high | `cef.yml`: `cs3` → `citrix.session_id`; vendor-only, not mapped to ECS user | +| `citrix.extended.message` | Unstructured actor hints (native) | yes (native) | n/a | medium | Native APPFW client IP, API `User - ADM_User`, AAA username, SSL `ClientIP`, TCP `Source` — all vendor-only | +| `citrix.host` | ADC hostname (log source) | yes (native) | n/a | high | Parsed in `native.yml` HEADER grok; observer context, not event actor | +| `user.*`, `source.user.*`, `client.user.*` | — | no | n/a | — | Declared in `ecs.yml` but never populated in `sample_event.json` or pipeline fixtures | + +### Target (semantic) + +| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | --- | --- | +| 1 — Platform / appliance | Citrix ADC WAF subsystem enforcing the check | Citrix NetScaler Application Firewall (`APPFW`) | service | — | high | CEF header: `citrix.device_product: "NetScaler"`, `citrix.device_event_class_id: "APPFW"`, `citrix.device_vendor: "Citrix"`; native APPFW same class ID | CEF 
+ native APPFW | +| 1 — Platform / appliance | ADC SSL termination subsystem | SSL virtual server / TLS endpoint | service | — | medium | `VserverServiceIP 10.254.14.94 - VserverServicePort 443` in native SSLLOG extended message | **log / native SSLLOG** | +| 1 — Platform / appliance | ADC management plane | Citrix ADC REST/API | service | — | high | `device_event_class_id: API`, `Command "logout"` in extended message | **log / native API** | +| 1 — Platform / appliance | ADC authentication virtual server | AAA vserver | service | — | medium | `vserver ip: 192.168.10.10` in AAA rejection message | **log / native AAA** | +| 2 — Resource / object | Protected web application (virtual server + URL) | Backend web app at requested URL | service | — | high | CEF: `url.domain`, `url.path`, `url.scheme` from `request` via `cef.yml` + `uri_parts` in `default.yml` (e.g. `url.domain: "vpx247.example.net"`, `url.path: "/FFC/login_post.html"`) | **log / CEF APPFW** | +| 2 — Resource / object | Protected web application (native) | Request URL in unstructured message | service | — | medium | `http://aaron.stratum8.net/FFC/login.php?…` in native APPFW extended message; not parsed to `url.*` | **log / native APPFW** | +| 2 — Resource / object | WAF security profile / policy | Named WAF profile bound to vserver | general | waf_profile | high | `citrix.profile_name` ← CEF `cs1` (e.g. `"profile1"`, `"pr_ffc"`) | **log / CEF APPFW** | +| 2 — Resource / object | WAF security check | Named check that fired | general | security_check | high | `citrix.name` (e.g. 
`APPFW_STARTURL`, `APPFW_SIGNATURE_MATCH`, `APPFW_FIELDCONSISTENCY`) | CEF + native APPFW |
+| 2 — Resource / object | Signature violation category | Signature rule grouping | general | signature_category | high | `citrix.signature_violation_category` ← CEF `cs6` (signature-match events in CEF fixtures) | **log / CEF APPFW** (signature events) |
+| 2 — Resource / object | ADC virtual server (TCP) | Front-end vserver IP:port | service | — | medium | `Vserver 81.2.69.144:80` in native TCP `CONN_DELINK` extended message | **log / native TCP** |
+| 2 — Resource / object | Backend server (TCP) | Destination endpoint behind ADC | host | — | medium | `Destination 192.168.10.51:35341` in native TCP `CONN_TERMINATE` extended message | **log / native TCP** |
+| 3 — Content / artifact | HTTP transaction instance | Specific request being inspected | general | http_transaction | high | `http.request.id` ← CEF `cn2`, `http.request.method` ← CEF `method` | **log / CEF APPFW** |
+| 3 — Content / artifact | Violation detail message | Human-readable check failure text | general | violation_message | high | `message` ← CEF `msg` (e.g. `"Disallow Illegal URL."`, `"Field consistency check failed for field passwd"`) | **log / CEF APPFW** |
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `url.original`, `url.domain`, `url.path`, `url.scheme`, `url.query` | 2 | service | yes (CEF only) | yes | context-only (`url.*` is request target, not `service.target.*`) | yes → `service.target.entity.id` or dedicated URL target field | `cef.yml` `request` → `url.original`; `default.yml` `uri_parts`; e.g.
`url.domain: "aaron.stratum8.net"` in CEF fixtures |
+| `citrix.profile_name` | 2 | general (waf_profile) | yes (CEF only) | yes | n/a (vendor-only) | yes → `service.target.name` or custom entity | `cef.yml`: `cs1` → `citrix.profile_name` |
+| `citrix.name` | 2 | general (security_check) | yes | yes | n/a (vendor-only) | yes → could enrich `event.action` (check name) or rule metadata | CEF dissect + native grok; e.g. `APPFW_SIGNATURE_MATCH`, `APPFW_cross-site scripting` |
+| `citrix.signature_violation_category` | 2 | general (signature_category) | yes (CEF only) | yes | n/a (vendor-only) | yes → rule/threat taxonomy field | `cef.yml`: `cs6` → `citrix.signature_violation_category` |
+| `http.request.id`, `http.request.method` | 3 | general (http_transaction) | yes (CEF only) | yes | context-only | no | `cef.yml`: `cn2` → `http.request.id`, `method` → `http.request.method` |
+| `message` | 3 | general (violation_message) | yes (CEF only) | yes | context-only | no | `cef.yml`: `msg` → `message` |
+| `citrix.device_product`, `citrix.device_event_class_id` | 1 | service | yes | yes | context-only | no | CEF dissect header fields; identify NetScaler APPFW subsystem |
+| `citrix.extended.message` (native URL/vserver) | 2 | service / host | yes (native) | n/a | n/a (unparsed) | yes — parse native APPFW URL to `url.*`; TCP Destination/Vserver to `destination.*` or `host.target.*` | Native fixtures: APPFW URL, SSL vserver IP, TCP Source/Destination/Vserver all vendor-only |
+| `destination.*`, `user.target.*`, `host.target.*`, `service.target.*` | — | — | no | n/a | — | n/a | Not set in any pipeline; `target_enhancement_packages.csv`: `citrix_waf,none` |
+
+### Gaps and mapping notes
+
+- **CEF vs native split:** Only CEF APPFW events get structured ECS actor (`source.ip`/`source.port`), target (`url.*`, `http.request.*`), and action (`event.action`) fields.
Native APPFW, SSL, TCP, API, and AAA events retain identity and action in `citrix.extended.message` — the richest source for enhancement but unparsed today.
+- **`event.action` gaps:** CEF APPFW maps enforcement disposition (`blocked`, `not blocked`, `transformed`) correctly via `act`. Native subsystems have no `event.action` — recommend mapping `citrix.name` as primary candidate (`SSL_HANDSHAKE_SUCCESS`, `CMD_EXECUTED`, `CONN_DELINK`); for native APPFW, also parse trailing `` / enforcement token for parity with CEF. Security check name (`citrix.name` e.g. `APPFW_STARTURL`) is not copied to `event.action` on any path — consider as complementary field or rule metadata, not a replacement for enforcement disposition.
+- **No official ECS target fields:** Protected application URL (`url.*`) and WAF profile (`citrix.profile_name`) semantically represent targets but sit in context/vendor namespaces. No `*.target.*` or `destination.*` mapping exists; aligns with `target_enhancement_packages.csv` (`none`).
+- **`client.ip` conflation risk:** Always the ADC syslog sender, not the HTTP client. Analysts must use `source.ip` (CEF) or parse `citrix.extended.message` (native) for the true WAF actor endpoint.
+- **Admin/API actor unmapped:** Native `API CMD_EXECUTED` exposes `User - ADM_User` in vendor message with no `user.name` mapping — enhancement candidate for ADC admin audit correlation.
+- **AAA dual semantics:** Some AAA messages name a user actor (`sshah` rejection); others are subsystem diagnostics (`sslvpn_aaad_login_handler`, `ns_aaa_login_handler`) with no distinct actor beyond the ADC itself. Auth outcome is action-relevant but only in free text.
+- **TCP native events:** `Source`/`Destination`/`Vserver` in extended message are network-session peers and virtual-server endpoints — could map to `source.*`/`destination.*` for session telemetry but are not audit-target fields today.
+- **ECS declarations without population:** `ecs.yml` lists `user.*`, `source.user.*`, `client.user.*`, `server.*`, and `observer.*` but no pipeline step or fixture populates them for this package.
+
+### Per-stream notes
+
+**log / CEF APPFW** — Primary WAF audit path. Nine distinct security checks in fixtures: `APPFW_STARTURL`, `APPFW_FIELDCONSISTENCY`, `APPFW_SAFECOMMERCE`, `APPFW_SIGNATURE_MATCH`, `APPFW_SAFECOMMERCE_XFORM`. Actor = HTTP client at `source.ip`; target Layer 2 = `url.*` + `citrix.profile_name`; Layer 3 = `http.request.id` + `message`. Action = `event.action` enforcement disposition (`blocked`, `not blocked`, `transformed`); security check name in `citrix.name` (not mapped to `event.action`).
+
+**log / native APPFW** — Same WAF semantics as CEF but unstructured. Actor host IP and target URL only in `citrix.extended.message`. No `source.ip`, `url.*`, or `event.action` in fixtures. Action candidates: `citrix.name` (`APPFW_cross-site scripting`) + `` enforcement token in extended message.
+
+**log / native SSLLOG, TCP** — Connection/session telemetry (TLS handshake success, connection delink/terminate). Audit-adjacent; actor/target identity in extended message only (`ClientIP`, `VserverServiceIP`, `Source`, `Destination`). Action candidate: `citrix.name` (`SSL_HANDSHAKE_SUCCESS`, `CONN_DELINK`, `CONN_TERMINATE`).
+
+**log / native API, AAA** — ADC management and authentication audit-adjacent logs. API events have a clear **user** admin actor in vendor text; action candidate `citrix.name: CMD_EXECUTED` or `Command "logout"`. AAA mix of user rejection events and subsystem handler messages; action only in free text (`Authentication is rejected for sshah`).
+
+## Example Event Graph
+
+Examples below come from the single `citrix_waf.log` data stream.
CEF APPFW events are true WAF audit logs with structured ECS actor, action, and target fields; native-format subsystems (APPFW, API, AAA, SSL, TCP) are audit-adjacent and retain identity in `citrix.extended.message`.
+
+### Example 1: CEF start-URL violation (logged, not blocked)
+
+**Stream:** `citrix_waf.log` · **Fixture:** `packages/citrix_waf/data_stream/log/sample_event.json`
+
+```
+HTTP client (175.16.199.1) → not blocked → vpx247.example.net/FFC/login_post.html
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | 175.16.199.1 |
+| type | host |
+| geo | Changchun, CN |
+| ip | 175.16.199.1 |
+
+**Field sources:**
+
+- `id ← source.ip`
+- `geo ← source.geo.city_name, source.geo.country_name`
+- `ip ← source.ip`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | not blocked |
+| source_field | `event.action` |
+| source_value | not blocked |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 535 |
+| name | vpx247.example.net/FFC/login_post.html |
+| type | service |
+| sub_type | protected_web_app |
+
+**Field sources:**
+
+- `id ← http.request.id`
+- `name ← url.domain, url.path`
+- `sub_type ← semantic (protected web application behind WAF virtual server)`
+
+#### Mermaid (optional)
+
+```mermaid
+flowchart LR
+ A["Actor: 175.16.199.1"] --> E["not blocked"]
+ E --> T["Target: vpx247.example.net/FFC/login_post.html"]
+```
+
+### Example 2: CEF signature match (blocked)
+
+**Stream:** `citrix_waf.log` · **Fixture:** `packages/citrix_waf/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json` (APPFW_SIGNATURE_MATCH, `act=blocked`)
+
+```
+HTTP client (175.16.199.1) → blocked → aaron.stratum8.net/FFC/wwwboard/passwd.txt
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | 175.16.199.1 |
+| type | host |
+| geo | Changchun, CN |
+| ip | 175.16.199.1 |
+
+**Field sources:**
+
+- `id ← source.ip`
+- `geo ← source.geo.city_name, source.geo.country_name`
+- `ip ← source.ip`
+
+#### Event action
+
+|
Field | Value |
+| --- | --- |
+| action | blocked |
+| source_field | `event.action` |
+| source_value | blocked |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 841 |
+| name | aaron.stratum8.net/FFC/wwwboard/passwd.txt |
+| type | service |
+| sub_type | protected_web_app |
+
+**Field sources:**
+
+- `id ← http.request.id`
+- `name ← url.domain, url.path`
+- `sub_type ← semantic (protected web application; signature category `web-cgi` in `citrix.signature_violation_category` describes the matched rule, not the target entity)`
+
+#### Mermaid (optional)
+
+```mermaid
+flowchart LR
+ A["Actor: 175.16.199.1"] --> E["blocked"]
+ E --> T["Target: aaron.stratum8.net/FFC/wwwboard/passwd.txt"]
+```
+
+### Example 3: Native API admin command (audit-adjacent)
+
+**Stream:** `citrix_waf.log` · **Fixture:** `packages/citrix_waf/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json` (API CMD_EXECUTED)
+
+```
+ADC administrator (ADM_User) → CMD_EXECUTED → Citrix ADC management API
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| name | ADM_User |
+| type | user |
+
+**Field sources:**
+
+- `name ← citrix.extended.message` (`User - ADM_User`; not mapped to `user.name` today)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | CMD_EXECUTED |
+| source_field | `citrix.name` |
+| source_value | CMD_EXECUTED |
+
+Action derived from native header event name; **not mapped to ECS `event.action` today**. The executed command (`logout`) appears only in `citrix.extended.message`.
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| name | Citrix ADC management API |
+| type | service |
+
+**Field sources:**
+
+- `name ← semantic (citrix.device_event_class_id: API; Command "logout" in citrix.extended.message)`
+
+#### Mermaid (optional)
+
+```mermaid
+flowchart LR
+ A["Actor: ADM_User"] --> E["CMD_EXECUTED"]
+ E --> T["Target: Citrix ADC management API"]
+```
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (single `log` data stream, Tier A fixtures). Router: `data_stream.dataset == "citrix_waf.log"`. Secondary discriminators: `citrix.cef_format`, `citrix.device_event_class_id`, `citrix.name`. **CEF APPFW** events already populate `source.ip`, `url.*`, `http.request.*`, and `event.action` (enforcement disposition); Pass 4 fills normalized `host.*` / `*.target.*` columns without overwriting ingest values. **Native-format** subsystems (APPFW, SSL, TCP, API, AAA) get partial fallbacks only where fixtures support a field path or Pass 3 semantic literals apply. **Pass 4 (tautology cleanup):** mapped columns use **column-level** `CASE( IS NOT NULL, , fallback, null)` — not `CASE(actor_exists, host.ip, …, host.ip, null)` when `actor_exists` is true from `source.ip` while `host.ip` is still empty (Pass 4 §10). No ECS `*.target.*` at ingest; preserve branches use per-column `IS NOT NULL`, not blind `target_exists` on empty target columns.
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `citrix_waf.log` (CEF APPFW) | WAF audit | host | service (protected URL) | full |
+| `citrix_waf.log` (native API) | admin audit-adjacent | user | service | partial |
+| `citrix_waf.log` (native APPFW/SSL/TCP/AAA) | telemetry / auth-adjacent | host, user | service, host | partial / none |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `host.ip` | `source.ip` | `data_stream.dataset == "citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true AND source.ip IS NOT NULL AND host.ip IS NULL` | high | **vendor fallback** — HTTP client indexed as `source.ip` (CEF `src`); column-level preserve on `host.ip` |
+| `user.name` | `"ADM_User"` | `data_stream.dataset == "citrix_waf.log" AND citrix.name == "CMD_EXECUTED" AND user.name IS NULL` | low | **semantic literal** — native API fixture only; username not in `user.name` today |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `service.target.id` | `http.request.id` | `data_stream.dataset == "citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true AND http.request.id IS NOT NULL AND service.target.id IS NULL` | high | **vendor fallback** — Pass 3 Example 1–2; no ingest `*.target.*` |
+| `service.target.name` | `CONCAT(url.domain, url.path)` | `data_stream.dataset == "citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true AND url.domain IS NOT NULL AND service.target.name IS NULL` | high | **vendor fallback** — protected web app (domain + path) |
+| `service.target.name` | `"Citrix ADC management API"` | `data_stream.dataset == "citrix_waf.log" AND citrix.device_event_class_id == "API" AND service.target.name IS NULL` | low
| **semantic literal** — Pass 3 Example 3 |
+| `service.target.name` | `"Citrix NetScaler APPFW"` | `data_stream.dataset == "citrix_waf.log" AND citrix.device_event_class_id == "APPFW" AND (citrix.cef_format IS NULL OR TO_BOOLEAN(citrix.cef_format) == false) AND service.target.name IS NULL` | low | **semantic literal** — native APPFW subsystem (Layer 1) |
+| `entity.target.type` | `"service"` | `data_stream.dataset == "citrix_waf.log" AND (TO_BOOLEAN(citrix.cef_format) == true OR citrix.device_event_class_id IN ("API", "APPFW")) AND entity.target.type IS NULL` | medium | classification helper — column-level preserve |
+| `entity.target.sub_type` | `"protected_web_app"` | `data_stream.dataset == "citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true AND url.domain IS NOT NULL AND entity.target.sub_type IS NULL` | low | **semantic literal** — Pass 3 CEF WAF examples |
+
+#### Event action mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `event.action` | `event.action` | `event.action IS NOT NULL` | high | **preserve existing** — CEF `act` → `event.action` at ingest |
+| `event.action` | `citrix.name` | `data_stream.dataset == "citrix_waf.log" AND (citrix.cef_format IS NULL OR TO_BOOLEAN(citrix.cef_format) == false) AND citrix.name IS NOT NULL AND event.action IS NULL` | high | **vendor fallback** — native subsystems only; never replace CEF enforcement disposition |
+
+### Detection flags (mandatory — run first)
+
+`actor_exists` includes `source.ip` because this integration maps the HTTP client to `source.*`, not `host.ip`, at ingest time. Mapped actor/target/action columns below use **column-level** `IS NOT NULL` preserve (Pass 4 §10), not blind `CASE(actor_exists, host.ip, …)` when `source.ip` alone is set.
+
+**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default.
Wrong: `CASE(host.ip IS NOT NULL, host.ip, source.ip, null)` (4 args — `source.ip` is a **condition**, not a value). Wrong: `CASE(actor_exists, host.ip, source.ip, null)` (same). Right: **5-arg** `CASE(host.ip IS NOT NULL, host.ip, data_stream.dataset == "citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true AND source.ip IS NOT NULL, source.ip, null)`. **9-arg** when multiple target fallbacks apply (`service.target.name`). Do not use `CASE(actor_exists|target_exists|action_exists, , …)` as the first branch on mapped columns.
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR source.ip IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL
+ OR entity.target.type IS NOT NULL OR entity.target.sub_type IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+### Combined ES|QL — actor fields
+
+```esql
+| EVAL
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true AND source.ip IS NOT NULL, source.ip,
+ null
+ ),
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset == "citrix_waf.log" AND citrix.name == "CMD_EXECUTED", "ADM_User",
+ null
+ )
+```
+
+### Combined ES|QL — event action
+
+```esql
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "citrix_waf.log" AND (citrix.cef_format IS NULL OR TO_BOOLEAN(citrix.cef_format) == false) AND citrix.name IS NOT NULL, citrix.name,
+ null
+ )
+```
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ service.target.id = CASE(
+ service.target.id IS NOT NULL, service.target.id,
+ data_stream.dataset == "citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true AND http.request.id IS NOT NULL, http.request.id,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true AND url.domain IS NOT NULL, CONCAT(url.domain, url.path),
+ data_stream.dataset == "citrix_waf.log" AND citrix.device_event_class_id == "API", "Citrix ADC management API",
+ data_stream.dataset == "citrix_waf.log" AND citrix.device_event_class_id == "APPFW" AND (citrix.cef_format IS NULL OR TO_BOOLEAN(citrix.cef_format) == false), "Citrix NetScaler APPFW",
+ null
+ ),
+ entity.target.type = CASE(
+ entity.target.type IS NOT NULL, entity.target.type,
+ data_stream.dataset == "citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true, "service",
+ data_stream.dataset == "citrix_waf.log" AND citrix.device_event_class_id IN ("API", "APPFW"), "service",
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true AND url.domain IS NOT NULL, "protected_web_app",
+ null
+ )
+```
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR source.ip IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR
service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL
+ OR entity.target.type IS NOT NULL OR entity.target.sub_type IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true AND source.ip IS NOT NULL, source.ip,
+ null
+ ),
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset == "citrix_waf.log" AND citrix.name == "CMD_EXECUTED", "ADM_User",
+ null
+ ),
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "citrix_waf.log" AND (citrix.cef_format IS NULL OR TO_BOOLEAN(citrix.cef_format) == false) AND citrix.name IS NOT NULL, citrix.name,
+ null
+ ),
+ service.target.id = CASE(
+ service.target.id IS NOT NULL, service.target.id,
+ data_stream.dataset == "citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true AND http.request.id IS NOT NULL, http.request.id,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true AND url.domain IS NOT NULL, CONCAT(url.domain, url.path),
+ data_stream.dataset == "citrix_waf.log" AND citrix.device_event_class_id == "API", "Citrix ADC management API",
+ data_stream.dataset == "citrix_waf.log" AND citrix.device_event_class_id == "APPFW" AND (citrix.cef_format IS NULL OR TO_BOOLEAN(citrix.cef_format) == false), "Citrix NetScaler APPFW",
+ null
+ ),
+ entity.target.type = CASE(
+ entity.target.type IS NOT NULL, entity.target.type,
+ data_stream.dataset == "citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true, "service",
+ data_stream.dataset == "citrix_waf.log" AND citrix.device_event_class_id IN ("API", "APPFW"), "service",
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset ==
"citrix_waf.log" AND TO_BOOLEAN(citrix.cef_format) == true AND url.domain IS NOT NULL, "protected_web_app", + null + ) +| KEEP @timestamp, data_stream.dataset, event.action, citrix.name, host.ip, source.ip, service.target.id, service.target.name, entity.target.type, entity.target.sub_type, message +``` + +### Streams excluded + +*(none — single `citrix_waf.log` dataset; native APPFW/SSL/TCP/AAA lack structured fields for full extraction — see Gaps)* + +### Gaps and limitations + +- **Native APPFW/SSL/TCP/AAA** — actor/target identity in unparsed `citrix.extended.message`; no fixture-grounded ES|QL paths except `citrix.name` → `event.action` and API/APPFW semantic `service.target.name` literals. +- **`citrix.profile_name`** — WAF profile target (Pass 2 Layer 2) omitted when `url.*` is present to avoid competing with Pass 3 protected-URL target on the same event. +- **`citrix.name` on CEF** — security check name; must not replace ingest `event.action` (`blocked` / `not blocked` / `transformed`); `action_exists` preserves CEF disposition. +- **`client.ip`** — syslog sender (ADC appliance), not HTTP client; never map as actor. +- **`user.name` on API events** — admin username only in vendor message today; literal until pipeline maps `citrix.extended.message`. +- **AAA authentication rejection** — username `sshah` in free text only; omit `user.*` actor columns. +- **`host.target.*` / TCP `Destination`** — unparsed in native fixtures; no de-facto `destination.*` mapping in package. +- **Alignment with Pass 2** — package classified `target_enhancement_packages.csv: none`; query-time `*.target.*` fills graph columns only, not ingest ECS target fields. +- **Pass 4 CASE syntax** — actor/action/target blocks and the full pipeline fragment use odd-arity `CASE` (condition/value pairs + trailing `null`); column-level **5-arg** / **7-arg** / **9-arg** preserve (` IS NOT NULL` first branch). 
Never **4-arg** `CASE( IS NOT NULL, , bare_field, null)` or `CASE(actor_exists|target_exists|action_exists, , …)` (bare field parses as a condition). `actor_exists` / `target_exists` / `action_exists` are helpers only. Fragment aligned with combined `EVAL` blocks.
+- **Pass 4 tautology cleanup (§10)** — `host.ip` uses `source.ip` fallback with column-level preserve (not `CASE(actor_exists, host.ip, …)` when `source.ip` alone is set); `user.name` / `*.target.*` / `event.action` use per-column `IS NOT NULL` preserve; no `CASE(col, col, …)` identity branches.
diff --git a/dev/domain/p1/corelight.md b/dev/domain/p1/corelight.md
new file mode 100644
index 00000000000..cf61e603ce0
--- /dev/null
+++ b/dev/domain/p1/corelight.md
@@ -0,0 +1,532 @@
+# corelight
+
+## Product Domain
+
+Corelight is a network detection and response (NDR) platform built on open-source network security monitoring (NSM) foundations—primarily Zeek (formerly Bro) for deep protocol analysis and Suricata for signature-based intrusion detection. Corelight sensors are deployed passively on network taps or SPAN ports to inspect live traffic, reconstruct application-layer sessions, and emit high-fidelity metadata about connections, protocols, files, and security-relevant behaviors without inline blocking.
+
+As an NSM platform, Corelight goes beyond simple flow logging by parsing dozens of protocols at line speed and generating structured Zeek logs for DNS, HTTP, TLS, SSH, RDP, VPN, files, software inventory, and custom notices. Corelight augments Zeek with proprietary analytics such as SSH/RDP/VPN inferences, threat-intel matching, and Suricata IDS alert enrichment. Security teams use Corelight for threat hunting, incident investigation, compliance visibility, and feeding SIEM platforms with normalized network telemetry across on-premises and cloud environments.
+
+The Elastic integration does not ingest data via Elastic Agent; Corelight sensors export logs directly to Elasticsearch using Corelight-maintained ECS mappings (index templates, ingest pipelines, and ILM policies). The integration package installs Kibana dashboards that visualize the exported `logs-corelight-*` data for security posture assessment, log hunting, IP interrogation, and protocol-specific analysis workflows.
+
+## Data Collected (brief)
+
+Corelight sensors export Zeek and Suricata telemetry directly to Elasticsearch (Sensor > Export > Export to Elastic) after installing [Corelight ECS templates](https://github.com/corelight/ecs-templates). This integration provides **dashboards only**—no Elastic Agent data streams—and expects data in `logs-corelight-*` indices mapped to ECS.
+
+Typical log types (`event.dataset`) include **conn** (connection metadata), **dns**, **http**, **tls** / **x509** (SSL and certificate details), **files** (extracted file hashes and MIME metadata), **software**, **notice** (Zeek security notices), **intel** (indicator matches), **ssh** / **rdp** / **vpn** (with Corelight inferences), **suricata_corelight** (Suricata IDS alerts with rule signature metadata), and AWS VPC flow logs. Events carry source/destination endpoints, network protocol details, observer/sensor identity, and Zeek- or Suricata-specific fields under ECS-aligned namespaces. Bundled dashboards cover connections, DNS, HTTP, SSL/x509, files, software, notices, intel, remote-access inferences, Suricata alerts, VPN activity, and security posture.
+
+## Expected Audit Log Entities
+
+Evidence is from `packages/corelight/docs/README.md`, bundled dashboards under `packages/corelight/kibana/dashboard/`, and saved searches under `packages/corelight/kibana/search/`. This integration is **dashboards-only**—Corelight sensors export Zeek/Suricata telemetry directly to `logs-corelight-*` via [Corelight ECS templates](https://github.com/corelight/ecs-templates) maintained outside this repo; there are no Elastic Agent data streams, ingest pipelines, or package test fixtures here.
+
+Log types (`event.dataset`) include **conn**, **dns**, **http**, **tls** / **x509**, **files**, **software**, **notice**, **intel**, **ssh**, **rdp**, **vpn**, **suricata_corelight**, and AWS VPC flow enrichment on conn (`capture_source: vpcflow`). These are **network security monitoring (NSM) telemetry** and audit-adjacent security events (notices, Suricata alerts, intel matches)—not identity-centric audit logs. There is no authenticated user principal in dashboard field usage.
+
+ECS `*.target.*` fields are **not populated** (no row in `target_fields_audit.csv`).
`destination.user.*` / `destination.host.*` are **not used** (absent from `destination_identity_hits.csv` and all dashboard ES\|QL). `target_enhancement_packages.csv` classifies corelight as **none**. Actor and target are inferred from flow direction (`source.*`/`destination.*`), Zeek originator/responder semantics (`conn.local_orig`/`conn.local_resp`, `files.tx_hosts`/`files.rx_hosts`), well-known ports, inference tags, and rule/notice metadata.
+
+**`event.action` is absent from all dashboard ES\|QL and saved searches** — no `event.action` field reference anywhere under `packages/corelight/`. Ingest pipelines live in [Corelight ECS templates](https://github.com/corelight/ecs-templates) / [ecs-mapping](https://github.com/corelight/ecs-mapping) (external); per-stream action semantics are carried by `event.dataset`, protocol fields, Zeek notice classes, Suricata rule metadata, and inference tags instead. See Event action sections below.
+
+| Stream (`event.dataset`) | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| **conn** | no | unverifiable (external) | `network.protocol` + `network.transport` (connection observed) | medium | Connections dashboard filters `event.dataset: conn`, charts `network.protocol`/`source.ip`/`destination.ip` (`corelight-eff0434c-*.json`) |
+| **conn** (vpcflow) | no | unverifiable | `capture_source: vpcflow` + `network.direction` (VPC flow accepted/rejected) | medium | AWS VPC Flow dashboard filters `capture_source: vpcflow`, ES\|QL on `network.direction` (`corelight-caf92ff9-*.json`) |
+| **dns** | no | unverifiable | `dns.question.type` + `dns.response_code` (e.g.
`A`, `NXDOMAIN`) | high | DNS dashboard ES\|QL on `dns.question.type`, `dns.response_code`, `dns.question.name` (`corelight-58885f47-*.json`, `corelight-8546a96c-*.json`) |
+| **http** | no | unverifiable | `http.request.method` (+ optional `url.path`) | high | HTTP dashboard control on `http.request.method`; IP Interrogation ES\|QL `GET` + URI (`corelight-8c5f15f7-*.json`, `corelight-3a4a279f-*.json`) |
+| **tls** / **x509** | no | unverifiable | TLS handshake / certificate observation (`ssl.validation_status`, `tls.cipher`) | medium | SSL and x509 / Secure Channel Insights dashboards (`corelight-e4a93cfe-*.json`, `corelight-45197477-*.json`) |
+| **files** | no | unverifiable | file transfer observed (`files.tx_hosts`/`files.rx_hosts`) | medium | Files dashboard "Top Transmitting/Receiving Hosts" (`corelight-0cfc8a95-*.json`) |
+| **software** | no | unverifiable | — (no per-event action; inventory sync) | high | Software dashboard on `host_header` + `software.name`/`software.type` — state snapshot, not verb (`corelight-40bbc19b-*.json`) |
+| **notice** | no | unverifiable | `notice.note` (Zeek notice class, e.g.
`SSL::Certificate_Expired`, `ATTACK::*`, `MeterpreterDetection::Meterpreter_Detected`) | high | Notices dashboard ES\|QL groups by `notice.note`, `notice.message` (`corelight-f7da14f0-*.json`, `corelight-7c0946bc-*.json`) |
+| **intel** | no | unverifiable | threat-intel match (`intel.seen.indicator` + `intel.seen.where`) | high | Intel dashboard ES\|QL on `intel.seen.indicator`, `intel.seen.indicator_type`, `intel.seen.where` (`corelight-323b0f27-*.json`) |
+| **ssh** | no | unverifiable | SSH session + `ssh.inferences` (PKA, KS, AUTO, CTS) | high | SSH Inferences Overview ES\|QL on `ssh.inferences`, `ssh.hassh` (`corelight-45197477-*.json`, `corelight-65a5fa91-*.json`) |
+| **rdp** | no | unverifiable | `rdp.result` (`Success`, `SSL_NOT_ALLOWED_BY_SERVER`) + `event.outcome` | high | RDP Inferences / Remote Activity dashboards filter `rdp.result`, `event.outcome` (`corelight-f4864774-*.json`, `corelight-2d4dc345-*.json`) |
+| **vpn** | no | unverifiable | `vpn.inferences` (RW, FW, COM, NSP, SK) + `vpn.name` | high | VPN Insights ES\|QL on `vpn.inferences`, `vpn.name` (`corelight-023162b6-*.json`, `corelight-f4864774-*.json`) |
+| **suricata_corelight** | no | unverifiable | `rule.name` + `rule.signature_id` (IDS signature triggered) | high | Suricata IDS Alert Overview ES\|QL on `rule.name`, `rule.signature_id`, `event.severity` (`corelight-f1208ffe-*.json`) |
+
+### Event action (semantic)
+
+What operation or activity does each stream record?
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| Network connection observed | connection | high | `network.protocol`, `network.transport`, `source.ip`/`destination.ip` on conn events | **conn** — default NSM "what happened" |
+| VPC flow accepted/rejected | connection | medium | `capture_source: vpcflow`, `network.direction`, cloud instance fields | **conn** (vpcflow enrichment) |
+| DNS query / response | data_access | high | `dns.question.type` (`A`, `PTR`, `AXFR`, …), `dns.response_code` (`NXDOMAIN`, …) | **dns** |
+| HTTP request observed | data_access | high | `http.request.method` with `url.path` | **http** |
+| TLS handshake / certificate check | data_access | medium | `tls.server.subject`, `ssl.validation_status`, `tls.cipher` | **tls**, **x509** |
+| File transfer observed | data_access | medium | `files.tx_hosts`/`files.rx_hosts`, `file.name`/`file.hash.sha256` | **files** |
+| Software package detected | — | high | `software.name`/`software.type`/`software.version.*` on `host_header` | **software** — inventory sync; no per-event verb |
+| Zeek security notice raised | detection | high | `notice.note` e.g. 
`SSL::Certificate_Expired`, `SSL::Invalid_Server_Cert`, `ATTACK::*`, `MeterpreterDetection::Meterpreter_Detected` | **notice** |
+| Threat-intel indicator matched | detection | high | `intel.seen.indicator`, `intel.seen.indicator_type`, `intel.seen.where` | **intel** |
+| SSH session / client behavior inferred | connection | high | `ssh.inferences` (`PKA`, `KS`, `AUTO`, `CTS`), `ssh.hassh` | **ssh** |
+| RDP authentication attempt | authentication | high | `rdp.result` (`Success`, `SSL_NOT_ALLOWED_BY_SERVER`); `event.outcome` (`success`/`failure`) | **rdp** |
+| VPN tunnel / exfiltration inferred | connection | high | `vpn.inferences` (`RW`, `FW`, `COM`, `NSP`, `SK`), `vpn.name` | **vpn** |
+| Suricata IDS rule triggered | detection | high | `rule.name`, `rule.signature_id`, `event.severity` | **suricata_corelight** |
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from dashboard evidence) | Enhancement candidate? 
| Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `event.action` | no | n/a | — | — | Absent from all dashboard ES\|QL under `packages/corelight/` |
+| `event.dataset` | no (→ dataset label) | partial | `conn`, `dns`, `http`, `notice`, `suricata_corelight`, … | partial | Log-type discriminator used in every dashboard filter; coarse action proxy |
+| `notice.note` | no | n/a | `SSL::Certificate_Expired`, `ATTACK::*`, `MeterpreterDetection::Meterpreter_Detected` | yes | Notices dashboard ES\|QL (`corelight-f7da14f0-*.json`, `corelight-7c0946bc-*.json`) |
+| `notice.message` | no | n/a | Human-readable notice text | partial (alternate) | Notices dashboard control (`corelight-f7da14f0-*.json`) |
+| `rule.name` | no | n/a | Suricata signature name (CVE-filtered in dashboard) | yes | Suricata IDS Alert Overview ES\|QL (`corelight-f1208ffe-*.json`) |
+| `rule.signature_id` | no | n/a | Suricata SID | partial (alternate) | Same dashboard; less human-readable than `rule.name` |
+| `http.request.method` | no | n/a | `GET`, `POST`, … | yes | HTTP dashboard + IP Interrogation ES\|QL (`corelight-8c5f15f7-*.json`, `corelight-3a4a279f-*.json`) |
+| `dns.question.type` | no | n/a | `A`, `PTR`, `AXFR`, `IXFR`, `ANY`, `TXT` | yes | DNS / Name Resolution dashboards (`corelight-58885f47-*.json`, `corelight-8546a96c-*.json`) |
+| `dns.response_code` | no | n/a | `NXDOMAIN`, … | partial | DNS dashboard NXDOMAIN panels (`corelight-8546a96c-*.json`) |
+| `rdp.result` | no | n/a | `Success`, `SSL_NOT_ALLOWED_BY_SERVER` | yes | RDP Inferences dashboards (`corelight-f4864774-*.json`, `corelight-2d4dc345-*.json`) |
+| `ssh.inferences` | no | n/a | `PKA`, `KS`, `AUTO`, `CTS` | yes | SSH Inferences Overview ES\|QL (`corelight-45197477-*.json`) |
+| `vpn.inferences` | no | n/a | `RW`, `FW`, `COM`, `NSP`, `SK` | yes | VPN Insights ES\|QL (`corelight-023162b6-*.json`) |
+| `intel.seen.indicator` | no | n/a | Matched IOC value | partial | Intel dashboard table (`corelight-323b0f27-*.json`) | 
+| `network.protocol` | no | n/a | `dns`, `ssl`, `ssh`, … | partial | Connections / protocol dashboards; coarse protocol observation |
+| `event.type` | no (classification field) | partial | — | no (keep as type) | Referenced on Intel dashboard (`corelight-323b0f27-*.json`); not a verb substitute for `event.action` |
+| `event.outcome` | no (outcome, not action) | partial | `success`, `failure` | no | RDP auth outcome (`corelight-f4864774-*.json`); complements but does not replace action |
+| `event.severity` | no | n/a | Suricata alert severity | partial | Suricata dashboard ES\|QL (`corelight-f1208ffe-*.json`); severity, not operation name |
+
+**Mapping note:** "Mapped today?" reflects fields present in indexed `logs-corelight-*` data per dashboard ES\|QL. Ingest pipelines live in [Corelight ECS templates](https://github.com/corelight/ecs-templates) / [ecs-mapping](https://github.com/corelight/ecs-mapping), not in this integration package — pipeline source → ECS steps and `event.action` population cannot be verified from repo evidence. Corelight's external mapping spreadsheet documents `event.category`, `event.kind`, and related ECS typing per log type. 
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Flow / protocol initiator | host | — | high | `source.ip`, `source.port`; Connections dashboard filters `event.dataset: conn` and charts `source.ip`/`destination.ip` (`corelight-eff0434c-*.json`); DNS dashboard aggregates by `source.ip` as originator (`corelight-58885f47-*.json`) | Default for conn, dns, http, tls, ftp, smb |
+| Outbound vs inbound orientation | host | — | medium | `conn.local_orig: true` / `conn.local_resp: false` on outbound flows; Connections dashboard "Top Outbound/Inbound Data Flows by Originator" (`corelight-eff0434c-*.json`) | conn only |
+| Suricata IDS alert source | host | — | high | `source.ip`; Origin Summary ES\|QL groups hits by `source.ip` (`corelight-f1208ffe-*.json`); Security Posture counts unique source IPs on `suricata_corelight` (`corelight-7c0946bc-*.json`) | suricata_corelight |
+| Zeek notice subject | host | — | high | `source.ip`; Notices dashboard filter on `source.ip`; ES\|QL on `notice.note`/`notice.message` (`corelight-f7da14f0-*.json`, `corelight-7c0946bc-*.json`) | notice |
+| Threat intel observed host | host | — | high | `source.ip`; Intel dashboard ES\|QL stats by `source.ip`, `destination.ip`, `intel.seen.indicator` (`corelight-323b0f27-*.json`) | intel |
+| SSH client / initiator | host | — | high | `source.ip`; SSH Inferences Overview ES\|QL groups by `source.ip`, `destination.ip`, `ssh.inferences` (PKA, KS, AUTO, CTS) (`corelight-45197477-*.json`, `corelight-65a5fa91-*.json`) | ssh |
+| RDP client | host | — | high | `source.ip`; RDP Inferences Overview filters `rdp.result`, charts auth by endpoint pair (`corelight-2d4dc345-*.json`, `corelight-f4864774-*.json`) | rdp |
+| VPN client / initiator | host | — | high | `source.ip`; VPN Insights ES\|QL groups by `source.ip`, `vpn.inferences` (RW, FW, COM, NSP, SK) (`corelight-023162b6-*.json`, 
`corelight-f4864774-*.json`) | vpn |
+| File transfer originator | host | — | high | `files.tx_hosts` (Zeek tx_host); Files dashboard "Top Transmitting (tx_host) Hosts" (`corelight-0cfc8a95-*.json`); session endpoints also in `source.ip` | files |
+| Software inventory host | host | — | high | `host_header` (Zeek host); Software dashboard control on `host_header` with `software.name`/`software.type` (`corelight-40bbc19b-*.json`) | software |
+| AWS VPC flow originator | host | — | medium | `source.ip` plus `orig_inst.id`/`orig_inst.name`/`orig_inst.vpc_id`; AWS VPC Flow dashboard filters `capture_source: vpcflow` (`corelight-caf92ff9-*.json`) | conn (vpcflow) |
+| HTTP client software | general | client_software | low | `user_agent.original` reflects client application, not authenticated user; HTTP dashboard ES\|QL on `user_agent.original` (`corelight-8c5f15f7-*.json`) | http |
+| Corelight sensor | — | — | high | Not the actor — every dashboard filters `observer.vendor: Corelight` and scopes by `observer.hostname` | All streams |
+
+No **user** actor is populated in dashboard field usage; `user.name` / `user.id` / `user.email` are absent from all bundled dashboards and ES\|QL. `rdp.cookie` is labeled "Connecting User" in RDP dashboard ES\|QL (`corelight-2d4dc345-*.json`) but is an RDP session cookie, not an ECS user identity.
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? 
| Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `source.ip` | Flow/alert origin host | yes (external ECS templates) | yes | high | Used in all dashboards; Connections, DNS, Suricata, Intel, SSH, RDP, VPN ES\|QL |
+| `source.port` | Flow origin port | yes (external) | yes | high | Connections dashboard controls (`corelight-eff0434c-*.json`) |
+| `source.bytes` | Flow volume (origin side) | yes (external) | yes | high | Connections outbound panels; VPN Insights byte charts (`corelight-023162b6-*.json`) |
+| `source.geo.country_iso_code` | Enriched origin | yes (external) | yes | medium | Connections inbound panels (`corelight-eff0434c-*.json`) |
+| `conn.local_orig` / `conn.local_resp` | Internal originator/responder orientation | yes (external) | yes | high | Connections outbound/inbound panels; Name Resolution Insights conn ES\|QL (`corelight-eff0434c-*.json`, `corelight-8546a96c-*.json`) |
+| `files.tx_hosts` | File transmitter (Zeek tx_host) | yes (external) | yes | high | Files dashboard "Top Transmitting (tx_host) Hosts" (`corelight-0cfc8a95-*.json`) |
+| `host_header` | Software-inventory host | yes (external) | yes | high | Software dashboard host control (`corelight-40bbc19b-*.json`) |
+| `orig_inst.id` / `orig_inst.name` / `orig_inst.vpc_id` | Cloud-side flow originator | yes (external) | yes | medium | AWS VPC Flow cloud-enrichment ES\|QL (`corelight-caf92ff9-*.json`) |
+| `ssh.inferences` | SSH client behavior hint | yes (external) | n/a | high | SSH Inferences Overview ES\|QL (`corelight-45197477-*.json`) |
+| `rdp.cookie` | RDP session identifier | yes (external) | partial | medium | Labeled "Connecting User" in dashboard but is session cookie, not `user.*` (`corelight-2d4dc345-*.json`) |
+| `rdp.result` / `event.outcome` | RDP auth outcome | yes (external) | yes | high | RDP Inferences / Remote Activity dashboards (`corelight-f4864774-*.json`) |
+| `vpn.inferences` / `vpn.name` | VPN client behavior / type | yes (external) | n/a | 
high | VPN Insights dashboard (`corelight-023162b6-*.json`) |
+| `user_agent.original` | HTTP client software | yes (external) | partial | medium | Client software string, not security principal (`corelight-8c5f15f7-*.json`) |
+| `observer.hostname` / `observer.vendor` | Sensor identity | yes (external) | n/a | high | Scope filter on all dashboards; not traffic actor |
+| `suricata.alert.metadata_original` | Suricata alert metadata | yes (external) | n/a | medium | CVE filter on Suricata dashboard (`corelight-f1208ffe-*.json`) |
+
+**Mapping note:** "Mapped today?" reflects fields present in indexed `logs-corelight-*` data per dashboard ES\|QL. Ingest pipelines live in [Corelight ECS templates](https://github.com/corelight/ecs-templates), not in this integration package — pipeline source → ECS steps cannot be verified from repo evidence.
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Network protocol / service | Application protocol or well-known service on destination port | DNS, HTTP, TLS, SSH, RDP, … | service | — | high | `network.protocol`, `network.transport`, `destination.port` — DNS `:53`, HTTP `:80`, TLS `:443`; Notices dashboard ES\|QL on `network.transport`/`destination.port` (`corelight-f7da14f0-*.json`) | All protocol and alert events |
+| 2 — Host / endpoint | IP peer receiving or serving traffic | Internal server, external host, resolver | host | — | high | `destination.ip`, `destination.port`; Connections charts `destination.geo.country_iso_code` (`corelight-eff0434c-*.json`); Suricata Security Posture "Unique Dest. 
IPs" (`corelight-7c0946bc-*.json`) | Default for conn, dns, http, alerts |
+| 2 — Cloud instance (VPC flow) | EC2/instance peer on enriched conn | Cloud VM / ENI | host | — | medium | `destination.ip` plus `resp_inst.id`/`resp_inst.name`/`resp_inst.vpc_id` (`corelight-caf92ff9-*.json`) | conn (vpcflow) |
+| 2 — File receiver | Host receiving transferred file | Internal/external host | host | — | high | `files.rx_hosts` (Zeek rx_host); Files dashboard "Top Receiving (rx_host) Hosts" (`corelight-0cfc8a95-*.json`) | files |
+| 3 — Named resource / content | Domain, URL, file, certificate, IOC | FQDN, HTTP path, file hash, x509 DN | general | domain, url, file, certificate, indicator | high | `dns.question.name`, `dest_host`, `url.path`, `file.name`/`file.mime_type`, `tls.server.subject`, `intel.seen.indicator` — DNS (`corelight-58885f47-*.json`), HTTP (`corelight-8c5f15f7-*.json`), Files (`corelight-0cfc8a95-*.json`), Intel (`corelight-323b0f27-*.json`) | Per log type |
+| 3 — Detection rule / notice | Triggered signature or Zeek notice | Suricata rule, Zeek notice class | general | ids_rule, notice | high | `rule.signature_id`, `rule.name`, `event.severity` (`corelight-f1208ffe-*.json`); `notice.note` e.g. `ATTACK::*`, `SSL::Certificate_Expired`, `MeterpreterDetection::Meterpreter_Detected` (`corelight-7c0946bc-*.json`) | suricata_corelight, notice |
+| 3 — Session correlation | Cross-log pivot keys | Zeek uid, community_id, file uid | general | session_id | high | `event.id`, `network.community_id`, `log.id.fuid` — Log Hunting dashboard controls (`corelight-ff07e65c-*.json`) | conn, files, http |
+
+Software inventory (`software.name`, `software.type`, `software.version.*`) is a Layer 3 artifact detected **on** the Layer 2 host (`host_header`), not a separate endpoint.
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? 
| Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `destination.ip` | 2 | host | yes (external) | yes | context-only (network peer) | yes → `host.target.ip` | All dashboards; Suricata, Intel, SSH, RDP ES\|QL |
+| `destination.port` | 1/2 | service/host | yes (external) | yes | context-only | partial → `host.target.port` | Connections, DNS, Notices, Intel dashboards |
+| `destination.domain` | 3 | general | yes (external) | yes | context-only | partial → `entity.target.name` | TLS/SSL dashboards (`corelight-e4a93cfe-*.json`, `corelight-45197477-*.json`) |
+| `destination.geo.country_iso_code` | 2 | host | yes (external) | yes | context-only | no | Connections outbound/inbound panels (`corelight-eff0434c-*.json`) |
+| `destination.bytes` | 2 | host | yes (external) | yes | context-only | no | AWS VPC Flow dashboard (`corelight-caf92ff9-*.json`) |
+| `network.protocol` / `network.transport` | 1 | service | yes (external) | yes | context-only | partial → `service.target.name` | Connections, Notices ES\|QL |
+| `dns.question.name` / `dns.question.type` | 3 | general | yes (external) | yes | context-only | partial | DNS / Name Resolution dashboards (`corelight-58885f47-*.json`, `corelight-8546a96c-*.json`) |
+| `dest_host` | 3 | general | yes (external) | yes | context-only | partial → `entity.target.name` | HTTP Host header; HTTP dashboard ES\|QL (`corelight-8c5f15f7-*.json`) |
+| `url.path` / `http.request.method` | 3 | general | yes (external) | yes | context-only | partial | IP Interrogation / Log Hunting HTTP ES\|QL (`corelight-3a4a279f-*.json`) |
+| `tls.server.subject` / `tls.cipher` / `ssl.validation_status` | 3 | general | yes (external) | yes | context-only | partial | SSL and x509 / Secure Channel Insights (`corelight-e4a93cfe-*.json`, `corelight-45197477-*.json`) |
+| `file.name` / `file.mime_type` / `file.hash.sha256` | 3 | general | yes (external) | yes | context-only | partial | Files dashboard; x509 expiring-certs ES\|QL 
(`corelight-0cfc8a95-*.json`, `corelight-7c0946bc-*.json`) |
+| `file.x509.subject.distinguished_name` | 3 | general | yes (external) | yes | context-only | partial | SSL and x509 dashboard (`corelight-e4a93cfe-*.json`) |
+| `files.rx_hosts` | 2 | host | yes (external) | yes | context-only | yes → `host.target.hostname` | Files dashboard receiver panels (`corelight-0cfc8a95-*.json`) |
+| `intel.seen.indicator` / `.indicator_type` / `.where` | 3 | general | yes (external) | yes | context-only | partial → `entity.target.id` | Intel dashboard table and Security Posture (`corelight-323b0f27-*.json`, `corelight-7c0946bc-*.json`) |
+| `rule.signature_id` / `rule.name` / `rule.category` / `event.severity` | 3 | general | yes (external) | yes | context-only | no | Suricata IDS Alert Overview (`corelight-f1208ffe-*.json`) |
+| `notice.note` / `notice.message` | 3 | general | yes (external) | yes | context-only | partial | Notices / Security Posture dashboards (`corelight-f7da14f0-*.json`, `corelight-7c0946bc-*.json`) |
+| `resp_inst.id` / `resp_inst.name` / `resp_inst.vpc_id` | 2 | host | yes (external) | yes | context-only | partial → `host.target.id` | AWS VPC Flow cloud-enrichment ES\|QL (`corelight-caf92ff9-*.json`) |
+| `software.name` / `software.type` / `software.version.*` | 3 | general | yes (external) | yes | context-only | partial | Software dashboard (`corelight-40bbc19b-*.json`) |
+| `network.community_id` / `event.id` / `log.id.fuid` | 3 | general | yes (external) | yes | context-only | no | Log Hunting correlation controls (`corelight-ff07e65c-*.json`) |
+| `rdp.auth_successful` / `rdp.result` | 2/3 | host / general | yes (external) | yes | context-only | no | Remote Activity Insights RDP panels (`corelight-f4864774-*.json`) |
+
+### Gaps and mapping notes
+
+- **No ECS `*.target.*` fields** — endpoint peers live under `destination.*` and Zeek-specific `files.tx_hosts`/`files.rx_hosts` as network context; `target_enhancement_packages.csv` classifies corelight 
as **none** (no package pipeline evidence for Tier-A migration).
+- **`destination.*` is network context, not de-facto user/host audit target** — unlike firewall auth or email logs, Corelight never maps login-target or recipient identity to `destination.user.*`; all destination fields are flow 5-tuple peers or service ports.
+- **Dashboard-only evidence ceiling** — ingest mapping is maintained in [Corelight ECS templates](https://github.com/corelight/ecs-templates) / [ecs-mapping](https://github.com/corelight/ecs-mapping); this repo cannot trace pipeline source → ECS field steps or validate fixtures.
+- **`event.action` gaps** — `event.action` is absent from all dashboard ES\|QL; strongest action candidates are **`notice.note`** (Zeek notice class on **notice**), **`rule.name`** (Suricata signature on **suricata_corelight**), **`http.request.method`** (**http**), **`dns.question.type`** (**dns**), **`rdp.result`** (**rdp**), and **`ssh.inferences`/`vpn.inferences`** (remote-access streams). Recommended primary mapping: `event.action` ← `notice.note` on notices; `event.action` ← `rule.name` on Suricata alerts; `event.action` ← `http.request.method` on HTTP; protocol streams could use normalized `event.dataset` or `network.protocol` as coarse fallback until vendor-specific verbs are mapped.
+- **`event.type` / `event.outcome` vs `event.action`** — RDP dashboards use `event.outcome` for auth success/failure and Intel dashboard references `event.type`; these are outcome/classification fields, not operation verbs per ECS Event field-set.
+- **`rdp.cookie` vs `user.*`** — RDP dashboard labels `rdp.cookie` as "Connecting User" but it is a session cookie, not an authenticated principal; do not map to `user.name`/`user.id`.
+- **`user_agent.original` vs `user.*`** — HTTP User-Agent strings populate client software correctly; must not be interpreted as user actor. 
+- **`ssh.inferences: AUTO`** — indicates scripted/automated client behavior, not absence of a human user identity (which is never captured).
+- **`observer.*`** identifies the Corelight sensor on every dashboard; it is not the traffic actor or target.
+- **Software inventory** — `host_header` + `software.*` describe state observed on a host, not an audit event with caller/target principals.
+
+### Per-stream notes
+
+Bundled dashboards cover conn, dns, http, tls/x509, files, software, notice, intel, ssh, rdp, vpn, suricata_corelight, and vpcflow-enriched conn.
+
+- **conn** — Action: connection observed (`network.protocol`/`network.transport`). Host actor (`source.ip`) and host/service target (`destination.ip`/`destination.port`). Outbound/inbound orientation via `conn.local_orig`/`conn.local_resp`.
+- **conn** (vpcflow) — Action: VPC flow log with `capture_source: vpcflow` and `network.direction`. Cloud instance enrichment on `orig_inst.*`/`resp_inst.*`.
+- **dns** — Action: DNS query type + response code. `dns.question.name`/`dns.question.type` are primary action/detail fields.
+- **http** — Action: HTTP method + URI path. `user_agent.original` is client software, not user actor.
+- **tls** / **x509** — Action: TLS handshake / certificate validation. Layer 3 cert and cipher fields dominate.
+- **files** — Action: file transfer (`files.tx_hosts`/`files.rx_hosts`). Layer 3 file hash/MIME metadata.
+- **software** — No per-event action; inventory sync semantics — host + detected package snapshot.
+- **notice** — Action: Zeek notice class (`notice.note`). Primary security "what happened" alongside Suricata alerts.
+- **intel** — Action: threat-intel indicator match (`intel.seen.*`). Targets matched IOCs rather than endpoints alone.
+- **ssh** / **rdp** / **vpn** — Action: remote-access session + Corelight inference tags. RDP adds auth outcome via `rdp.result`/`event.outcome`. 
+- **suricata_corelight** — Action: IDS signature rule triggered (`rule.name`, `rule.signature_id`, `event.severity`). Layer 3 detection metadata.
+
+Log Hunting / IP Interrogation dashboards pivot across streams via `event.id`, `network.community_id`, and `log.id.fuid`.
+
+## Example Event Graph (illustrative — no package fixtures)
+
+**Package type: assets-only** — `packages/corelight/manifest.yml` has no `policy_templates:` and no `data_stream/` directory; this repo ships **Kibana dashboards and saved searches only**. Corelight sensors export Zeek/Suricata telemetry to customer `logs-corelight-*` indices via [Corelight ECS templates](https://github.com/corelight/ecs-templates) (outside this package). Patterns below are **field/schema illustrations** from bundled dashboard ES|QL and filter literals — **not** single indexed documents. Do not treat dashboard JSON as sample events.
+
+`event.action` is absent from all dashboard ES|QL under `packages/corelight/`; action labels below come from vendor fields or filter literals only. 
+
+### Pattern 1: Zeek TLS certificate notice
+
+**Log type:** `notice` · **Evidence:** `packages/corelight/kibana/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b.json` (Tier B — filter literal `SSL::Certificate_Expired`); `packages/corelight/kibana/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618.json` (Tier B — ES|QL on `notice.note`, `source.ip`, `destination.ip`, `network.transport`, `destination.port`)
+
+```
+host (source.ip) → SSL::Certificate_Expired (notice.note) → tls service (destination.ip, network.transport, destination.port)
+```
+
+#### Actor (schema)
+
+| Field | Source in indexed data (not a sample value) |
+| --- | --- |
+| type | host — from `source.ip` in Notices dashboard ES|QL |
+
+#### Event action (schema)
+
+| Field | Source |
+| --- | --- |
+| action | derived label from Zeek notice class |
+| source_field | `notice.note` |
+| source_value | `SSL::Certificate_Expired` (Security Posture dashboard filter literal) |
+
+#### Target (schema)
+
+| Field | Source in indexed data (not a sample value) |
+| --- | --- |
+| type | service — responder inferred from `destination.ip`, `network.transport`, `destination.port` (Notices ES|QL concatenates transport/port) |
+
+### Pattern 2: DNS NXDOMAIN response
+
+**Log type:** `dns` · **Evidence:** `packages/corelight/kibana/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e.json` (Tier B — `dns.response_code == "NXDOMAIN"`, `source.ip`, `destination.ip`, `dns.question.name`); `packages/corelight/kibana/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17.json` (Tier B — DNS dashboard NXDOMAIN panel)
+
+```
+host (source.ip) → NXDOMAIN (dns.response_code) → domain (dns.question.name, destination.domain)
+```
+
+#### Actor (schema)
+
+| Field | Source in indexed data (not a sample value) |
+| --- | --- |
+| type | host — from `source.ip` in Name Resolution Insights ES|QL |
+
+#### Event action (schema)
+
+| Field | Source |
+| --- | --- |
+| action | derived label from DNS 
response code |
+| source_field | `dns.response_code` |
+| source_value | `NXDOMAIN` (dashboard ES|QL filter literal) |
+
+#### Target (schema)
+
+| Field | Source in indexed data (not a sample value) |
+| --- | --- |
+| type | general — queried name from `dns.question.name`; `destination.domain` also referenced in DNS dashboard ES|QL |
+
+### Pattern 3: Suricata IDS signature triggered
+
+**Log type:** `suricata_corelight` · **Evidence:** `packages/corelight/kibana/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb.json` (Tier B — ES|QL on `source.ip`, `rule.name`, `rule.signature_id`, `event.severity`)
+
+```
+host (source.ip) → IDS signature triggered (rule.name) → ids rule (rule.name, rule.signature_id)
+```
+
+#### Actor (schema)
+
+| Field | Source in indexed data (not a sample value) |
+| --- | --- |
+| type | host — from `source.ip` in Suricata IDS Alert Overview ES|QL |
+
+#### Event action (schema)
+
+| Field | Source |
+| --- | --- |
+| action | derived label — signature triggered |
+| source_field | `rule.name` |
+| source_value | — (per-event signature name not hard-coded in dashboard asset) |
+
+#### Target (schema)
+
+| Field | Source in indexed data (not a sample value) |
+| --- | --- |
+| type | general — detection object from `rule.name`, `rule.signature_id` |
+
+## ES|QL Entity Extraction
+
+**Package type: assets-only (Tier B).** Field paths inferred from bundled dashboard ES|QL only; this package defines no ingest pipelines or test fixtures in-repo. `manifest.yml` has no `policy_templates:` and no `data_stream/` — do **not** route on `data_stream.dataset` from this integration (some VPC panels reference `data_stream.dataset == "corelight.conn"` in customer indices; that value is **not** defined by this package). Primary router: **`event.dataset`** (Zeek log type), as in dashboard filters (`event.dataset == "conn"`, `"dns"`, `"notice"`, etc.). Scope with `FROM logs-corelight-*` and optionally `observer.vendor == "Corelight"`. 
NSM telemetry: actor is **host** (`source.ip`); targets are **host** / **service** / **general** by stream. Pass 4 is **fill-gaps-only**: detection flags (`actor_exists`, `target_exists`, `action_exists`) run first for query semantics; **mapped columns use column-level preserve** (` IS NOT NULL`), not `CASE(actor_exists, , …)` / `CASE(action_exists, event.action, …)` — so HTTP `entity.name` or a populated `entity.target.name` does not block `host.ip` ← `source.ip` or `host.target.ip` ← `destination.ip` (§10 — no identity no-op). Confidence **medium** or **low** (Tier B, not package-fixture verified).
+
+### Dataset inventory
+
+| `event.dataset` (router) | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `conn`, `ssh`, `rdp`, `vpn` | connection / remote access | host | host, service | partial |
+| `conn` + `capture_source == "vpcflow"` | VPC flow enrichment | host | host (cloud instance) | partial |
+| `dns` | DNS query/response | host | general (domain) | partial |
+| `http` | HTTP request | host, general (client software) | general (url/domain) | partial |
+| `tls`, `x509` | TLS/cert observation | host | service, host | partial |
+| `files` | file transfer | host | host, general (file) | partial |
+| `notice`, `intel`, `suricata_corelight` | detection | host | service, general | partial |
+| `software` | inventory sync | — | — | none |
+
+### Field mapping plan
+
+**Detection predicate (tuned):** `actor_exists` omits `user.*` — no user principal in dashboard ES|QL. `target_exists` uses standard `*.target.*` columns per Pass 4 v2. **Mapped columns use column-level preserve** (` IS NOT NULL`), not `CASE(actor_exists, , …)` — HTTP `entity.name` can satisfy `actor_exists` while `host.ip` is still empty. 
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `host.ip` | `source.ip` | `event.dataset IN ("conn", "dns", "http", "tls", "x509", "notice", "intel", "ssh", "rdp", "vpn", "suricata_corelight", "files") AND source.ip IS NOT NULL` | medium | **column-level preserve** (`host.ip IS NOT NULL`); **fallback** `source.ip` — de-facto flow originator (Tier B) |
+| `entity.name` | `user_agent.original` | `event.dataset == "http" AND user_agent.original IS NOT NULL` | low | **column-level preserve** (`entity.name IS NOT NULL`); **fallback** client software — not `user.name` |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `host.target.ip` | `destination.ip` | `event.dataset IN ("conn", "dns", "http", "tls", "x509", "notice", "intel", "ssh", "rdp", "vpn", "suricata_corelight") AND destination.ip IS NOT NULL` | medium | **column-level preserve**; **fallback** de-facto network peer |
+| `host.target.id` | `resp_inst.id` | `event.dataset == "conn" AND capture_source == "vpcflow" AND resp_inst.id IS NOT NULL` | medium | **column-level preserve**; **fallback** AWS VPC Flow dashboard (`corelight-caf92ff9-*.json`) |
+| `host.target.name` | `files.rx_hosts` | `event.dataset == "files" AND files.rx_hosts IS NOT NULL` | medium | **column-level preserve**; **fallback** Zeek rx_host (Files dashboard) |
+| `service.target.name` | `network.protocol` | `event.dataset IN ("conn", "notice", "tls", "rdp") AND network.protocol IS NOT NULL` | medium | **column-level preserve**; **fallback** protocol/service layer |
+| `entity.target.name` | `dns.question.name` | `event.dataset == "dns" AND dns.question.name IS NOT NULL` | medium | **column-level preserve**; **fallback** queried FQDN |
+| `entity.target.name` | `dest_host` | `event.dataset == "http" AND dest_host IS NOT NULL` | medium | 
**column-level preserve**; **fallback** HTTP Host header |
+| `entity.target.name` | `intel.seen.indicator` | `event.dataset == "intel" AND intel.seen.indicator IS NOT NULL` | medium | **column-level preserve**; **fallback** matched IOC |
+| `entity.target.name` | `rule.name` | `event.dataset == "suricata_corelight" AND rule.name IS NOT NULL` | medium | **column-level preserve**; **fallback** Suricata signature |
+| `entity.target.name` | `notice.note` | `event.dataset == "notice" AND notice.note IS NOT NULL` | medium | **column-level preserve**; **fallback** Zeek notice class |
+| `entity.target.type` | literals | per `event.dataset` (dns/http/intel/suricata/notice) | low | **column-level preserve**; **semantic literal** in fallback only |
+
+#### Event action mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `event.action` | `notice.note` | `event.dataset == "notice" AND notice.note IS NOT NULL` | medium | **column-level preserve** (`event.action IS NOT NULL`); **fallback** — `event.action` absent from dashboards |
+| `event.action` | `rule.name` | `event.dataset == "suricata_corelight" AND rule.name IS NOT NULL` | medium | **column-level preserve**; **fallback** |
+| `event.action` | `http.request.method` | `event.dataset == "http" AND http.request.method IS NOT NULL` | medium | **column-level preserve**; **fallback** |
+| `event.action` | `dns.question.type` | `event.dataset == "dns" AND dns.question.type IS NOT NULL` | medium | **column-level preserve**; **fallback** (coarse; `dns.response_code` alternate) |
+| `event.action` | `rdp.result` | `event.dataset == "rdp" AND rdp.result IS NOT NULL` | medium | **column-level preserve**; **fallback** |
+| `event.action` | `ssh.inferences` | `event.dataset == "ssh" AND ssh.inferences IS NOT NULL` | medium | **column-level preserve**; **fallback** |
+| `event.action` | `vpn.inferences` | `event.dataset == "vpn" AND vpn.inferences IS 
NOT NULL` | medium | **column-level preserve**; **fallback** | + +### Detection flags (mandatory — run first) + +Network-only integration: `actor_exists` excludes `user.*` (no authenticated principal in dashboard field usage). **Actor/target/action `EVAL` blocks use column-level preserve** (` IS NOT NULL`) — not `CASE(actor_exists, , …)` / `CASE(action_exists, event.action, …)` — so one populated sibling column does not block fallbacks on empty columns (Pass 4 §10). + +```esql +| EVAL + actor_exists = host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +``` + +### Optional classification helpers + +`entity.target.type` literals apply only when `entity.target.type` is null (fallback branch in target `EVAL` below). 
+ +### Combined ES|QL — actor fields + +```esql +| EVAL + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + event.dataset IN ("conn", "dns", "http", "tls", "x509", "notice", "intel", "ssh", "rdp", "vpn", "suricata_corelight", "files") AND source.ip IS NOT NULL, source.ip, + null + ), + entity.name = CASE( + entity.name IS NOT NULL, entity.name, + event.dataset == "http" AND user_agent.original IS NOT NULL, user_agent.original, + null + ) +``` + +### Combined ES|QL — event action + +```esql +| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + event.dataset == "notice" AND notice.note IS NOT NULL, notice.note, + event.dataset == "suricata_corelight" AND rule.name IS NOT NULL, rule.name, + event.dataset == "http" AND http.request.method IS NOT NULL, http.request.method, + event.dataset == "dns" AND dns.question.type IS NOT NULL, dns.question.type, + event.dataset == "rdp" AND rdp.result IS NOT NULL, rdp.result, + event.dataset == "ssh" AND ssh.inferences IS NOT NULL, ssh.inferences, + event.dataset == "vpn" AND vpn.inferences IS NOT NULL, vpn.inferences, + null + ) +``` + +### Combined ES|QL — target fields + +Uses `user.target.*` / `host.target.*` / `service.target.*` / `entity.target.*` only — never `target.user.*` or `target.entity.type`. 
+ +```esql +| EVAL + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + event.dataset IN ("conn", "dns", "http", "tls", "x509", "notice", "intel", "ssh", "rdp", "vpn", "suricata_corelight") AND destination.ip IS NOT NULL, destination.ip, + null + ), + host.target.id = CASE( + host.target.id IS NOT NULL, host.target.id, + event.dataset == "conn" AND capture_source == "vpcflow" AND resp_inst.id IS NOT NULL, resp_inst.id, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + event.dataset == "files" AND files.rx_hosts IS NOT NULL, files.rx_hosts, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + event.dataset IN ("conn", "notice", "tls", "rdp") AND network.protocol IS NOT NULL, network.protocol, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + event.dataset == "dns" AND dns.question.name IS NOT NULL, dns.question.name, + event.dataset == "http" AND dest_host IS NOT NULL, dest_host, + event.dataset == "intel" AND intel.seen.indicator IS NOT NULL, intel.seen.indicator, + event.dataset == "suricata_corelight" AND rule.name IS NOT NULL, rule.name, + event.dataset == "notice" AND notice.note IS NOT NULL, notice.note, + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + event.dataset == "dns", "domain", + event.dataset == "http", "url", + event.dataset == "intel", "indicator", + event.dataset == "suricata_corelight", "ids_rule", + event.dataset == "notice", "notice", + null + ) +``` + +### Full pipeline fragment (optional) + +```esql +FROM logs-corelight-* +| EVAL + actor_exists = host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR 
service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +| EVAL + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + event.dataset IN ("conn", "dns", "http", "tls", "x509", "notice", "intel", "ssh", "rdp", "vpn", "suricata_corelight", "files") AND source.ip IS NOT NULL, source.ip, + null + ), + entity.name = CASE( + entity.name IS NOT NULL, entity.name, + event.dataset == "http" AND user_agent.original IS NOT NULL, user_agent.original, + null + ), + event.action = CASE( + event.action IS NOT NULL, event.action, + event.dataset == "notice" AND notice.note IS NOT NULL, notice.note, + event.dataset == "suricata_corelight" AND rule.name IS NOT NULL, rule.name, + event.dataset == "http" AND http.request.method IS NOT NULL, http.request.method, + event.dataset == "dns" AND dns.question.type IS NOT NULL, dns.question.type, + event.dataset == "rdp" AND rdp.result IS NOT NULL, rdp.result, + event.dataset == "ssh" AND ssh.inferences IS NOT NULL, ssh.inferences, + event.dataset == "vpn" AND vpn.inferences IS NOT NULL, vpn.inferences, + null + ), + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + event.dataset IN ("conn", "dns", "http", "tls", "x509", "notice", "intel", "ssh", "rdp", "vpn", "suricata_corelight") AND destination.ip IS NOT NULL, destination.ip, + null + ), + host.target.id = CASE( + host.target.id IS NOT NULL, host.target.id, + event.dataset == "conn" AND capture_source == "vpcflow" AND resp_inst.id IS NOT NULL, resp_inst.id, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + event.dataset == "files" AND files.rx_hosts IS NOT NULL, files.rx_hosts, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + event.dataset IN ("conn", "notice", "tls", "rdp") AND network.protocol IS NOT NULL, network.protocol, + null + ), + entity.target.name = 
CASE( + entity.target.name IS NOT NULL, entity.target.name, + event.dataset == "dns" AND dns.question.name IS NOT NULL, dns.question.name, + event.dataset == "http" AND dest_host IS NOT NULL, dest_host, + event.dataset == "intel" AND intel.seen.indicator IS NOT NULL, intel.seen.indicator, + event.dataset == "suricata_corelight" AND rule.name IS NOT NULL, rule.name, + event.dataset == "notice" AND notice.note IS NOT NULL, notice.note, + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + event.dataset == "dns", "domain", + event.dataset == "http", "url", + event.dataset == "intel", "indicator", + event.dataset == "suricata_corelight", "ids_rule", + event.dataset == "notice", "notice", + null + ) +| KEEP @timestamp, event.dataset, event.action, source.ip, destination.ip, host.ip, host.target.ip, host.target.id, host.target.name, service.target.name, entity.target.name, entity.target.type, entity.name +``` + +### Streams excluded + +- **`software`** — inventory snapshot on `host_header` + `software.*`; no per-event actor/target chain (Software dashboard `corelight-40bbc19b-*.json`). +- **Events without `source.ip` in dashboard field usage** — omit actor `host.ip` fallback rather than guess. + +### Gaps and limitations + +- **Column-level preserve (§10)** — `actor_exists` / `target_exists` / `action_exists` are query-time helpers only; mapped columns use ` IS NOT NULL` as the first `CASE` branch. Anti-patterns: `CASE(actor_exists, host.ip, source.ip, null)` when HTTP `entity.name` is set but `host.ip` is empty; `CASE(action_exists, event.action, notice.note, null)` (4 args — `notice.note` becomes a **condition**, not a value). Use 5-arg: `CASE(event.action IS NOT NULL, event.action, event.dataset == "notice" AND notice.note IS NOT NULL, notice.note, null)`. Never `CASE(col, col, …)` identity branches. +- **ES|QL `CASE` arity** — arguments are **(condition, value)** pairs; odd count → last arg is default. 
Wrong: `CASE(user.name IS NOT NULL, user.name, user.full_name, null)` (4 args). Right: `CASE(user.name IS NOT NULL, user.name, user.full_name)` (3 args).
+- **No `data_stream.dataset` from this package** — router uses `event.dataset` per dashboard ES|QL only; ingest mapping is external ([Corelight ECS templates](https://github.com/corelight/ecs-templates)).
+- **`user.*` / `user.target.*` omitted** — no `user.id` / `user.name` in dashboard ES|QL; `rdp.cookie` and `user_agent.original` must not map to user actor/target.
+- **`host.name` / `host.id` (actor) omitted** — no hostname or host-id fields in dashboard ES|QL for flow originator; vpcflow uses `resp_inst.id` → `host.target.id` only.
+- **`destination.*` is network context** — mapped to `host.target.*` as de-facto peer, not audit user/host target (aligned with Pass 2 **Enhancement candidate?** = none).
+- **`event.action` not indexed in dashboards** — fallback uses vendor fields; omit action `EVAL` if customer export already populates `event.action` differently.
+- **`conn` / `tls` / `x509` / `files` action** — no single dashboard verb; `network.protocol` or file hash fields omitted from action block to avoid coarse false positives.
+- **Field presence unverified** — Tier B dashboard references only; downgrade or omit mappings if indexed layout differs from customer export.
diff --git a/dev/domain/p1/cyera.md b/dev/domain/p1/cyera.md
new file mode 100644
index 00000000000..049ad31db5a
--- /dev/null
+++ b/dev/domain/p1/cyera.md
@@ -0,0 +1,496 @@
+# cyera
+
+## Product Domain
+
+Cyera is a cloud data security platform focused on Data Security Posture Management (DSPM). It discovers, classifies, monitors, and protects sensitive data across multi-cloud and SaaS environments—including AWS, Azure, GCP, Microsoft 365, Snowflake, and other data stores. Rather than treating data risk as a separate silo from cloud security, Cyera maps where sensitive data resides, how it is classified, who owns it, and what policy violations or exposure conditions put that data at risk.
+
+Core capabilities span several domains. **Data discovery and inventory** continuously finds structured and unstructured datastores (databases, object storage, SaaS drives, data warehouses) and tracks metadata such as provider, region, encryption, public accessibility, logging, and ownership. **Data classification** applies sensitivity labels and data-class taxonomy (e.g., financial, PII, PCI) with context on identifiability, tokenization, geo-location, and compliance frameworks. **Risk and issue management** surfaces prioritized findings when sensitive data is exposed, misconfigured, or stored in violation of policy—linking severity, risk status, affected records, remediation guidance, and compliance frameworks (PCI DSS, SOC 2, ISO 27001). **Activity and remediation events** record platform actions such as issue lifecycle changes, M365 sensitivity-label remediation, scan state updates, and report generation.
+
+From a security operations perspective, Cyera is a primary source of data-centric risk intelligence. Teams use it to understand data sprawl, prioritize remediation by sensitivity and record count at risk, correlate datastore posture with active issues, and track remediation workflows tied to ITSM tickets. The Elastic Cyera integration ingests these signals into Elastic Security for unified search, dashboards, and data-security posture workflows.
+
+## Data Collected (brief)
+
+The integration collects four data streams from Cyera via **CEL API** (OAuth Client ID/Client Secret):
+
+| Data stream | Description |
+|---|---|
+| **classification** (`cyera.classification`) | Data-class taxonomy—classification name, category, sensitivity level, group/level, identifiability, tokenization, geo context, compliance frameworks, and collections |
+| **datastore** (`cyera.datastore`) | Discovered data repositories—type, provider, cloud account, region, sensitivity, record counts by sensitivity, encryption/logging/public-access state, owners, scanning state, and open issue counts |
+| **issue** (`cyera.issue`) | Active data-security risks—severity, status, risk status, affected records/objects at risk, linked datastore and data classes, remediation advice, compliance frameworks, and ITSM ticket links |
+| **event** (`cyera.event`) | Platform activity events—issue lifecycle, M365 sensitivity-label remediation, classification changes, scan/report actions, affected data classes, and policy/project context |
+
+Events are normalized to ECS where applicable (cloud, user, service fields) with vendor details under `cyera..*`. Elasticsearch latest transforms deduplicate classification, datastore, and issue records for current-state views in Kibana dashboards.
+
+## Expected Audit Log Entities
+
+Only **`event`** (`cyera.event`) is a true platform activity log: Cyera issue lifecycle, policy administration, scan/report actions, and M365 sensitivity-label remediation with optional user attribution. **`classification`**, **`datastore`**, and **`issue`** are inventory and risk-state snapshots (audit-adjacent for entity analytics, not per-action audit). No stream populates ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*`; no `destination.user.*` / `destination.host.*` in pipelines (`destination_identity_hits.csv` has no cyera row).
The target-fields audit classifies cyera as **`moderate_candidate`** with `fixture_strong=true` and no ECS target tier-A mapping (`dev/target-fields-audit/out/target_enhancement_packages.csv`). + +**`event.action` is absent in all streams** — no fixture or pipeline sets it. On **`event`**, the vendor operation name is preserved as `cyera.event.type` (`json.type` rename, `event/default.yml` L566–570); inventory streams have no meaningful per-event action. + +Evidence: `packages/cyera/data_stream/*/sample_event.json`, `*/_dev/test/pipeline/*-expected.json`, `*/elasticsearch/ingest_pipeline/default.yml`, `*/fields/fields.yml`. + +### Event action (semantic) + +| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | +| `scanEvent` | data_access | high | `test-event.log-expected.json` L184; `test-event.log` L1 | **`event`** — datastore scan / classification activity with affected record counts | +| `IssueStatusChangedToClosedEvent` | configuration_change | high | `test-event.log-expected.json` L273; `issue.resolution.value: BySystem` | **`event`** — issue lifecycle closure (system-driven in fixture) | +| `M365SensitivityLabelRemediationFinishedEvent` | configuration_change | high | `sample_event.json` L47; `test-event.log-expected.json` L328 | **`event`** — M365 label remediation completion | +| `DisablePolicyEvent` | configuration_change | high | `test-event.log-expected.json` L356; `user: joey.example@google.io` | **`event`** — policy disabled by portal user | +| `CreateSensitivityLabelPolicyEvent` | configuration_change | high | `test-event.log-expected.json` L386 | **`event`** — policy creation (no user in fixture) | +| *(no per-event action)* | — | high | `event.kind: event` on classification/datastore; static inventory fields only | **`classification`**, **`datastore`** — CEL API inventory sync, not discrete platform mutations | +| *(no per-event action)* | — | high | `event.kind: alert`; 
risk-state fields (`severity`, `risk_status`) | **`issue`** — open finding snapshot, not an activity log entry | + +### Event action (ECS candidates) + +| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence | +| --- | --- | --- | --- | --- | --- | +| `cyera.event.type` | no | n/a | `scanEvent`, `IssueStatusChangedToClosedEvent`, `M365SensitivityLabelRemediationFinishedEvent`, `DisablePolicyEvent`, `CreateSensitivityLabelPolicyEvent` | **yes** | `json.type` → `cyera.event.type` (`event/default.yml` L566–570); primary vendor operation name | +| `event.action` | no | n/a | — | **yes** | Absent from all `sample_event.json`, `*-expected.json`; no pipeline `set`/`rename` to `event.action` | +| `cyera.event.issue.resolution.value` | no | n/a | `BySystem`, `Mitigated`, `In Progress` | no | Resolution detail on lifecycle events — subordinate to `cyera.event.type`, not a standalone action | +| `cyera.event.issue.risk_status` | no | n/a | `Mitigated`, `RemediationInProgress`, `Unmitigated` | no | Post-action state on issue events — outcome/status, not the verb | +| `event.kind` | yes (static) | partial | `alert` (event, issue), `event` (classification, datastore) | no | Kind distinguishes alert vs inventory record, not the operation performed | +| `event.severity` | yes (`issue` only) | n/a | numeric severity on issue snapshots | no | Risk priority on finding state — not an audit action | + +Per-stream `event.action` check: + +| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? 
| Primary action candidate | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| **event** | no | no | `cyera.event.type` | high | Five distinct types in `test-event.log-expected.json`; pipeline rename only | +| **classification** | no | no | *(none — inventory sync)* | high | Taxonomy record poll; no vendor `type` field | +| **datastore** | no | no | *(none — inventory sync)* | high | Datastore discovery poll; no vendor action field | +| **issue** | no | no | *(none — state snapshot)* | high | Risk finding record; no platform mutation verb | + +### Actor (semantic) + +| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | +| Cyera portal operator / analyst | user | — | high | `json.user` → `user.name` + `related.user` (`event/default.yml`); `test-event.log-expected.json`: `jdoe@stark-industries.com` (`scanEvent`), `joey.example@google.io` (`DisablePolicyEvent`) | **`event`** — canonical human actor when `user` present | +| Cyera platform automation | service | — | high | No ECS `user.*` when `user` omitted; `issue.resolution.value: BySystem` (`IssueStatusChangedToClosedEvent`); `M365SensitivityLabelRemediationFinishedEvent`, `CreateSensitivityLabelPolicyEvent` fixtures | **`event`** — system-driven lifecycle, remediation, policy creation | +| Datastore owner (inventory metadata) | user | — | high | `owner` / `datastoreOwners[].email` → `user.email`, dissect → `user.name`/`user.domain`, `user.id` from `userId` (`datastore/default.yml`); `test-datastore.log-expected.json`: `some@admin.com` | **`datastore`** — ownership contact, not actor of a platform action | +| Issue / datastore owner (risk metadata) | user | — | high | `owner` → `user.email`/`user.name`; `datastoreOwners[].email` + `owner_type` → `user.roles`, `related.user` (`issue/default.yml`); `test-issue.log-expected.json`: owner `muskan`, roles `application-owner` | **`issue`** — accountability contact, not audit 
actor | +| Cyera classification poller | service | — | high | Static `observer.vendor`/`observer.product: Cyera` (`classification/default.yml`) | **`classification`** — API inventory sync; no human principal | + +**No audit actor identity:** **`classification`**, **`datastore`**, **`issue`** — no acting user or service principal tied to a discrete platform mutation in those streams. + +### Actor (ECS candidates) + +| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `user.name` | Event portal user | yes (`event`) | partial | high | `json.user` copy; full email stored as `user.name` — no dissect to `user.email`/`user.domain` on event stream | +| `related.user` | Event actor enrichment | yes (`event`) | partial | high | Appends `cyera.event.user`; mixes actor email with no actor/target distinction | +| `cyera.event.user` | Vendor event actor | yes (removed unless `preserve_duplicate_custom_fields`) | n/a | high | Canonical vendor actor; stripped by default `remove_custom_duplicate_fields` step | +| `user.email` / `user.name` / `user.domain` | Datastore owner | yes (`datastore`) | no (not actor) | high | `json.owner` dissect; ownership metadata, not audit actor | +| `user.id` | Platform user id on datastore | yes (`datastore`) | no (not actor) | high | `json.userId` → `cyera.datastore.user.id` → `user.id`; fixture UUID | +| `user.email` / `user.name` / `user.roles` | Issue owner + datastore owners | yes (`issue`) | no (not actor) | high | `owner` dissect; `datastoreOwners[].owner_type` → `user.roles`; `related.user` holds owner UIDs and emails | +| `user.roles` | Classification data-subject role context | yes (`classification`) | no (not actor) | medium | `json.context.role` → `cyera.classification.context.role` → `user.roles`; taxonomy metadata | +| `observer.vendor` / `observer.product` | Cyera scanner identity | yes (`classification`) | yes (context) | high | Static `Cyera` | +| 
`cloud.account.id` / `cloud.account.name` | Cloud tenancy scope | yes (event, datastore, issue) | yes (scope) | high | Account fields — scope context, not actors | +| `service.name` | Datastore display name | yes (`datastore`) | no | medium | `json.name` → `service.name` — inventory label, not invoking service | + +No `source.ip`, `client.user.*`, or `user.id` on the **event** stream. + +### Target (semantic) + +| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | --- | --- | +| 1 — Platform / cloud service | Invoked cloud datastore or SaaS platform | Azure SQL, OneDrive, aws-rds-instance | service | — | high | `datastore.infrastructure` / `issue.infrastructure` → `cloud.service.name`; fixtures: `Azure SQL`, `OneDrive`, `aws-rds-instance` | **`event`**, **`datastore`**, **`issue`** | +| 2 — Resource / object | Datastore, issue, policy, classification, cloud account, project | stark-db-prod, mock-issue-uid-001, sensitivity policy | general | datastore, issue, policy, data_class, cloud_account, project | high | `cyera.event.datastore.*`, `cyera.event.issue.*`, `cyera.event.policy.*`, `cyera.issue.*`, `cyera.datastore.*` | Type varies by `cyera.event.type` and stream | +| 3 — Content / artifact | Report delivery, ITSM ticket, M365 label run, affected record counts | Daily Sensitive Data Report, AZ-INC-45321, label assignment counts | general | report, itsm_ticket, m365_remediation, data_class_records | high | `cyera.event.report.*`, `recipients[]`, `vendor.ticket_id`, `affected.data_class_appearances[]`, M365 assignment counters | **`event`** scan/remediation events | + +### Target (ECS candidates) + +| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `cloud.service.name` | 1 | service | yes (event, datastore, issue) | yes | `service.target.name` | yes | `infrastructure` copy; `Azure SQL`, `OneDrive`, `aws-rds-instance` in fixtures | +| `cloud.provider` | 1 | service | yes | yes (scope) | context-only | no | `cloudProvider` / `provider` lowercase copy | +| `cloud.account.id` / `cloud.account.name` | 2 | general | yes | yes (scope) | context-only | no | Event account + datastore/issue `inPlatformIdentifier` | +| `cloud.region` | 2 | general | yes (datastore, issue) | yes (scope) | context-only | no | `regions[]` append | +| `cyera.event.datastore.*` | 2 | general | yes (vendor) | n/a | `entity.target.*` | yes | `name`/`uid`/`vpc_id`/`arn` context; `stark-db-prod` / `ds-12345` in scanEvent fixture | +| `cyera.event.issue.*` / `issue_uid` / `issues[]` | 2 | general | yes (vendor) | n/a | `entity.target.*` | yes | Issue lifecycle targets; `mock-issue-uid-001`, `mock-issue-uid-002` | +| `cyera.event.policy.*` | 2 | general | yes (vendor) | n/a | `entity.target.*` | yes | `DisablePolicyEvent`, embedded issue/scan policy context | +| `cyera.event.affected.data_class_appearances[]` | 2–3 | general | yes (vendor) | n/a | `entity.target.*` | yes | Classification UIDs + record counts at risk | +| `cyera.event.target_classifications[]` / `target_sensitivity.*` | 2 | general | yes (vendor) | n/a | `entity.target.*` | yes | Vendor "target" naming — destination sensitivity taxonomy, not ECS target fields | +| `cyera.event.project.*` | 2 | general | yes (vendor) | n/a | context-only | no | `Finance Data Governance` / `proj-1122` | +| `related.hosts` | 2 | host | yes (`event`) | partial | `host.target.name` | yes | `domain_name` append only — M365 tenant domain (`stark-industries.com`), not FQDN host | +| `cyera.event.report.*` / `recipients[]` | 3 | general | yes (vendor) | n/a | context-only | no | Scheduled report artifact + delivery recipients | +| 
`cyera.event.vendor.ticket_id` / `vendor.link` | 3 | general | yes (vendor) | n/a | context-only | no | ITSM correlation (`AZ-INC-45321`) | +| `cyera.datastore.*` (`uid`, `arn`, `name`, `type`) | 2 | general | yes (vendor) | n/a | `entity.target.*` | yes | Inventory subject; `event.kind: event` | +| `cyera.issue.*` (`uid`, `datastore_uid`, `datastore_name`) | 2 | general | yes (vendor) | n/a | `entity.target.*` | yes | Risk finding + linked datastore | +| `cyera.classification.*` | 2 | general | yes (vendor) | n/a | `entity.target.*` | yes | Data-class taxonomy record | +| `service.name` | 2 | general | yes (`datastore`) | **no** | context-only | no | Copies datastore `name` — semantically inventory object, not cloud service | +| `user.email` / `user.name` (datastore/issue owners) | 2 | user | yes | **no** | `user.target.*` | yes | Owner emails on inventory/issue records — accountability targets, not actors | + +### Gaps and mapping notes + +- **`event.action` not mapped** — `cyera.event.type` holds the canonical vendor operation (`scanEvent`, `IssueStatusChangedToClosedEvent`, etc.) but is never copied to `event.action`. Recommended enhancement: `set event.action` from `cyera.event.type` on the **event** stream (preserve vendor PascalCase or lowercase per ECS convention). +- **No ECS `*.target.*` today** — richest target identity lives under `cyera.*` vendor fields (`datastore`, `issue`, `policy`, `target_classifications`) or generic `cloud.service.name`. Enhancement: promote typed targets to `entity.target.*`, `service.target.name`, or `user.target.*` by object type. +- **Event `user.name` stores full email without dissect** — unlike **datastore**/**issue** pipelines, event stream does not split `user.email`/`user.domain`; `user.name: jdoe@stark-industries.com` is partial ECS mapping. +- **`cyera.event.user` removed by default** — duplicate-removal step strips vendor actor unless `preserve_duplicate_custom_fields` tag present; ECS `user.name` remains. 
+- **`service.name` on datastore conflates inventory name with service** — `json.name` (datastore label) copied to `service.name`; should not be read as Layer 1 cloud service (use `cloud.service.name` from `infrastructure`). +- **`user.*` on datastore/issue is ownership, not audit actor/target mapping** — owner emails and Cyera user IDs populate `user.*`/`related.user` on state snapshots; semantically Layer 2 accountability targets (`user.target.*`), not actors. +- **`target_classifications` vendor naming** — flagged in `vendor_target_special_cases.csv`; Cyera destination sensitivity labels, not ECS target entity fields. +- **No `destination.user.*` / `destination.host.*`** — cyera absent from `destination_identity_hits.csv`. +- **`event.kind` always `alert`** on event stream — human and system-origin platform events share `alert`, not `event`. +- **Target-fields audit alignment** — `moderate_candidate`: strong fixtures (`fixture_strong=true`) but no tier-A ECS target fields and heuristic `pipeline_actor=false` despite event `user.name` mapping. + +### Per-stream notes + +#### `event` + +True platform activity log. **Action:** `cyera.event.type` names the operation (`scanEvent`, `IssueStatusChangedToClosedEvent`, `M365SensitivityLabelRemediationFinishedEvent`, `DisablePolicyEvent`, `CreateSensitivityLabelPolicyEvent`); `event.action` is empty — primary enhancement candidate. Actor: portal **user** when `json.user` present; **service** (Cyera automation) when absent (`BySystem` resolution, M365 remediation, policy creation without user). Target Layer 1: `cloud.service.name` from embedded datastore infrastructure. Layer 2: typed by `cyera.event.type` — datastore (`scanEvent`), issue (`IssueStatusChangedToClosedEvent`, remediation), policy (`DisablePolicyEvent`, `CreateSensitivityLabelPolicyEvent`), data classes (`affected.data_class_appearances`, `target_classifications`). 
Layer 3: report delivery (`report.*`, `recipients[]`), ITSM ticket (`vendor.*`), M365 label assignment counters. + +#### `classification` + +Data-class taxonomy inventory (`event.kind: event`). No audit actor; no per-event action (inventory sync). Layer 2 target: the classification record (`cyera.classification.*`). `observer.vendor: Cyera` identifies the polling integration only. + +#### `datastore` + +Discovered datastore inventory (`event.kind: event`). No audit actor; no per-event action (discovery poll). Layer 1: `cloud.service.name` from `infrastructure`. Layer 2: repository identity (`uid`, `arn`, `azure_id`, `type`, encryption/logging posture). Owner emails in `user.*` are accountability metadata. + +#### `issue` + +Open data-security risk state (`event.kind: alert`). No audit actor; no per-event action (finding snapshot, not platform mutation). Layer 1: `cloud.service.name` (e.g. `OneDrive`). Layer 2: issue finding (`cyera.issue.uid`, severity, risk status) plus linked datastore (`datastore_uid`, `datastore_name`). Owner and `datastore_owners[]` in `user.*`/`related.user` are remediation contacts. + +## Example Event Graph + +Examples below come from the **`event`** stream (`cyera.event`) — the only true platform activity log. The **classification**, **datastore**, and **issue** streams are inventory and risk-state snapshots (CEL API polls); they have no per-event Actor → action → Target chain. `event.action` is absent in all fixtures; actions are derived from `cyera.event.type`. 
+
+### Example 1: Datastore scan with sensitive data findings
+
+**Stream:** `cyera.event` · **Fixture:** `packages/cyera/data_stream/event/_dev/test/pipeline/test-event.log-expected.json`
+
+```
+Portal analyst (jdoe@stark-industries.com) → scanEvent → cloud datastore stark-db-prod (Azure SQL)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| name | jdoe@stark-industries.com |
+| type | user |
+
+**Field sources:**
+- `name ← user.name` (from `json.user`)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | scanEvent |
+| source_field | `cyera.event.type` |
+| source_value | `scanEvent` |
+
+**Not mapped to ECS today** — pipeline renames `json.type` to `cyera.event.type` only; `event.action` is empty in fixture.
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | ds-12345 |
+| name | stark-db-prod |
+| type | general |
+| sub_type | cloud_datastore |
+
+**Field sources:**
+- `id` ← `cyera.event.datastore.uid`
+- `name` ← `cyera.event.datastore.name`
+- Platform backing the datastore: `cloud.service.name` = `Azure SQL` (from `cyera.event.datastore.infrastructure`) — Layer 1 scope, not the primary acted-upon object
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: jdoe@stark-industries.com"] --> E["scanEvent"]
+ E --> T["Target: stark-db-prod"]
+```
+
+### Example 2: Portal user disables sensitivity-label policy
+
+**Stream:** `cyera.event` · **Fixture:** `packages/cyera/data_stream/event/_dev/test/pipeline/test-event.log-expected.json`
+
+```
+Portal operator (joey.example@google.io) → DisablePolicyEvent → sensitivity-label policy
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| name | joey.example@google.io |
+| type | user |
+
+**Field sources:**
+- `name ← user.name` (from `json.user`)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | DisablePolicyEvent |
+| source_field | `cyera.event.type` |
+| source_value | `DisablePolicyEvent` |
+
+**Not mapped to ECS today.**
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 019862ad-xxxx-75f4-9ccd-de236d0d4d80 |
+| name | Files missing [*sensitivity_label*] sensitivity label |
+| type | general |
+| sub_type | policy |
+
+**Field sources:**
+- `id ← cyera.event.policy.uid`
+- `name ← cyera.event.policy.name`
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: joey.example@google.io"] --> E["DisablePolicyEvent"]
+ E --> T["Target: Files missing [*sensitivity_label*] sensitivity label"]
+```
+
+### Example 3: Platform automation closes data-security issue
+
+**Stream:** `cyera.event` · **Fixture:** `packages/cyera/data_stream/event/_dev/test/pipeline/test-event.log-expected.json`
+
+```
+Cyera platform automation → IssueStatusChangedToClosedEvent → data-security issue (mock-issue-uid-001)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| type | service |
+
+**Field sources:**
+- No `user.*` in fixture; `cyera.event.issue.resolution.value: BySystem` indicates system-driven closure — Cyera platform automation, not a portal user.
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | IssueStatusChangedToClosedEvent |
+| source_field | `cyera.event.type` |
+| source_value | `IssueStatusChangedToClosedEvent` |
+
+**Not mapped to ECS today.**
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | mock-issue-uid-001 |
+| name | Mock Policy - Missing Label |
+| type | general |
+| sub_type | issue |
+
+**Field sources:**
+- `id ← cyera.event.issue.uid`
+- `name ← cyera.event.policy.name` (linked policy context on the closed issue)
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: Cyera automation"] --> E["IssueStatusChangedToClosedEvent"]
+ E --> T["Target: mock-issue-uid-001"]
+```
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (`policy_templates`, four `data_stream/` dirs with Tier A fixtures). Router: **`data_stream.dataset`**. Only **`cyera.event`** carries a per-action Actor → operation → Target chain; **`cyera.classification`**, **`cyera.datastore`**, and **`cyera.issue`** are inventory/risk snapshots (excluded). Pass 4 is **fill-gaps-only**: detection flags first; mapped columns use preserve-first `CASE` with valid arity — **5-arg** `CASE(exists_flag, col, , fallback, null)` or **3-arg** `CASE(exists_flag, col, fallback)` when the fragment is already scoped to `cyera.event`; never **4-arg** `CASE(flag, col, vendor_field, null)` (the vendor field parses as a condition). Fallback sources must differ from the output column (Pass 4 §10). Secondary routing on **`cyera.event.type`** selects vendor target paths (`cyera.event.datastore.*`, `cyera.event.policy.*`, `cyera.event.issue.*`). Portal **user** when ingest sets `user.name` (`json.user`); **service** actor literal `"Cyera"` when `user.name` is null (Pass 3 system-driven events). Do not map inventory-stream `user.*` as audit actors. **Pass 4 (tautology cleanup):** `user.name` omitted from actor `EVAL` — ingest-only, no alternate query-time source; no `CASE(col, col, …)` identity branches.
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `cyera.event` | platform activity | user, service | general, service | partial |
+| `cyera.classification` | taxonomy inventory | — | — | none |
+| `cyera.datastore` | datastore inventory | — | — | none |
+| `cyera.issue` | risk finding snapshot | — | — | none |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.name` | `json.user` → `user.name` (`event/default.yml`) | `data_stream.dataset == "cyera.event"` | high | **ingest-only — no ES\|QL** — portal email in `user.name`; no alternate indexed source; **omit** — `CASE(actor_exists, user.name, user.name, null)` is identity no-op |
+| `service.name` | `"Cyera"` | `data_stream.dataset == "cyera.event" AND user.name IS NULL` | medium | **semantic literal**; fallback when no portal user (`BySystem`, M365 remediation, policy create) |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `entity.target.id` | `cyera.event.datastore.uid` | `data_stream.dataset == "cyera.event" AND cyera.event.type == "scanEvent"` | high | **vendor fallback** |
+| `entity.target.name` | `cyera.event.datastore.name` | `data_stream.dataset == "cyera.event" AND cyera.event.type == "scanEvent"` | high | **vendor fallback** |
+| `entity.target.id` | `cyera.event.policy.uid` | `data_stream.dataset == "cyera.event" AND cyera.event.type == "DisablePolicyEvent"` | high | **vendor fallback** |
+| `entity.target.name` | `cyera.event.policy.name` | `data_stream.dataset == "cyera.event" AND cyera.event.type == "DisablePolicyEvent"` | high | **vendor fallback** |
+| `entity.target.id` | `cyera.event.issue.uid` | `data_stream.dataset == "cyera.event" AND cyera.event.type IN ("IssueStatusChangedToClosedEvent", "M365SensitivityLabelRemediationFinishedEvent")` | high | **vendor fallback** |
+| `entity.target.name` | `cyera.event.policy.name` | `data_stream.dataset == "cyera.event" AND cyera.event.type IN ("IssueStatusChangedToClosedEvent", "M365SensitivityLabelRemediationFinishedEvent")` | high | **vendor fallback** — linked policy name on issue events |
+| `service.target.name` | `cloud.service.name` | `data_stream.dataset == "cyera.event" AND cyera.event.type == "scanEvent"` | high | **vendor fallback** — promote Layer 1 `cloud.service.name` → `service.target.name` when `NOT target_exists` (e.g. `Azure SQL`) |
+
+#### Event action
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `event.action` | `cyera.event.type` | `data_stream.dataset == "cyera.event" AND cyera.event.type IS NOT NULL` | high | **vendor fallback** — ingest renames `json.type` only; `event.action` absent in all fixtures |
+
+`actor_exists` omits `user.id` — event stream has no indexed `user.id` (Pass 2).
+
+### Detection flags (mandatory — run first)
+
+```esql
+| EVAL
+ actor_exists = user.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+### Optional classification helpers (when needed)
+
+Set in **fallback** only when `NOT target_exists`:
+
+```esql
+| EVAL
+ entity.target.type = CASE(
+ entity.target.type IS NOT NULL, entity.target.type,
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "scanEvent", "general",
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "DisablePolicyEvent", "general",
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "IssueStatusChangedToClosedEvent", "general",
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "M365SensitivityLabelRemediationFinishedEvent", "general",
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "scanEvent", "cloud_datastore",
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "DisablePolicyEvent", "policy",
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "IssueStatusChangedToClosedEvent", "issue",
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "M365SensitivityLabelRemediationFinishedEvent", "m365_remediation",
+ null
+ )
+```
+
+### Combined ES|QL — actor fields
+
+`user.name` is **ingest-only** (`json.user` copy) — omitted per Pass 4 §10 (no alternate query-time source).
+
+```esql
+| EVAL
+ service.name = CASE(
+ service.name IS NOT NULL, service.name,
+ data_stream.dataset == "cyera.event" AND user.name IS NULL, "Cyera",
+ null
+ )
+```
+
+**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. Wrong: `CASE(event.action IS NOT NULL, event.action, cyera.event.type, null)` (4 args — `cyera.event.type` is a **condition**). Right: **3-arg** `CASE(event.action IS NOT NULL, event.action, cyera.event.type)` or **5-arg** with a boolean guard before the vendor field. Mapped columns use ` IS NOT NULL` preserve — not `CASE(actor_exists|target_exists|action_exists, , …)`.
+
+### Combined ES|QL — event action
+
+```esql
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "cyera.event" AND cyera.event.type IS NOT NULL, cyera.event.type,
+ null
+ )
+```
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "scanEvent", cyera.event.datastore.uid,
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "DisablePolicyEvent", cyera.event.policy.uid,
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "IssueStatusChangedToClosedEvent", cyera.event.issue.uid,
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "M365SensitivityLabelRemediationFinishedEvent", cyera.event.issue.uid,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "scanEvent", cyera.event.datastore.name,
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "DisablePolicyEvent", cyera.event.policy.name,
+ data_stream.dataset == "cyera.event" AND cyera.event.type IN ("IssueStatusChangedToClosedEvent", "M365SensitivityLabelRemediationFinishedEvent"), cyera.event.policy.name,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "scanEvent", cloud.service.name,
+ null
+ )
+```
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = user.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ service.name = CASE(
+ service.name IS NOT NULL, service.name,
+ data_stream.dataset == "cyera.event" AND user.name IS NULL, "Cyera",
+ null
+ ),
+ event.action = CASE(event.action IS NOT NULL, event.action, data_stream.dataset == "cyera.event", cyera.event.type, null)
+| EVAL
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "scanEvent", cyera.event.datastore.uid,
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "DisablePolicyEvent", cyera.event.policy.uid,
+ data_stream.dataset == "cyera.event" AND cyera.event.type IN ("IssueStatusChangedToClosedEvent", "M365SensitivityLabelRemediationFinishedEvent"), cyera.event.issue.uid,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "scanEvent", cyera.event.datastore.name,
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "DisablePolicyEvent", cyera.event.policy.name,
+ data_stream.dataset == "cyera.event" AND cyera.event.type IN ("IssueStatusChangedToClosedEvent", "M365SensitivityLabelRemediationFinishedEvent"), cyera.event.policy.name,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "cyera.event" AND cyera.event.type == "scanEvent", cloud.service.name,
+ null
+ )
+| KEEP @timestamp, data_stream.dataset, event.action, cyera.event.type, user.name, service.name, entity.target.id, entity.target.name, service.target.name
+```
+
+### Streams excluded
+
+- **`cyera.classification`** — data-class taxonomy inventory poll; no acting user or per-event target.
+- **`cyera.datastore`** — discovered datastore inventory; `user.*` is owner metadata, not audit actor/target.
+- **`cyera.issue`** — open risk finding snapshot; owners are remediation contacts, not platform actors.
+
+### Gaps and limitations
+
+- **`CreateSensitivityLabelPolicyEvent`** — fixture has no `cyera.event.policy.*`; omit `entity.target.id`/`name` until Tier A evidence exists.
+- **`user.email` / `user.domain`** — event stream stores full email in `user.name` without dissect (unlike datastore/issue pipelines).
+- **`cyera.event.target_classifications[]`** — vendor destination sensitivity labels, not ECS targets; do not map to `entity.target.*`.
+- **`user.*` on datastore/issue** — ownership metadata; excluded per Pass 2 **Mapping correct?** = no for actor role.
+- **`service.name` on datastore stream** — inventory label (`json.name`); excluded; use `cloud.service.name` for Layer 1 only.
+- **Ingest enhancement** — Pass 2 recommends `set event.action` from `cyera.event.type`; ES|QL above is query-time until ingest changes.
+- **Pass 2 alignment** — no indexed `*.target.*` today; all target columns are vendor fallbacks when `NOT target_exists`.
+- **Pass 4 tautology cleanup (§10)** — `user.name` omitted from actor `EVAL` (ingest-only); no `CASE(actor_exists, user.name, …, user.name, null)` or dataset-routed `user.name` fallback; `event.action` and `entity.target.*` / `service.target.name` use distinct fallback sources (`cyera.event.type`, vendor `cyera.event.*`, `cloud.service.name`).
+- **Pass 4 CASE syntax** — `event.action` and all mapped target columns use column-level `IS NOT NULL` preserve; **3-arg** / **5-arg** / **7-arg** only (no flag-first `CASE` on mapped outputs, no **4-arg** bare-field-before-`null`). Full pipeline fragment aligned with combined `EVAL` blocks.
diff --git a/dev/domain/p1/darktrace.md b/dev/domain/p1/darktrace.md
new file mode 100644
index 00000000000..5c3effcd746
--- /dev/null
+++ b/dev/domain/p1/darktrace.md
@@ -0,0 +1,496 @@
+# darktrace
+
+## Product Domain
+
+Darktrace is an AI-powered network cyber defense platform that detects and investigates emerging threats that evade signature-based security tools. Powered by Enterprise Immune System technology, it uses unsupervised machine learning and mathematical models to establish a baseline of normal behavior for every user, device, and network connection, then flags deviations in real time. Deployed passively via physical or virtual sensors (vSensors) and network taps, Darktrace performs deep packet inspection and protocol analysis across east-west and north-south traffic without relying on predefined rules or threat intelligence feeds.
+
+At the core of Darktrace's detection model are **models**—configurable logic that defines conditions for alerting on pattern-of-life anomalies, potentially malicious behavior, and compliance violations. When a model's thresholds are met, a **model breach** is generated with contextual device, connection, and filter details. **AI Analyst** layers automated investigation on top of model breaches: it reviews detections, correlates related activity into incidents, assigns attack-phase context, and produces human-readable summaries and titles for analyst triage. Optional **Antigena** response actions can autonomously contain threats at the network level.
+
+Darktrace is categorized as network security monitoring with NIDS-like capabilities, but its detection philosophy differs from signature-driven IDS platforms such as Suricata or Snort. Rather than matching known attack patterns, it learns what is normal for each environment and surfaces subtle indicators of compromise—beaconing, lateral movement, data exfiltration, insider misuse, and zero-day activity—that traditional perimeter defenses miss. The Threat Visualizer console provides visualization, investigation workflows, and syslog/API export for downstream SIEM integration.
+
+## Data Collected (brief)
+
+The integration collects Darktrace alert logs via Elastic Agent over **HTTP JSON API**, **TCP syslog**, or **UDP syslog** into three data streams:
+
+| Data stream | Description |
+|---|---|
+| **ai_analyst_alert** | AI Analyst incident events—investigations of suspicious activity with titles, summaries, AIA scores, attack phases, breach devices, related model breaches, activity periods, and structured detail sections (e.g., connection counts, targeted IPs, ports) |
+| **model_breach_alert** | Model breach alerts when behavioral models fire—breaching device identity (IP, hostname, MAC, subnet, type), model metadata (name, category, tags, MITRE mappings), breach score, and triggered components with filter logic (beaconing, rare domains/IPs, JA3, ASN, ports, protocols) |
+| **system_status_alert** | Platform health and operational alerts—probe/sensor status, traffic monitoring changes, and errors from Darktrace Security Modules (hostname, priority, status, resolution state); syslog only (not available via REST API) |
+
+Events are parsed into ECS fields (`event`, `host`, `rule`, `threat`, `message`, `related`) with Darktrace-specific fields under `darktrace.*`. AI Analyst and model breach alerts map to threat/network categories with risk scores; system status alerts cover infrastructure health rather than threat detections.
+
+## Expected Audit Log Entities
+
+Darktrace exports are **network behavioral detections**, not identity-centric audit logs. The three data streams are **audit-adjacent** at best: `ai_analyst_alert` and `model_breach_alert` describe ML-driven threat findings (breaching device + connection context); `system_status_alert` is operational platform health (probe/sensor status). There is no IAM-style caller principal, no `source.*` / `destination.*` ECS mapping, and no populated ECS `*.target.*` fields (`target_fields_audit.csv` has no darktrace row). Endpoints land on `host.*` and `related.*`, with rich connection and filter context retained under `darktrace.*`.
+
+**Event action:** `event.action` is populated **only** on `model_breach_alert` when Antigena response metadata is present (`automatic` in `test-model-breach-alert.log-expected.json`; absent in `sample_event.json` where `antigena: {}`). `ai_analyst_alert` and `system_status_alert` have no `event.action` in fixtures or pipelines — vendor fields `summariser`, `title`, `model.name`, and `alert_name` are the primary action candidates. `event.type` (`indicator`, `connection`, `info`) and `event.category` (`threat`, `network`) describe event class, not the operation verb.
+
+### Event action (semantic)
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| Model breach fired | detection | high | `rule.name` ← `model.name`: `Compromise::Beaconing Activity To External Rare` (`model_breach_alert/sample_event.json`; `default.yml` L908–913) | Default per-event action when no Antigena response; maps to `rule.name`, not `event.action` |
+| Antigena automatic containment | configuration_change | high | `event.action`: `automatic` ← `model.actions.antigena.action` (`test-model-breach-alert.log-expected.json`; `default.yml` L535–542) | `model_breach_alert` only; overlays breach detection when Antigena block is configured |
+| AI Analyst investigation opened | detection | high | `event.reason` ← `title`: `Extensive Unusual SSH Connections`; `summariser`: `AdminConnSummary` (`ai_analyst_alert/sample_event.json`; `default.yml` L768–786) | Investigation narrative action; title mapped to `event.reason`, not `event.action` |
+| Platform module health degradation | configuration_change | moderate | `alert_name`: `Advanced Search`; `name`: `advanced_search` (`system_status_alert/sample_event.json`; `default.yml` L160–190) | Operational alert type, not threat detection |
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `event.action` | yes (conditional) | partial | `automatic` | no | `copy_from: darktrace.model_breach_alert.model.actions.antigena.action` (`model_breach_alert/default.yml` L539–542); only when Antigena action present |
+| `darktrace.model_breach_alert.model.actions.antigena.action` | yes (via `event.action`) | partial | `automatic` | no | Vendor source for Antigena response verb; empty `{}` in most beaconing breaches (`sample_event.json`) |
+| `rule.name` / `darktrace.model_breach_alert.model.name` | no | n/a | `Compromise::Beaconing Activity To External Rare` | yes | Primary breach-detection action candidate when Antigena absent; already on `rule.name` (`default.yml` L908–913) |
+| `darktrace.ai_analyst_alert.summariser` | no | n/a | `AdminConnSummary` | yes | Investigation template / summariser type (`ai_analyst_alert/default.yml` L768–769; `sample_event.json`) |
+| `darktrace.ai_analyst_alert.title` / `event.reason` | no (maps to `event.reason`) | partial | `Extensive Unusual SSH Connections` | yes | Human-readable incident action; `title` → `event.reason` not `event.action` (`default.yml` L780–786) |
+| `darktrace.system_status_alert.alert_name` / `name` | no | n/a | `Advanced Search` / `advanced_search` | yes | Platform health alert identifier (`system_status_alert/default.yml` L160–190; `sample_event.json`) |
+| `event.type` | no | n/a | `indicator`, `connection`, `info` | no | Event class (`threat`/`network`/`info`), not operation verb — do not substitute for `event.action` |
+| `event.category` | no | n/a | `threat`, `network` | no | Static or script-derived category (`ai_analyst_alert/default.yml` L38–39; `model_breach_alert/default.yml` L38–57) |
+
+**Per-stream action check:**
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `ai_analyst_alert` | no | no | `darktrace.ai_analyst_alert.summariser` (`AdminConnSummary`); alternate `darktrace.ai_analyst_alert.title` | high | `test-ai-analyst-alert.log-expected.json`; `default.yml` L768–786 |
+| `model_breach_alert` | yes (Antigena events only) | yes | `darktrace.model_breach_alert.model.actions.antigena.action`; fallback `rule.name` / `model.name` | high | `test-model-breach-alert.log-expected.json` `action: automatic`; `sample_event.json` no action |
+| `system_status_alert` | no | no | `darktrace.system_status_alert.alert_name` (`Advanced Search`) | moderate | `sample_event.json`; `default.yml` L160–190 |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Breaching / originating network device | host | — | high | `breachDevices` / `device` → `host.id` (`did`), `host.ip`, `host.hostname`, `host.mac`, `host.type`; vendor mirror `darktrace.*.breach_devices.*` / `darktrace.model_breach_alert.device.*` (`ai_analyst_alert/default.yml` L84–273; `model_breach_alert/default.yml` L137–492; `test-ai-analyst-alert.log-expected.json` `did: 10`, `linux.local`, `81.2.69.144`; `sample_event.json` desktop `did: 3`, `81.2.69.142`) | Primary actor for `ai_analyst_alert`, `model_breach_alert` |
+| Device echoed in investigation details | host | — | high | `details` device sections (`header: "Breaching Device"`, `type: device`) enrich `related.ip` / `related.hosts` but do not overwrite `host.*` (`ai_analyst_alert/default.yml` L313–521; fixture IPs `175.16.199.1`, `81.2.69.192`) | `ai_analyst_alert` only |
+| Historic device IPs | host | — | moderate | `device.ips.*` loop appends past IPs to `related.ip` (`model_breach_alert/default.yml` L242–321) | `model_breach_alert` only |
+| Probe / vSensor / master instance | host | — | high | `hostname` / `ip_address` → `host.hostname`, `host.ip`; `related.hosts`, `related.ip` (`system_status_alert/default.yml` L109–147; `sample_event.json` `example-vsensor`, `175.16.199.1`) | `system_status_alert`; on disconnection alerts `hostname`/`ip_address` may refer to master, not child (`fields.yml` description) |
+| Model configurator / editor | user | — | moderate | `model.created.by`, `model.edited.by` → `related.user`, `rule.author` (`model_breach_alert/default.yml` L651–744; `sample_event.json` `"System"`) | Admin metadata, not the network actor |
+| Acknowledging analyst | user | — | moderate | `acknowledged.username` → `related.user` when breach acknowledged (`model_breach_alert/default.yml` L1122–1128; `fields.yml`) | `model_breach_alert` only; no `user.name` |
+| User-triggered investigation | — | — | low | `darktrace.ai_analyst_alert.is_user_triggered` boolean only; pipeline does not map analyst identity (`ai_analyst_alert/default.yml` L611–619; `fields.yml`) | Flag without principal fields |
+| External trigger | — | — | low | `darktrace.ai_analyst_alert.is_external_triggered` boolean; no external principal mapped (`fields.yml`) | `ai_analyst_alert` only |
+| Probe child identifier | general | device | moderate | `darktrace.system_status_alert.child_id` — unique probe ID (`system_status_alert/default.yml` L163–171; `sample_event.json` `child_id: 1`) | `system_status_alert` only |
+
+No **service** actor is populated. Darktrace sensor identity appears only in syslog envelope (`log.syslog.hostname`: `example.cloud.darktrace.com`) — collector transport context, not the traffic actor. Antigena `event.action` (`automatic`) describes the **response verb**, not a separate actor entity — see Event action section.
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `host.id` | Breaching device Darktrace ID | yes | yes | high | `breachDevices[].did` / `device.did` → string `host.id` (`ai_analyst_alert/default.yml` L104–118; `model_breach_alert/default.yml` L150–160) |
+| `host.ip` | Breaching device address | yes | yes | high | `breachDevices[].ip` / `device.ip`/`ip6` (`ai_analyst_alert/default.yml` L190–214; `model_breach_alert/default.yml` L200–241) |
+| `host.hostname` | Breaching device hostname | yes | yes | high | Non-IP hostname from `breachDevices` / `device.hostname` (`ai_analyst_alert/default.yml` L124–134; `model_breach_alert/default.yml` L176–185; fixture `linux.local`) |
+| `host.mac` | Breaching device MAC | yes | yes | high | Normalized MAC from breach device arrays (`ai_analyst_alert/default.yml` L220–243; `model_breach_alert/default.yml` L337–349) |
+| `host.type` | Device class label | yes | yes | high | `device.type_name` → `host.type` (`model_breach_alert/default.yml` L481–488; `sample_event.json` `desktop`) |
+| `host.name` | Device identifier (non-IP) | yes | yes | moderate | `identifier` when not parseable as IP (`ai_analyst_alert/default.yml` L154–184) |
+| `related.ip` | Correlation IPs (actor + detail peers) | yes | partial | high | Aggregates breaching device, detail-section devices, and historic IPs — mixes actor and target endpoints (`ai_analyst_alert/default.yml` L140–456; `model_breach_alert/default.yml` L186–261) |
+| `related.hosts` | Correlation hostnames | yes | partial | high | From `host.hostname`, detail `identifier`/`hostname` (`ai_analyst_alert/default.yml` L145–184; `system_status_alert/default.yml` L128–131) |
+| `related.user` | Model admin / acknowledging analyst | yes | partial | moderate | `model.created.by`, `model.edited.by`, `acknowledged.username` — config/ack metadata, not network actor (`model_breach_alert/default.yml` L654–744, L1122–1128) |
+| `rule.author` | Model creator | yes | partial | moderate | `model.created.by` only (`model_breach_alert/default.yml` L659–663) |
+| `darktrace.ai_analyst_alert.breach_devices.*` | Canonical breaching device (vendor) | yes (vendor) | n/a | high | Full vendor device tree retained (`ai_analyst_alert/default.yml` L269–271) |
+| `darktrace.model_breach_alert.device.*` | Canonical breaching device (vendor) | yes (vendor) | n/a | high | Includes `ips`, `tags`, `credentials`, `sid` (`model_breach_alert/default.yml`; `fields.yml`) |
+| `darktrace.ai_analyst_alert.is_user_triggered` | Analyst-initiated flag | yes (vendor) | n/a | low | Boolean only; no username (`fields.yml`) |
+| `darktrace.system_status_alert.child_id` | Probe identifier | yes (vendor) | n/a | moderate | Numeric probe ID (`fields.yml`; `sample_event.json`) |
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Network protocol / service | Application protocol or destination port in connection context | SSH (:22), HTTPS (:443), DNS (:53), TCP (protocol 6) | service | — | moderate | `"Destination port": 22` in AI Analyst `details`; triggered filter `filter_type: "Destination port"` / `"Application protocol"` / `"Protocol"` with `trigger.value` (`test-ai-analyst-alert.log-expected.json`; `sample_event.json` beaconing filters) | Not mapped to `destination.port` or `network.protocol` |
+| 2 — Host / endpoint peer | Remote or internal IP/hostname that satisfied model logic or appears in investigation | External server, lateral-movement victim, rare external IP | host | — | high | AI Analyst `"Targeted IP ranges include"` → `related.ip` (`81.2.69.192`, `175.16.199.3`); model breach display filters `Destination IP` (`81.2.69.192`), `Connection hostname` (`example.com`) in `triggered_filters.trigger.value` (`ai_analyst_alert/default.yml` L335–456; `sample_event.json`) | Peers live in `related.ip` or vendor filters — no `destination.ip` |
+| 2 — Connection attributes | ASN, JA3, direction, beacon score | AS12345, JA3 hash, outbound flow | general | asn, ja3_hash, flow_metric | moderate | Display/comparator filters: `ASN`, `JA3 hash`, `Direction`, `Beaconing score`, `Rare external IP` (`sample_event.json`; `fields.yml`) | Model-evidence metadata; vendor-only |
+| 3 — Detection rule / incident | Behavioral model, MITRE technique, incident grouping | Darktrace model, AI Analyst incident | general | detection-rule, technique, incident | high | `rule.name`/`rule.uuid`/`rule.category` ← `model.*`; `rule.name` ← `related_breaches.model_name`; `threat.technique.*` ← `mitre_techniques`; `threat.group.id` ← `current_group`/`activity_id`; `threat.enrichments.matched.id` ← `children` (`model_breach_alert/default.yml`; `ai_analyst_alert/default.yml` L281–311, L745–766) | Layer 3 correlation, not network endpoint |
+| 3 — Platform component (operational) | Degraded Darktrace module on probe/sensor | Advanced Search, probe module | general | platform_module | high | `darktrace.system_status_alert.alert_name` / `name` (e.g. `advanced_search`, `"Advanced Search"`) on same `host.*` as actor (`sample_event.json`) | `system_status_alert` only; not a threat target |
+| 3 — Resource URL | Support / ticket link embedded in alert | Support portal URL | general | url | moderate | `event.url` ← `incident_event_url` / `breach_url` / `system_status_alert.url` (`ai_analyst_alert/default.yml` L569–583; `model_breach_alert/default.yml` L81–95; `system_status_alert/default.yml` L94–108) | Reference link, not acted-upon resource |
+
+**system_status_alert** has no threat/network peer targets — operational telemetry only (`event.type: info`, no `event.category: threat`).
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `related.ip` | 2 | host | yes | partial | context-only | yes → `host.target.ip` | Detail-section and filter IPs appended alongside actor IP — conflates actor and target (`ai_analyst_alert/default.yml` L335–456; fixture `81.2.69.192`, `175.16.199.3`) |
+| `related.hosts` | 2 | host | yes | partial | context-only | yes → `host.target.hostname` | Hostnames from detail devices (`ai_analyst_alert/default.yml` L374–434; fixture `linux.local`) |
+| `darktrace.ai_analyst_alert.details` | 1/2 | service/host | yes (vendor) | n/a | — | yes | `"Destination port": 22`, `"Targeted IP ranges include"` device arrays — richest target context, vendor-only (`test-ai-analyst-alert.log-expected.json`) |
+| `darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.value` | 1/2 | host/service/general | yes (vendor) | n/a | — | yes → `destination.ip`/`destination.domain`/`destination.port` or `host.target.*` | Display filters: `Destination IP` `81.2.69.192`, `Connection hostname` `example.com`, port `443`, JA3, ASN (`sample_event.json`) |
+| `darktrace.model_breach_alert.triggered_components.triggered_filters.filter_type` | 1/2 | general | yes (vendor) | n/a | — | no | Labels filter semantics (`Connection hostname`, `Rare external IP`, etc.) |
+| `rule.name`, `rule.uuid`, `rule.category`, `rule.description`, `rule.ruleset` | 3 | general | yes | yes | context-only | no | Behavioral model metadata ← `model.*` / `related_breaches.model_name` (`model_breach_alert/default.yml` L647–981; `ai_analyst_alert/default.yml` L745–766) |
+| `threat.technique.id`, `threat.technique.name` | 3 | general | yes | yes | context-only | no | MITRE from `mitre_techniques` (`model_breach_alert/default.yml` L493–534) |
+| `threat.group.id` | 3 | general | yes | yes | context-only | partial → `entity.target.id` | Incident correlation ID (`ai_analyst_alert/default.yml` L305–311, L535–539) |
+| `threat.enrichments.matched.id` | 3 | general | yes | yes | context-only | no | Child incident UUIDs (`ai_analyst_alert/default.yml` L281–284) |
+| `darktrace.model_breach_alert.aianalyst_data.uuid` | 3 | general | yes (vendor) | n/a | — | no | Cross-reference to AI Analyst incident (`sample_event.json`) |
+| `darktrace.model_breach_alert.model.logic.target_score` | — | — | yes (vendor) | no | — | no | Model scoring threshold (numeric `1`), **not** an entity target — false positive in `vendor_target_special_cases.csv` |
+| `event.url` | 3 | general | yes | yes | context-only | no | Incident/breach/support URLs (`ai_analyst_alert/default.yml` L569–583; `system_status_alert/default.yml` L94–108) |
+| `darktrace.system_status_alert.alert_name` / `name` | 3 | general | yes (vendor) | n/a | — | no | Platform module identifier (`sample_event.json` `advanced_search`) |
+
+No `destination.user.*`, `destination.host.*`, `source.*`, `cloud.service.name`, or ECS `*.target.*` fields are mapped today. Package absent from `destination_identity_hits.csv`.
+
+### Gaps and mapping notes
+
+- **Not audit logs** — Darktrace alerts describe ML-detected network behavior; actor is the breaching device (`host.*`), not an IAM principal.
`target_enhancement_packages.csv` classifies darktrace as **moderate_candidate** with `fixture_strong: true` but no pipeline destination-identity or ECS Tier-A target mappings. +- **`related.ip` conflates actor and target** — Breaching device IPs and targeted peer IPs from `details` share one correlation array; cannot distinguish actor from target without parsing `darktrace.ai_analyst_alert.details` or filter `filter_type`. +- **Connection targets vendor-only** — External IPs, hostnames, ports, JA3, and ASN from model breach display filters remain under `darktrace.model_breach_alert.triggered_components.*`; no `destination.ip`, `destination.domain`, or `destination.port` ECS mapping despite clear network-peer semantics. +- **`related.user` is admin metadata, not actor** — `model.created.by` / `model.edited.by` (`"System"`) and `acknowledged.username` populate `related.user` but identify model configurators or acknowledging analysts, not the device performing suspicious connections. +- **`darktrace.model_breach_alert.model.logic.target_score`** — Vendor field name contains "target" but holds model logic scoring threshold; not an ECS target entity (`vendor_target_special_cases.csv` false positive). +- **No de-facto `destination.*` targets** — Unlike firewall or auth integrations, pipelines never map peer endpoints to `destination.user.*` or `destination.host.*`; enhancement would require new pipeline steps from `details` device arrays and display-filter values. +- **AI Analyst vs model breach actor IP mismatch** — In fixtures, `breach_devices` IP (`81.2.69.144`) can differ from the IP emphasized in `details`/`summary` (`175.16.199.1`); both appear in `related.ip` but only breach-device fields populate `host.ip`. +- **`event.action` gaps** — Only Antigena response metadata maps to `event.action` on `model_breach_alert`; most breaches (including `sample_event.json`) have empty `antigena: {}` and no action field. 
Recommended primary candidates: `rule.name` / `model.name` for breach detection, `summariser` or `title` for AI Analyst, `alert_name` for system status. `event.reason` ← `title` partially captures AI Analyst action but is not the ECS action field. + +### Per-stream notes + +**ai_analyst_alert** — AI-generated incident narrative with structured `details` sections (connection counts, targeted IPs, ports). Richest target context is vendor-only in `details`; ECS surface is breaching device on `host.*` plus mixed `related.*`. No `event.action`; `summariser` (`AdminConnSummary`) and `title` (`Extensive Unusual SSH Connections` → `event.reason`) name the investigation type. + +**model_breach_alert** — Single breaching device on `host.*` with exhaustive triggered-filter evidence for connection targets. Adds `rule.*`, optional `threat.technique.*`, MITRE mappings. `event.action` populated only when Antigena configured (`automatic`); otherwise `rule.name` (`Compromise::Beaconing Activity To External Rare`) is the de-facto detection action. Connection-category events when metric label contains "connection" (`default.yml` L44–58). + +**system_status_alert** — Platform health only (probe down, module inactive). Same `host.*` serves as both affected component and sole entity; no threat targets. No `event.action`; `alert_name` (`Advanced Search`) identifies the operational alert type. Syslog-only stream per README. + +## Example Event Graph + +Darktrace alerts are **audit-adjacent network behavioral detections**, not identity-centric audit logs. The examples below are drawn from all three data streams (`model_breach_alert`, `ai_analyst_alert`, `system_status_alert`) using package fixtures only. 
+ +### Example 1: Beaconing to rare external endpoint + +**Stream:** `darktrace.model_breach_alert` · **Fixture:** `packages/darktrace/data_stream/model_breach_alert/sample_event.json` + +``` +Breaching desktop (81.2.69.142) → Model breach fired → External host example.com (81.2.69.192) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | 3 | +| type | host | +| sub_type | desktop | +| ip | 81.2.69.142 | + +**Field sources:** + +- `id` ← `host.id` ← `darktrace.model_breach_alert.device.did` +- `type` ← `host.type` ← `darktrace.model_breach_alert.device.type_name` +- `ip` ← `host.ip` ← `darktrace.model_breach_alert.device.ip` + +#### Event action + +| Field | Value | +| --- | --- | +| action | Model breach fired | +| source_field | `rule.name` | +| source_value | `Compromise::Beaconing Activity To External Rare` | + +`event.action` is absent in this fixture (`antigena: {}`); action is derived from the behavioral model name on `rule.name`, **not mapped to ECS `event.action` today**. + +#### Target + +| Field | Value | +| --- | --- | +| id | 81.2.69.192 | +| name | example.com | +| type | host | + +**Field sources:** + +- `id` ← `darktrace.model_breach_alert.triggered_components[].triggered_filters[]` where `filter_type: Destination IP`, `trigger.value: 81.2.69.192` +- `name` ← same structure where `filter_type: Connection hostname`, `trigger.value: example.com` +- Target peer is vendor-only; not mapped to `destination.ip` or `destination.domain` — only breaching device IP appears on `related.ip` alongside target IPs in other streams. 
+ +#### Mermaid + +```mermaid +flowchart LR + A["Actor: desktop 81.2.69.142"] --> E["Model breach fired"] + E --> T["Target: example.com 81.2.69.192"] +``` + +### Example 2: AI Analyst SSH lateral-movement investigation + +**Stream:** `darktrace.ai_analyst_alert` · **Fixture:** `packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/test-ai-analyst-alert.log-expected.json` + +``` +Breaching device linux.local (81.2.69.144) → AdminConnSummary investigation → Targeted internal host 81.2.69.192 (SSH :22) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | 10 | +| name | linux.local | +| type | host | +| ip | 81.2.69.144 | + +**Field sources:** + +- `id` ← `host.id` ← `darktrace.ai_analyst_alert.breach_devices[].did` +- `name` ← `host.hostname` ← `darktrace.ai_analyst_alert.breach_devices[].hostname` +- `ip` ← `host.ip` ← `darktrace.ai_analyst_alert.breach_devices[].ip` +- Investigation `details` emphasize a different IP (`175.16.199.1`) for the breaching device; that IP appears in `related.ip` but does not overwrite `host.ip`. + +#### Event action + +| Field | Value | +| --- | --- | +| action | AdminConnSummary investigation | +| source_field | `darktrace.ai_analyst_alert.summariser` | +| source_value | `AdminConnSummary` | + +No `event.action` in fixture; human-readable title `Extensive Unusual SSH Connections` maps to `event.reason`, not `event.action`. + +#### Target + +| Field | Value | +| --- | --- | +| id | 81.2.69.192 | +| name | SSH | +| type | service | +| sub_type | ssh | + +**Field sources:** + +- `id` ← `darktrace.ai_analyst_alert.details[]` key `Targeted IP ranges include`, first peer `ip: 81.2.69.192` +- `name` / `sub_type` ← same `details` section key `Destination port`, `values: [22]` (SSH) +- Additional targeted IPs (`175.16.199.1`, `175.16.199.3`) are in the same details array and merged into `related.ip` with the actor IP. 
+ +#### Mermaid + +```mermaid +flowchart LR + A["Actor: linux.local 81.2.69.144"] --> E["AdminConnSummary investigation"] + E --> T["Target: 81.2.69.192 SSH :22"] +``` + +### Example 3: vSensor platform module health alert + +**Stream:** `darktrace.system_status_alert` · **Fixture:** `packages/darktrace/data_stream/system_status_alert/sample_event.json` + +``` +Probe example-vsensor (175.16.199.1) → Advanced Search module inactive → Advanced Search platform module +``` + +#### Actor + +| Field | Value | +| --- | --- | +| name | example-vsensor | +| type | host | +| ip | 175.16.199.1 | + +**Field sources:** + +- `name` ← `host.hostname` ← `darktrace.system_status_alert.hostname` +- `ip` ← `host.ip` ← `darktrace.system_status_alert.ip_address` +- `id` omitted — no `host.id` in fixture; probe identified by `darktrace.system_status_alert.child_id: 1` (vendor-only) + +#### Event action + +| Field | Value | +| --- | --- | +| action | Advanced Search module inactive | +| source_field | `darktrace.system_status_alert.alert_name` | +| source_value | `Advanced Search` | + +No `event.action` in fixture; operational alert type from vendor `alert_name`, **not mapped to ECS `event.action` today**. + +#### Target + +| Field | Value | +| --- | --- | +| id | advanced_search | +| name | Advanced Search | +| type | general | +| sub_type | platform_module | + +**Field sources:** + +- `id` ← `darktrace.system_status_alert.name` (`advanced_search`) +- `name` ← `darktrace.system_status_alert.alert_name` (`Advanced Search`) +- Operational telemetry only — no network threat peer; affected module is the sole non-actor entity. + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: example-vsensor 175.16.199.1"] --> E["Advanced Search module inactive"] + E --> T["Target: Advanced Search module"] +``` + +## ES|QL Entity Extraction + +**Package type: agent-backed** (policy template `darktrace`, three data streams in `manifest.yml`; Tier A fixtures in `sample_event.json` and `*-expected.json`). 
Router: **`data_stream.dataset`** (`darktrace.ai_analyst_alert`, `darktrace.model_breach_alert`, `darktrace.system_status_alert`). Pass 4 is **fill-gaps-only**: detection flags (`actor_exists`, `target_exists`, `action_exists`) run first; mapped columns use **column-level** `CASE( IS NOT NULL, , fallback, null)` — not `CASE(actor_exists, host.ip, …, host.ip, null)` (Pass 4 §10). Ingest populates **breaching device** on `host.id` / `host.ip` / `host.mac` / `host.type` for threat streams — **ingest-only — no ES|QL** on those columns (no flat vendor alternate at query time). No ECS `*.target.*` at ingest except Pass 4 fallbacks below. Network peer targets (Pass 3 Examples 1–2) live in nested `darktrace.*.details` / `triggered_components` — omitted from target fallbacks. **`rule.name`** feeds **`event.action`** on model breaches, not `entity.target.*` (model is action context, not network target). **`related.user`** excluded from `actor_exists` (admin metadata). **`log.syslog.hostname`** is collector transport, not traffic actor. **Pass 4 (tautology cleanup):** no `CASE(col, col, …)` identity fallbacks on ingest-populated `host.*`; only `host.name` ← `host.hostname` when `host.name` is empty. 
+ +### Dataset inventory + +| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction | +| --- | --- | --- | --- | --- | +| `darktrace.ai_analyst_alert` | AI Analyst incident | host | service (semantic) | partial | +| `darktrace.model_breach_alert` | Model breach | host | host (vendor-nested only) | partial | +| `darktrace.system_status_alert` | Platform health | host | general (platform_module) | partial | + +### Field mapping plan + +#### Actor mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `host.id` | — | `STARTS_WITH(data_stream.dataset, "darktrace.")` | high | **ingest-only — no ES\|QL** — `device.did` / `breach_devices[].did` → `host.id` (`model_breach_alert/default.yml` L150–160; `ai_analyst_alert/default.yml` L104–118); omit — `CASE(actor_exists, host.id, …, host.id, null)` is identity no-op | +| `host.ip` | — | `STARTS_WITH(data_stream.dataset, "darktrace.")` | high | **ingest-only — no ES\|QL** — breach device IP at ingest; omit — no flat query-time vendor path | +| `host.name` | `host.name` | `host.name IS NOT NULL` | high | **column-level preserve** | +| `host.name` | `host.hostname` | `STARTS_WITH(data_stream.dataset, "darktrace.") AND host.hostname IS NOT NULL` | high | **vendor fallback** — promote hostname when `host.name` empty (`system_status_alert/sample_event.json` `example-vsensor`; `test-ai-analyst-alert.log-expected.json` `linux.local`) | +| `host.mac` | — | `data_stream.dataset == "darktrace.model_breach_alert"` | high | **ingest-only — no ES\|QL** — MAC normalized at ingest; omit | +| `host.type` | — | `data_stream.dataset == "darktrace.model_breach_alert"` | high | **ingest-only — no ES\|QL** — `device.type_name` → `host.type` (`sample_event.json` `desktop`); omit | + +#### Target mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | 
--- | +| `entity.target.id` | `entity.target.id` | `entity.target.id IS NOT NULL` | high | **column-level preserve** | +| `entity.target.id` | `darktrace.system_status_alert.name` | `data_stream.dataset == "darktrace.system_status_alert"` | high | **vendor fallback** — platform module ID (`sample_event.json` `advanced_search`) | +| `entity.target.name` | `entity.target.name` | `entity.target.name IS NOT NULL` | high | **column-level preserve** | +| `entity.target.name` | `darktrace.system_status_alert.alert_name` | `data_stream.dataset == "darktrace.system_status_alert"` | high | **vendor fallback** — Pass 3 Example 3 (`Advanced Search`) | +| `entity.target.sub_type` | `entity.target.sub_type` | `entity.target.sub_type IS NOT NULL` | high | **column-level preserve** | +| `entity.target.sub_type` | literal `"platform_module"` | `data_stream.dataset == "darktrace.system_status_alert"` | high | **semantic literal** | +| `service.target.name` | `service.target.name` | `service.target.name IS NOT NULL` | low | **column-level preserve** | +| `service.target.name` | literal `"SSH"` | `data_stream.dataset == "darktrace.ai_analyst_alert" AND darktrace.ai_analyst_alert.summariser == "AdminConnSummary"` | low | **semantic literal** — Pass 3 Example 2; port `22` only in nested `details` | + +#### Event action mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `event.action` | `event.action` | `event.action IS NOT NULL` | high | **column-level preserve** — Antigena only (`test-model-breach-alert.log-expected.json` `automatic`) | +| `event.action` | `rule.name` | `data_stream.dataset == "darktrace.model_breach_alert" AND rule.name IS NOT NULL` | high | **vendor fallback** — model breach verb when Antigena absent (`sample_event.json` `Compromise::Beaconing…`) | +| `event.action` | `darktrace.ai_analyst_alert.summariser` | `data_stream.dataset == "darktrace.ai_analyst_alert" AND 
darktrace.ai_analyst_alert.summariser IS NOT NULL` | high | **vendor fallback** — investigation template (`AdminConnSummary` in fixture) | +| `event.action` | `darktrace.system_status_alert.alert_name` | `data_stream.dataset == "darktrace.system_status_alert"` | moderate | **vendor fallback** — operational alert type (`Advanced Search`) | + +### Detection flags (mandatory — run first) + +`actor_exists` omits `user.*` and `service.*` — no IAM principal; `related.user` is model admin / ack metadata. `target_exists` checks official `*.target.*` columns only (ingest does not populate them today). Actor/target `EVAL` blocks use **column-level** `IS NOT NULL` preserve — not `CASE(actor_exists, host.ip, …)` / `CASE(target_exists, entity.target.id, …)` — so partial future enrichment does not block vendor fallbacks (Pass 4 §10). + +**Semantics:** `actor_exists` / `target_exists` / `action_exists` are query-time helpers only. Mapped columns use **column-level** ` IS NOT NULL` as the first `CASE` branch so populated `host.id` / `host.ip` siblings do not block `host.name` ← `host.hostname` or vendor `event.action` / `entity.target.*` fallbacks. + +**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. Wrong: `CASE(host.name IS NOT NULL, host.name, host.hostname, null)` (4 args — `host.hostname` is a **condition**, not a value). Wrong: `CASE(actor_exists, host.name, host.hostname, null)` (4 args — `host.hostname` parses as condition). Right: **3-arg** `CASE(event.action IS NOT NULL, event.action, rule.name)` or **5-arg** `CASE(host.name IS NOT NULL, host.name, STARTS_WITH(data_stream.dataset, "darktrace.") AND host.hostname IS NOT NULL, host.hostname, null)`. Do not use `CASE(actor_exists, host.name, …)` when `host.hostname` can set `actor_exists` while `host.name` is still empty (Pass 4 §10). 
+
+```esql
+| EVAL
+ actor_exists = host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR host.hostname IS NOT NULL OR host.mac IS NOT NULL OR host.type IS NOT NULL,
+ target_exists = host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+### Combined ES|QL — actor fields
+
+Omitted from actor `EVAL` (ingest-only — no alternate query-time source): `host.id`, `host.ip`, `host.mac`, `host.type` (breaching device promoted at ingest; nested `darktrace.*.device` / `breach_devices` not flat for ES|QL).
+
+```esql
+| EVAL
+ host.name = CASE(
+ host.name IS NOT NULL, host.name,
+ STARTS_WITH(data_stream.dataset, "darktrace.") AND host.hostname IS NOT NULL, host.hostname,
+ null
+ )
+```
+
+### Combined ES|QL — event action
+
+```esql
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "darktrace.model_breach_alert" AND rule.name IS NOT NULL, rule.name,
+ data_stream.dataset == "darktrace.ai_analyst_alert" AND darktrace.ai_analyst_alert.summariser IS NOT NULL, darktrace.ai_analyst_alert.summariser,
+ data_stream.dataset == "darktrace.system_status_alert" AND darktrace.system_status_alert.alert_name IS NOT NULL, darktrace.system_status_alert.alert_name,
+ null
+ )
+```
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "darktrace.system_status_alert" AND darktrace.system_status_alert.name IS NOT NULL, darktrace.system_status_alert.name,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "darktrace.system_status_alert" AND darktrace.system_status_alert.alert_name IS NOT NULL, darktrace.system_status_alert.alert_name,
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "darktrace.system_status_alert", "platform_module",
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "darktrace.ai_analyst_alert" AND darktrace.ai_analyst_alert.summariser == "AdminConnSummary", "SSH",
+ null
+ )
+```
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR host.hostname IS NOT NULL OR host.mac IS NOT NULL OR host.type IS NOT NULL,
+ target_exists = host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ host.name = CASE(
+ host.name IS NOT NULL, host.name,
+ STARTS_WITH(data_stream.dataset, "darktrace.") AND host.hostname IS NOT NULL, host.hostname,
+ null
+ ),
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "darktrace.model_breach_alert" AND rule.name IS NOT NULL, rule.name,
+ data_stream.dataset == "darktrace.ai_analyst_alert" AND darktrace.ai_analyst_alert.summariser IS NOT NULL, darktrace.ai_analyst_alert.summariser,
+ data_stream.dataset == "darktrace.system_status_alert" AND darktrace.system_status_alert.alert_name IS NOT NULL, darktrace.system_status_alert.alert_name,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "darktrace.system_status_alert" AND darktrace.system_status_alert.name IS NOT NULL, darktrace.system_status_alert.name,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "darktrace.system_status_alert" AND darktrace.system_status_alert.alert_name IS NOT NULL, darktrace.system_status_alert.alert_name,
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "darktrace.system_status_alert", "platform_module",
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "darktrace.ai_analyst_alert" AND darktrace.ai_analyst_alert.summariser == "AdminConnSummary", "SSH",
+ null
+ )
+| KEEP @timestamp, data_stream.dataset, event.action, host.id, host.ip, host.name, host.hostname, entity.target.id, entity.target.name, service.target.name, rule.name
+```
+
+### Streams excluded
+
+None — all three streams receive partial extraction (actor preserve, action/target fallbacks where defensible).
+
+### Gaps and limitations
+
+- **Network peer targets vendor-only** — Pass 3 external host `81.2.69.192` / `example.com` live in `darktrace.model_breach_alert.triggered_components[].triggered_filters[]` (`filter_type: Destination IP`, `Connection hostname`); `darktrace.ai_analyst_alert.details` keyed sections — not flat ECS fields; ES|QL cannot parse nested arrays reliably → **`host.target.*` omitted** for `ai_analyst_alert` and `model_breach_alert`.
+- **`rule.name` / `rule.uuid` not entity targets** — behavioral model is action/detection context (Pass 3 Example 1), not the network target; do not map to `entity.target.*`.
+- **`related.ip` conflates actor and target** — breaching device and peer IPs merged at ingest; not used as target source (Pass 2 **Mapping correct?** partial).
+- **`darktrace.model_breach_alert.model.logic.target_score`** — model scoring threshold homonym; not an entity target.
+- **`related.user`** — `model.created.by` / `acknowledged.username` (`System`); admin metadata, not network actor.
+- **`threat.group.id` / `threat.enrichments.matched.id`** — incident correlation (Layer 3); omitted to avoid conflating with Pass 3 host/service targets. +- **`event.reason` ← `title`** on AI Analyst — narrative label, not substituted for `event.action` fallback (`summariser` used instead). +- **Pass 2 enhancement alignment** — ingest-time `host.target.*` from display filters / `details` device arrays remains preferred; Pass 4 fills gaps without overwriting populated values. +- **Pass 4 tautology cleanup (§10)** — `host.id`, `host.ip`, `host.mac`, `host.type` omitted from actor `EVAL` (ingest-only); `host.name` uses column-level preserve + `host.hostname` fallback only; target/action columns use column-level `IS NOT NULL` preserve, not `CASE(flag, col, …, col, null)`. +- **Pass 4 CASE syntax** — all `CASE` use odd-arity defaults (`null`) or valid **3-arg** preserve/fallback; mapped columns use column-level **5-arg** / **7-arg** / **9-arg** `CASE( IS NOT NULL, , , , null)` — never **4-arg** `CASE(actor_exists|target_exists, col, bare_field, null)` or `CASE(col IS NOT NULL, col, bare_field, null)` (bare field parses as a condition). Vendor fallbacks include `IS NOT NULL` on source fields where applicable. `actor_exists` / `target_exists` / `action_exists` are helpers only — not first `CASE` branches on mapped columns. Full pipeline fragment aligned with combined `EVAL` blocks. diff --git a/dev/domain/p1/entityanalytics_ad.md b/dev/domain/p1/entityanalytics_ad.md new file mode 100644 index 00000000000..b4f970563dd --- /dev/null +++ b/dev/domain/p1/entityanalytics_ad.md 
@@ -0,0 +1,228 @@
+# entityanalytics_ad
+
+## Product Domain (Active Directory entity analytics)
+
+Microsoft Active Directory (AD) is the dominant on-premises directory service for Windows enterprise environments, storing authoritative identity and access data for users, groups, computers, and service accounts across a domain forest. AD objects are exposed via LDAP and include rich metadata: distinguished names, SIDs, GUIDs, group memberships, account control flags, password and logon timestamps, delegation settings, and organizational attributes. Security teams rely on this directory state to understand who exists in the environment, which accounts are privileged or misconfigured, and how identity posture changes over time.
+
+Entity Analytics in Elastic Security consumes identity inventory—not authentication logs—to build a living graph of users and devices for risk scoring, user behavior analytics (UBA), and context enrichment during investigations. The Active Directory Entity Analytics integration connects Elastic Agent to an AD domain controller over LDAP, periodically synchronizing user and computer account objects into Elasticsearch. Unlike event-driven log sources, this integration treats identities as assets: it performs full synchronizations on a configurable interval (default 24 hours) and ships incremental updates for changed, added, or removed objects between syncs (default every 15 minutes).
+
+Core AD concepts reflected in collected data include user and computer accounts (sAMAccountName, UPN, objectSid, objectGUID), group membership (memberOf), User Account Control (UAC) flags and derived security posture (enabled, locked, password-not-required, delegation trusted, privileged group membership), account lifecycle timestamps (whenCreated, whenChanged, pwdLastSet, lastLogon), and optional group object attributes.
Ingest pipelines normalize raw LDAP attributes into ECS-aligned user, asset, and entityanalytics_ad fields, decode UAC bitmasks, and route documents to separate user and device data streams. The integration supports configurable base DN, attribute selection, SSL/TLS, paging, and an identity source label for multi-directory deployments.
+
+## Data Collected (brief)
+
+- **Entity sync** (`entityanalytics_ad.entity`): Primary collection stream from the Elastic Agent entity-analytics input; LDAP lookups against Active Directory return user and/or device objects depending on dataset selection (`users`, `devices`, or `all`). Events include full-sync markers and incremental change notifications (`event.action` such as `user-discovered`, `started`).
+- **Users** (`entityanalytics_ad.user`): Active Directory user account inventory routed from the entity stream. Includes distinguished name, sAMAccountName, UPN, mail, objectSid/GUID, group memberships, account status (enabled, locked, expired), UAC-derived flags (delegation, preauth, password policy), logon metadata, and ECS `user.*` profile and account fields.
+- **Devices** (`entityanalytics_ad.device`): Active Directory computer account inventory routed from the entity stream. Includes computer account attributes (cn, sAMAccountName, distinguishedName, memberOf, servicePrincipalName), account control and security posture flags, and ECS asset mapping (`asset.type`: `activedirectory_device`).
+- **Groups** (embedded): Group object attributes (`entityanalytics_ad.groups.*`) such as cn, distinguishedName, member, memberOf, objectSid/GUID, and group type—optionally with member lists preserved via configuration.
+- **Identity context**: `labels.identity_source` tags the originating directory; `asset.*` fields classify entities; IAM-oriented `event.category` and `event.kind: asset` support Entity Analytics workflows in Elastic Security.
+
+## Expected Audit Log Entities
+
+This integration performs **Active Directory entity inventory sync over LDAP**, not administrative or security audit logging. Elastic Agent polls domain controllers on a schedule and ships snapshots and deltas of user and computer account objects; it does **not** ingest Windows Security Event Log, Entra ID audit, or other AD change-audit streams. Every document is an identity asset record (`event.kind: asset`); **actor/target audit semantics do not apply**. Fields below describe **inventory subjects** (the AD object being synchronized), not an initiating principal or an acted-upon audit target. No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*` fields are populated; the package does not appear in `destination_identity_hits.csv` (no `destination.user.*` / `destination.host.*`). Target-fields audit classified this package as **`none`** (`dev/target-fields-audit/out/target_enhancement_packages.csv`).
+
+**`event.action` is partially populated.** Sync boundary markers retain agent-supplied `started` and `completed` (`sample_event.json`, `test-user.json-expected.json` events 0 and last). Inventory rows arrive from the agent with `user-discovered` or `device-discovered` (`test-user.json`, `test-device.json`, README sample) but `default.yml` **removes** `event.action` unless the value is `started` or `completed` (L9–12) — incremental sync semantics are not preserved in routed `user`/`device` output. This is inventory sync action vocabulary, not AD security audit verbs (create/modify/delete attribution).
+
+Evidence: `packages/entityanalytics_ad/data_stream/entity/sample_event.json`, `_dev/test/pipeline/test-user.json-expected.json`, `_dev/test/pipeline/test-device.json-expected.json`, ingest pipelines `default.yml`, `user.yml`, `device.yml`, `entity.yml`, `marker.yml`, and `data_stream/*/fields/fields.yml`.
+
+### Event action (semantic)
+
+Entity Analytics AD records **sync lifecycle and discovery markers**, not per-object AD change audit. Actions describe whether a full sync started/completed or an object was discovered during incremental polling — not who modified an AD object or what security operation occurred.
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `started` | administration | high | `sample_event.json`; `test-user.json-expected.json` event 0; input `test-user.json` event 0 | Full-sync boundary marker; `marker.yml` sets `event.kind: asset`, `event.category: [iam]`, `event.type: [info]`; no inventory payload |
+| `completed` | administration | high | `test-user.json-expected.json` last event; input `test-user.json` last event | Full-sync boundary marker; same pipeline as `started` |
+| `user-discovered` | administration | high | Input `test-user.json` events 1–3; README sample user document | Agent-emitted incremental/discovery marker for user objects; **stripped** from pipeline output (`default.yml` L9–12) |
+| `device-discovered` | administration | high | Input `test-device.json` event 0 | Agent-emitted discovery marker for computer accounts; **stripped** from pipeline output |
+
+Inventory asset rows (`entityanalytics_ad.user`, `entityanalytics_ad.device`) have **no per-event action** in fixtures after ingest — only static `event.kind: asset` and `event.type: [user, info]` or `[info]` set by `user.yml`/`device.yml`. There is no meaningful security audit verb (e.g. `user-created`, `password-changed`) in this integration.
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? 
| Evidence |
+| --- | --- | --- | --- | --- | --- |
+| Agent `event.action` → retained | partial | yes (for markers) | `started`, `completed` | no | Pass-through on sync markers; `sample_event.json`, `test-user.json-expected.json` |
+| Agent `event.action` → removed | no (stripped) | n/a | `user-discovered`, `device-discovered` | yes | `default.yml` L9–12 `remove` when action ≠ `started`/`completed`; input in `test-user.json`/`test-device.json`, absent in expected output |
+| `event.type` | no | n/a | — | no | Static `['user','info']` (user) or `['info']` (device/marker) — asset classification, not operation verb |
+| `event.category` | no | n/a | — | no | Static `['iam']` on all streams — category, not action |
+| `event.kind` | no | n/a | — | no | Always `asset` — document kind, not action |
+
+**Step 2b — per-stream check:**
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `entityanalytics_ad.entity` | yes (markers only) | partial (pass-through + strip) | Agent `event.action` (`started`/`completed` retained; `user-discovered`/`device-discovered` removed) | high | `default.yml` L9–12; `sample_event.json`: `started`; unrouted objects have no action |
+| `entityanalytics_ad.user` | no (stripped) | removes non-marker actions | Agent `event.action`: `user-discovered` (input only) | high | `test-user.json` input vs `test-user.json-expected.json` — inventory rows lack `event.action` |
+| `entityanalytics_ad.device` | no (stripped) | removes non-marker actions | Agent `event.action`: `device-discovered` (input only) | high | `test-device.json` input vs `test-device.json-expected.json` — no `event.action` in output |
+
+### Actor (semantic)
+
+No audit actor exists on any stream. LDAP synchronization is performed by Elastic Agent using configured bind credentials; the collector identity is not recorded on events.
Sync boundary markers (`event.action`: `started`, `completed`) carry only `labels.identity_source` and `asset.category: entity` — no operator. Inventory rows populate `user.*` or `host.*`/`device.*` for the **described AD object**, not the party that triggered ingestion.
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| — | — | — | high | No ECS `user.*`, `client.user.*`, `source.*`, or vendor principal fields on any fixture or pipeline step | **All streams** — actor/target audit classification does not apply |
+
+**Note:** For AD directory-change audit (who created/modified/deleted objects, logon events, Kerberos tickets), use Windows event log or dedicated AD audit integrations — not this package.
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| — | — | no | n/a | high | No actor identity fields in pipelines or fixtures |
+
+`user.*` on user/device records identifies the **inventory subject**, not an audit actor — do not interpret as caller/principal.
+
+### Target (semantic)
+
+Inventory subjects only — not audit targets. Each document describes one AD object at sync time; there is no separate actor and no layered "acted-upon" semantics.
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 2 — Resource / object | AD user account (inventory subject) | User account | user | — | high | ECS `user.*`, `asset.*` (`asset.type: activedirectory_user`); vendor `entityanalytics_ad.user.*`; fixture: `Administrator` / SID `S-1-5-21-372676048-1189045421-4047760665-500` | **`entityanalytics_ad.user`** — routed when `user.id` present (`routing_rules.yml`) |
+| 2 — Resource / object | AD computer account (inventory subject) | Computer / endpoint | host | — | high | ECS `host.*`, `device.id`, `asset.*` (`asset.type: activedirectory_device`); vendor `entityanalytics_ad.device.*`; fixture: `test12009.org.test.local` / SID `S-1-5-21-1133191089-1850170202-1535859923-274531` | **`entityanalytics_ad.device`** — routed when `device.id` present |
+| 2 — Resource / object | Unrouted LDAP directory object | Generic AD entity | general | directory-object | moderate | `entityanalytics_ad.entity.*`, `asset.type: activedirectory_entity` (`entity.yml`); used when `user.id` and `device.id` both absent | **`entityanalytics_ad.entity`** — fallback pipeline |
+| 2 — Resource / object | Embedded group membership | AD security/distribution group | general | ad-group | high | `entityanalytics_ad.groups[]` with `distinguished_name`, `object_sid`, `name`, optional `member`; rolled into `user.group.*` via painless script (`user.yml`/`device.yml` L201–251) | **user/device** — enrichment when group lookup enabled; related identity context, not audit target |
+| — | Sync boundary marker | Full-sync start/complete | — | — | high | `event.action`: `started`/`completed`; `marker.yml`; no entity payload | **`entityanalytics_ad.entity`** — `sample_event.json`, `test-user.json-expected.json` event 0 |
+
+Layer 1 (platform service) and Layer 3 (content/artifact) do not apply — no invoked API or per-action payload; this is 
periodic LDAP inventory, not an auditable operation.
+
+### Target (ECS candidates)
+
+Fields below are **inventory subject identity**, not ECS audit-target mappings. Enhancement to `*.target.*` does not apply.
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `user.id` | 2 | user | yes | yes (inventory subject) | n/a | no | `copy_from: activedirectory.user.object_sid` (`user.yml` L144–146); SID in fixtures |
+| `user.name` | 2 | user | yes | yes (inventory subject) | n/a | no | `copy_from: activedirectory.user.sam_account_name` (L119–122); `Administrator`, `Guest` |
+| `user.email` | 2 | user | yes | yes (inventory subject) | n/a | no | `copy_from: activedirectory.user.mail` (L123–127); `admin@testserver.local` |
+| `user.domain` | 2 | user | yes | yes (inventory subject) | n/a | no | gsub on `distinguished_name` (L128–140); `testserver.local` |
+| `user.group.id` / `user.group.name` | 2 | general | yes | yes (membership context) | n/a | no | painless group script (L201–251); privileged-group SID check sets `privileged_group_member` |
+| `user.account.password_change_date` | 2 | user | yes | yes (inventory attribute) | n/a | no | `date` from `pwd_last_set` (L101–113) |
+| `asset.id` / `asset.name` / `asset.type` / `asset.create_date` / `asset.last_updated` | 2 | user / host | yes | yes (inventory subject) | n/a | no | `asset.id` ← `object_sid`; lifecycle dates from `when_created`/`when_changed` |
+| `host.name` / `host.hostname` / `host.domain` / `host.os.*` | 2 | host | yes | yes (inventory subject) | n/a | no | `device.yml` L240–264; `test12009.org.test.local`, `Windows 11 Enterprise` |
+| `device.id` | 2 | host | yes | yes (inventory subject) | n/a | no | `copy_from: activedirectory.device.object_sid` (L126–128) |
+| `related.user` | 2 | user | yes | yes (enrichment bag) | n/a | no | appends sAMAccountName, DN, GUID, 
mail, UPN (`user.yml` L258–287) |
+| `related.hosts` | 2 | host | yes | yes (enrichment bag) | n/a | no | appends `host.name`, DN, GUID (`device.yml` L266–289) |
+| `labels.identity_source` | — | general | yes | yes (deployment scope) | n/a | no | tags originating directory instance; not an actor or target |
+| `entityanalytics_ad.user.*` | 2 | user | yes (vendor) | n/a | n/a | no | UPN, UAC flags, `member_of`, `privileged_group_member`, logon timestamps, delegation flags |
+| `entityanalytics_ad.device.*` | 2 | host | yes (vendor) | n/a | n/a | no | `dns_host_name`, `service_principal_name`, `operating_system`, `member_of`, UAC-derived flags |
+| `entityanalytics_ad.groups[]` | 2 | general | yes (vendor) | n/a | n/a | no | nested group objects with `object_sid`, `distinguished_name`, optional `member` |
+| `entityanalytics_ad.entity.*` | 2 | general | yes (vendor) | n/a | n/a | no | unrouted LDAP attributes (`entity.yml`) |
+| `destination.user.*` / `destination.host.*` | — | — | no | n/a | n/a | no | Not present in pipelines; package absent from `destination_identity_hits.csv` |
+
+### Gaps and mapping notes
+
+- **Inventory sync, not audit:** All three data streams (`entity`, `user`, `device`) ship LDAP inventory snapshots/deltas. Actor/target audit enhancement does not apply; use complementary Windows Security / AD audit integrations for change attribution.
+- **No ECS `*.target.*` today:** Aligns with `target_enhancement_packages.csv` (`priority=none`, all signal flags false). `user.*` and `host.*` describe the synced object, not an audit acted-upon entity.
+- **`event.action` stripped for inventory rows:** Agent emits `user-discovered` and `device-discovered` on incremental sync events (`test-user.json`, `test-device.json`, README) but `default.yml` removes `event.action` unless `started`/`completed`. Only full-sync boundary markers retain action in Elasticsearch output.
**Enhancement candidate:** preserve agent discovery actions on routed `user`/`device` documents if incremental sync semantics are needed downstream.
+- **`event.action` is sync vocabulary, not AD audit:** Even when preserved (`started`/`completed`), actions describe Entity Analytics sync lifecycle — not AD object create/modify/delete or security events.
+- **`user.*` is inventory subject, not actor:** Pipeline maps AD user account attributes to ECS `user.*` (e.g. `Administrator` in fixtures). Semantically correct for Entity Analytics asset records; must not be interpreted as the LDAP sync operator.
+- **Computer accounts use both `host.*` and `user.name`:** `device.yml` sets `user.name` from `sam_account_name` (e.g. `TEST12009$`) alongside `host.*` — computer account naming convention, not a human actor.
+- **No `destination.*` de-facto targets:** Unlike email/auth integrations, no pipeline maps identity to `destination.user.*` or `destination.host.*`.
+- **Embedded groups are membership context:** `entityanalytics_ad.groups[]` enriches user/device records with group metadata and drives `user.group.*` / `privileged_group_member`; not separate audit targets.
+- **Sync markers carry no entity:** `started`/`completed` events (`marker.yml`, `default.yml` L9–12) mark full-sync boundaries only; no inventory subject payload beyond `labels.identity_source`.
+
+### Per-stream notes
+
+#### `entityanalytics_ad.entity`
+
+Primary collection stream from the Elastic Agent entity-analytics input. `default.yml` routes LDAP payloads to `user.yml`, `device.yml`, or `entity.yml` based on `user.id` / `device.id`; unrouted objects and sync markers stay on this dataset. Sync markers (`sample_event.json`: `event.action: started`) have no actor or inventory subject — only `labels.identity_source` and `asset.category: entity`. **Action semantics:** only `started`/`completed` survive ingest; discovery actions on routed payloads are stripped before routing.
+
+#### `entityanalytics_ad.user`
+
+Routed user account inventory (`routing_rules.yml`: `ctx.user?.id != null`). Maps AD user attributes to ECS `user.*` and `asset.*` with rich vendor detail under `entityanalytics_ad.user.*`. Optional group enrichment populates `entityanalytics_ad.groups[]` and ECS `user.group.*`. Example fixture: built-in `Administrator` with Domain/Enterprise/Schema Admins membership and `privileged_group_member: true`. **Action semantics:** agent sends `user-discovered` on input; pipeline removes `event.action` — output has no per-object sync action.
+
+#### `entityanalytics_ad.device`
+
+Routed computer account inventory (`routing_rules.yml`: `ctx.device?.id != null`). Maps computer attributes to ECS `host.*`, `device.id`, and `asset.*` (`asset.type: activedirectory_device`). Vendor fields retain SPNs, OS version, UAC flags, and group memberships. Example fixture: `TEST12009` Windows 11 endpoint with GPOD group memberships. **Action semantics:** agent sends `device-discovered` on input; pipeline removes `event.action` — output has no per-object sync action.
+
+## Example Event Graph
+
+This integration performs **Active Directory entity inventory sync over LDAP**, not security audit logging. Documents are identity **asset records** (`event.kind: asset`) from scheduled Entity Analytics polling — not discrete auditable operations with an initiating principal and an acted-upon target. **No per-event Actor → action → Target graph applies** to routed inventory rows on `entityanalytics_ad.user` or `entityanalytics_ad.device` (fixtures: `test-user.json-expected.json` events 1–3, `test-device.json-expected.json` event 0). Each row describes a single AD object at sync time (`user.*` / `host.*` as inventory subject); the LDAP sync operator (Elastic Agent bind identity) is not recorded on events.
+
+The only events with `event.action` preserved in pipeline output are full-sync **boundary markers** on `entityanalytics_ad.entity` (`started`, `completed`).
These mark sync lifecycle boundaries and carry `labels.identity_source` plus `asset.category: entity`, but no actor identity and no inventory subject payload — they are administration markers, not Actor → action → Target audit chains.
+
+Agent input may include `user-discovered` / `device-discovered` on incremental sync events (`test-user.json`, `test-device.json`), but `default.yml` strips `event.action` unless the value is `started` or `completed`, so discovery semantics do not appear in routed `user`/`device` output.
+
+**Inventory subject (not an audit graph):** fixture `test-user.json-expected.json` event 1 describes AD user `Administrator` (`user.id`: `S-1-5-21-372676048-1189045421-4047760665-500`, `user.name`: `Administrator`, `user.email`: `admin@testserver.local`) as a synchronized asset — there is no separate actor or target layer. For AD change attribution (who created/modified/deleted objects), use Windows Security Event Log or dedicated AD audit integrations.
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed (Tier A).** Three log data streams from `manifest.yml` route on **`data_stream.dataset`**: `entityanalytics_ad.entity` (collection + sync markers), `entityanalytics_ad.user` (routed user inventory), `entityanalytics_ad.device` (routed computer inventory). Fixtures: `sample_event.json`, `test-user.json-expected.json`, `test-device.json-expected.json`. Cross-package queries use unscoped `FROM logs-*` (no `WHERE data_stream.dataset` filter); embed `data_stream.dataset == "entityanalytics_ad.user"` (etc.) in every CASE fallback branch when EVAL is added. This integration performs **LDAP entity inventory sync**, not AD security audit logging. Documents are identity **asset records** (`event.kind: asset`); Pass 3 confirms **no per-event Actor → action → Target graph** on routed inventory rows. ECS `user.*` / `host.*` describe the **inventory subject**, not an audit principal or acted-upon target.
Package does not use `destination.*` identity fields (`destination_identity_hits.csv` absence). **No preserve-first `EVAL` blocks are produced** — document all streams under **Streams excluded** rather than promoting inventory fields to `user.target.*` / `host.target.*` or treating `user.id` as an audit actor. **Pass 4 tautology cleanup (§10):** ingest-populated `user.id`, `user.name`, `user.email`, `user.domain`, `host.name`, and `device.id` have no alternate query-time source (LDAP attributes renamed at ingest under `activedirectory.*` / `entityanalytics_ad.*` only) — omit from actor/target/action `EVAL`; do not emit `CASE(actor_exists, col, …, col, null)`, `CASE( IS NOT NULL, , )`, `CASE(action_exists, event.action, …, event.action, null)`, or `CASE(target_exists, user.target.id, user.id, null)` / `host.target.name` ← `host.name` — misclassifies synced AD objects as audit targets.
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `entityanalytics_ad.entity` | collection + sync markers | — | — | none |
+| `entityanalytics_ad.user` | user inventory | — | — | none |
+| `entityanalytics_ad.device` | computer inventory | — | — | none |
+
+### Field mapping plan
+
+No actor or target destination columns are populated. Inventory sync semantics (Pass 2/3); the LDAP sync operator (Elastic Agent bind identity) is not indexed. Query-time `CASE` on `user.id`, `user.name`, `host.name`, or `device.id` would conflate directory asset records with audit actor/target identity. Columns below are **ingest-only — omit from ES|QL** (no alternate indexed source for audit extraction; fallback would repeat the same column per §10).
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| — | — | — | — | No audit actor on any stream |
+| `user.id` | `activedirectory.user.object_sid` → `user.id` | `data_stream.dataset == "entityanalytics_ad.user"` | high | **ingest-only — no ES\|QL** — `user.yml` L144–146; fixture SID `S-1-5-21-372676048-1189045421-4047760665-500`; inventory subject, not LDAP operator; omit — `CASE(actor_exists, user.id, …, user.id, null)` is identity no-op |
+| `user.name` | `activedirectory.user.sam_account_name` → `user.name` | `data_stream.dataset == "entityanalytics_ad.user"` | high | **ingest-only — no ES\|QL** — `user.yml` L119–122; omit — `CASE(user.name IS NOT NULL, user.name, user.name)` or 4-arg `CASE(actor_exists, user.name, user.name, null)` (3rd arg is a **condition**, not fallback) |
+| `user.email` | `activedirectory.user.mail` → `user.email` | `data_stream.dataset == "entityanalytics_ad.user"` | high | **ingest-only — no ES\|QL** — `user.yml` L123–127; omit — no flat query-time vendor path distinct from output |
+| `user.domain` | gsub on `distinguished_name` → `user.domain` | `data_stream.dataset == "entityanalytics_ad.user"` | high | **ingest-only — no ES\|QL** — `user.yml` L128–140; omit — `CASE(actor_exists, user.domain, user.domain, null)` |
+| `host.name` / `host.hostname` | `device.yml` L240–264 | `data_stream.dataset == "entityanalytics_ad.device"` | high | **ingest-only — no ES\|QL** — computer inventory subject (e.g. 
`test12009.org.test.local`); not collection scope; omit from actor `EVAL` |
+| `device.id` | `activedirectory.device.object_sid` → `device.id` | `data_stream.dataset == "entityanalytics_ad.device"` | high | **ingest-only — no ES\|QL** — `device.yml` L126–128; omit — `CASE(actor_exists, device.id, device.id, null)` |
+| `user.name` (device stream) | `sam_account_name` → `user.name` | `data_stream.dataset == "entityanalytics_ad.device"` | high | **ingest-only — no ES\|QL** — `device.yml` sets `user.name` for computer SAM (e.g. `TEST12009$`); not human audit actor; omit — do not wire as `user.name` fallback on user stream |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| — | — | — | — | No audit target; `user.*` / `host.*` are inventory subject only |
+| `user.target.id` | — | `data_stream.dataset IN ("entityanalytics_ad.user", "entityanalytics_ad.device")` | high | **omit** — `user.id` is inventory subject; `CASE(target_exists, user.target.id, user.id, null)` mislabels synced account as audit target |
+| `host.target.name` | — | `data_stream.dataset == "entityanalytics_ad.device"` | high | **omit** — `host.name` is synced computer identity; `CASE(target_exists, host.target.name, host.name, null)` duplicates subject |
+| `user.target.*` / `host.target.*` / `service.target.*` | — | all datasets | high | **omit** — no ECS `*.target.*` at ingest; promotion from inventory columns violates Pass 2/3 |
+
+#### Event action mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `event.action` | agent `event.action` (markers) | `data_stream.dataset == "entityanalytics_ad.entity"` | high | **ingest-only on markers — no ES\|QL** — `default.yml` L9–12 pass-through `started`/`completed` only (`sample_event.json`); omit — `CASE(action_exists, event.action, event.action, null)` or agent-field 
fallback after strip is identity no-op on inventory rows |
+| — | — | — | — | Sync vocabulary only; not AD audit verbs; `user-discovered` / `device-discovered` removed before routed output (`test-user.json`, `test-device.json`) |
+
+**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs. **4** args → two pairs (3rd arg is a **boolean condition**, not a fallback) — e.g. `CASE(user.name IS NOT NULL, user.name, user.name, null)` parses as “else if `user.name` is truthy, return `null`”, not “else null”. **5** args with dataset routing still tautologizes when fallback repeats the output column — e.g. `CASE(user.id IS NOT NULL, user.id, data_stream.dataset == "entityanalytics_ad.user", user.id, null)`. For inventory-only integrations, omit `EVAL` entirely rather than wrapping ingest-populated columns.
+
+### Detection flags (mandatory — run first)
+
+Not applicable — all streams excluded (entity inventory sync; no defensible preserve-first fallback without misclassifying asset fields). Do not emit detection flags solely to wrap tautological `CASE` on ingest-populated `user.*`, `host.*`, or marker `event.action`.
+
+### Combined ES|QL — actor fields
+
+Not applicable — all streams excluded (inventory sync). Do not emit `CASE(actor_exists, user.id, user.id, null)`, `CASE(actor_exists, user.name, user.name, null)`, `CASE(actor_exists, host.name, host.name, null)`, `CASE(actor_exists, device.id, device.id, null)`, or `CASE(user.id IS NOT NULL, user.id, data_stream.dataset == "entityanalytics_ad.user", user.id, null)` — ingest-only with no alternate source (`user.yml`, `device.yml`).
+
+### Combined ES|QL — event action
+
+Not applicable — all streams excluded. Marker `event.action` (`started`/`completed`) is ingest pass-through only (`default.yml` L9–12).
Do not emit `CASE(action_exists, event.action, event.action, null)` or `CASE(action_exists, event.action, data_stream.dataset == "entityanalytics_ad.entity", event.action, null)` — no query-time agent action on routed `user`/`device` rows after strip; do not substitute sync vocabulary for AD audit verbs.
+
+### Combined ES|QL — target fields
+
+Not applicable — all streams excluded (inventory sync). Do not emit `CASE(target_exists, user.target.id, user.id, null)`, `CASE(target_exists, host.target.name, host.name, null)`, `CASE(target_exists, user.target.name, user.name, null)` (device-stream `user.name` is computer SAM), or promote `entityanalytics_ad.user.*` / `entityanalytics_ad.device.*` to `*.target.*`.
+
+### Streams excluded
+
+- **`entityanalytics_ad.entity`** — primary Elastic Agent entity-analytics collection stream; `default.yml` routes LDAP payloads to user/device pipelines. Sync boundary markers retain `event.action`: `started`/`completed` (`sample_event.json`, `test-user.json-expected.json` event 0) but carry no actor identity and no inventory subject payload — only `labels.identity_source` and `asset.category: entity`.
+- **`entityanalytics_ad.user`** — AD user account inventory routed when `user.id` is present (`routing_rules.yml`); ECS `user.*` / `asset.*` (e.g. `Administrator`, SID `S-1-5-21-372676048-1189045421-4047760665-500` in fixtures) is the synced object, not an audit actor or target. Agent input may include `user-discovered`; pipeline removes it before output.
+- **`entityanalytics_ad.device`** — AD computer account inventory routed when `device.id` is present; ECS `host.*`, `device.id`, and `asset.*` describe the synced endpoint (e.g. `TEST12009$` / `test12009.org.test.local`). `device.yml` also sets `user.name` from SAM account — computer naming convention, not a human audit actor. Agent `device-discovered` is stripped on output.
+
+### Gaps and limitations
+
+- **Inventory sync, not audit:** For AD change attribution (who created/modified/deleted objects, logon events), use Windows Security Event Log or dedicated AD audit integrations — not this package.
+- **Target-fields audit `none`:** Package absent from `destination_identity_hits.csv`; no ECS `*.target.*` or `destination.*` in pipelines. Wiring inventory `user.id` / `host.name` into `user.target.*` or actor columns at query time would violate Pass 2/3 semantics.
+- **`user.*` must not be wired as actor:** `user.yml` maps AD user attributes to ECS `user.*` for Entity Analytics asset records — correct for inventory, incorrect for cross-integration audit principal extraction.
+- **`event.action` stripped on inventory rows:** Agent emits `user-discovered` / `device-discovered` (`test-user.json`, `test-device.json`) but `default.yml` removes `event.action` unless `started` or `completed` — incremental discovery semantics do not appear in routed `user`/`device` output.
+- **Sync markers are not audit events:** Even retained `started`/`completed` actions mark full-sync boundaries only — no actor, no layered target.
+- **Embedded groups are membership context:** `entityanalytics_ad.groups[]` enriches user/device records; not separate audit targets for ES|QL extraction.
+- **Enhancement path:** Preserve agent discovery actions on routed documents or ingest AD audit streams before query-time actor/target normalization is meaningful.
+- **Pass 4 tautology cleanup (§10):** `user.id`, `user.name`, `user.email`, `user.domain`, `host.name`, and `device.id` omitted from all `EVAL` blocks — ingest-only with no distinct query-time fallback; `entityanalytics_ad.*` vendor paths stay enrichment context only (do not wire as actor/target fallbacks). No **4-arg** `CASE(col, col, null)` — third argument is a condition, not default.
diff --git a/dev/domain/p1/entityanalytics_okta.md b/dev/domain/p1/entityanalytics_okta.md
new file mode 100644
index 00000000000..481e4e6680b
--- /dev/null
+++ b/dev/domain/p1/entityanalytics_okta.md
@@ -0,0 +1,248 @@ +# entityanalytics_okta + +## Product Domain (Okta entity analytics) + +Okta is a cloud identity and access management (IAM) platform that serves as the authoritative directory for workforce and customer identities in many enterprises. Okta stores user accounts, group memberships, role assignments, and registered devices, exposing them through the Okta Management API (Core API v1). Security teams use this identity inventory to understand who exists in the environment, which accounts are privileged, how devices are enrolled, and how identity posture changes over time. + +Entity Analytics in Elastic Security consumes identity inventory—not authentication or system logs—to build a living graph of users and devices for risk scoring, user behavior analytics (UBA), and context enrichment during investigations. The Okta Entity Analytics integration connects Elastic Agent to an Okta tenant via the REST API, periodically synchronizing user and device objects into Elasticsearch. Unlike event-driven log sources, this integration treats identities as assets: it performs full synchronizations on a configurable interval (default 24 hours) and ships incremental updates for changed, added, or removed objects between syncs (default every 15 minutes). + +Core Okta concepts reflected in collected data include user lifecycle and profile attributes (login, email, name, department, manager, status), optional group membership and role enrichment, credential provider metadata, and registered devices (platform, serial number, disk encryption, secure hardware, status, associated users). Authentication to Okta supports API tokens, OAuth2 (service app with JWK/PEM), or the Okta Integration Network (OIN) Elastic app. Ingest pipelines normalize raw Okta API responses into ECS-aligned user, device, and asset fields and route documents to separate user and device data streams. 
+ +## Data Collected (brief) + +- **Entity sync** (`entityanalytics_okta.entity`): Primary collection stream from the Elastic Agent entity-analytics input; polls Okta Management API endpoints (`/api/v1/users`, `/api/v1/devices`) for user and/or device objects depending on dataset selection (`users`, `devices`, or `all`). Events include full-sync write markers and incremental change notifications (`event.action` such as `user-discovered`, `device-discovered`, `started`). +- **Users** (`entityanalytics_okta.user`): Okta user account inventory routed from the entity stream. Includes user ID, status, lifecycle timestamps (created, activated, last login, password changed), profile attributes (login, email, name, title, department, manager, address, phone), credential provider, optional group memberships (`entityanalytics_okta.groups.*`), optional role assignments (`entityanalytics_okta.roles.*`), and ECS `user.*` profile and account fields. +- **Devices** (`entityanalytics_okta.device`): Okta registered device inventory routed from the entity stream. Includes device ID, status, platform, display name, serial number, disk encryption, secure hardware, registration state, associated users, and ECS `device.*` / `asset.*` mapping. +- **Identity context**: `labels.identity_source` tags the originating Okta tenant; `event.kind: asset` and IAM-oriented categorization support Entity Analytics workflows in Elastic Security. + +## Expected Audit Log Entities + +This integration performs **Okta entity inventory sync over the Management API**, not Okta System Log or other administrative audit streams. Elastic Agent polls `/api/v1/users` and `/api/v1/devices` on a schedule and ships snapshots and deltas of user and device objects; it does **not** ingest authentication events, admin actions, or lifecycle change audit records. Every document is an identity asset record (`event.kind: asset`); **actor/target audit semantics do not apply**. 
Fields below describe **inventory subjects** (the Okta object being synchronized), not an initiating principal or an acted-upon audit target. No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*` fields are populated; the package does not appear in `destination_identity_hits.csv` (no `destination.user.*` / `destination.host.*`). Target-fields audit classified this package as **`none`** (`dev/target-fields-audit/out/target_enhancement_packages.csv`). + +**`event.action` is partially populated.** Sync boundary markers retain agent-supplied `started` and `completed` (`sample_event.json`: `started`; pipeline allows both values). Inventory rows arrive from the agent with incremental sync markers (`user-discovered`, `user-modified`, `device-discovered`, `device-modified` per README and pipeline test inputs) but `default.yml`, `user.yml`, and `device.yml` **remove** `event.action` unless the value is `started` or `completed` (L9–12 / L17–20) — incremental sync semantics are not preserved in routed `user`/`device` output. This is inventory sync action vocabulary, not Okta System Log audit verbs (login, admin policy change, MFA enrollment). + +Evidence: `packages/entityanalytics_okta/data_stream/entity/sample_event.json`, `_dev/test/pipeline/test-user.json-expected.json`, `_dev/test/pipeline/test-device.json-expected.json`, ingest pipelines `default.yml`, `user.yml`, `device.yml`, `routing_rules.yml`, and `data_stream/*/fields/fields.yml`. + +### Event action (semantic) + +Entity Analytics Okta records **sync lifecycle and change markers**, not per-object Okta System Log audit. Actions describe whether a full sync started/completed or an object was discovered/modified during incremental polling — not who changed an Okta user, device, group, or app, or what security operation occurred. 
+ +| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | +| `started` | administration | high | `sample_event.json`; README full-sync write marker | Full-sync boundary marker; `event.kind: asset`; no inventory payload; `host.name` = Okta tenant domain | +| `completed` | administration | high | Pipeline allows pass-through (`default.yml` L9–12); README describes bounded full sync | Full-sync boundary marker; same pipeline logic as `started`; not present in pipeline test fixtures | +| `user-discovered` | administration | high | README sample user document | Agent-emitted incremental/discovery marker for user objects; **stripped** from pipeline output | +| `user-modified` | administration | high | Input `test-user.json` events 1–2 (`event.action: user-modified`) | Agent-emitted change marker for updated user metadata; **stripped** from pipeline output | +| `device-discovered` | administration | high | README sample device document | Agent-emitted discovery marker for registered devices; **stripped** from pipeline output | +| `device-modified` | administration | high | Input `test-device.json` event 0 (`event.action: device-modified`) | Agent-emitted change marker for updated device metadata; **stripped** from pipeline output | + +Inventory asset rows (`entityanalytics_okta.user`, `entityanalytics_okta.device`) have **no per-event action** in fixtures after ingest — only static `event.kind: asset` and `event.type` / `event.category` set by `user.yml`/`device.yml`. There is no meaningful security audit verb (e.g. `user.login`, `policy.updated`, `application.assigned`) in this integration. + +### Event action (ECS candidates) + +| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | +| Agent `event.action` → retained | partial | yes (for markers) | `started`, `completed` | no | Pass-through on sync markers; `sample_event.json`: `started`; `default.yml` L9–12 | +| Agent `event.action` → removed | no (stripped) | n/a | `user-discovered`, `user-modified`, `device-discovered`, `device-modified` | yes | `default.yml` / `user.yml` / `device.yml` `remove` when action ≠ `started`/`completed`; input in `test-user.json`/`test-device.json`, absent in expected output | +| `event.type` | no | n/a | — | no | Static `['user','info']` (user) or `['info']` (device) — asset classification, not operation verb | +| `event.category` | no | n/a | — | no | Static `['iam']` (user) or `['host']` (device) — category, not action | +| `event.kind` | no | n/a | — | no | Always `asset` — document kind, not action | +| `entityanalytics_okta.user.status` / `entityanalytics_okta.device.status` | no | n/a | — | no | Okta lifecycle status (`ACTIVE`, etc.) — object state, not sync action | + +**Step 2b — per-stream check:** + +| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? 
| Primary action candidate | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `entityanalytics_okta.entity` | yes (markers only) | partial (pass-through + strip) | Agent `event.action` (`started`/`completed` retained; discovery/change actions removed before routing) | high | `default.yml` L9–12; `sample_event.json`: `started`; routed objects have no action | +| `entityanalytics_okta.user` | no (stripped) | removes non-marker actions | Agent `event.action`: `user-discovered`, `user-modified` (input only) | high | `test-user.json` input vs `test-user.json-expected.json` — inventory rows lack `event.action` | +| `entityanalytics_okta.device` | no (stripped) | removes non-marker actions | Agent `event.action`: `device-discovered`, `device-modified` (input only) | high | `test-device.json` input vs `test-device.json-expected.json` — no `event.action` in output | + +### Actor (semantic) + +No audit actor exists on any stream. Management API synchronization is performed by Elastic Agent using configured API token, OAuth2, or OIN credentials; the collector identity is not recorded on events. Sync boundary markers (`event.action`: `started`, `completed`) carry only `labels.identity_source` and `host.name` (Okta tenant domain) — no operator. Incremental change actions from the agent (`user-discovered`, `user-modified`, `device-discovered`, `device-modified`) are **removed** by pipeline unless `started`/`completed` (`user.yml`/`device.yml`/`default.yml` L9–12 / L17–20). Inventory rows populate `user.*` or `device.*`/`asset.*` for the **described Okta object**, not the party that triggered ingestion. 
+ +| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | +| — | — | — | high | No ECS `user.*`, `client.user.*`, `source.*`, or vendor principal fields on any fixture or pipeline step | **All streams** — actor/target audit classification does not apply | + +**Note:** For Okta directory-change and authentication audit (who signed in, who modified users/groups/apps, MFA events), use the Okta System Log integration — not this package. + +### Actor (ECS candidates) + +| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| — | — | no | n/a | high | No actor identity fields in pipelines or fixtures | + +`user.*` on user/device records identifies the **inventory subject**, not an audit actor — do not interpret as caller/principal. `host.name` holds the Okta tenant domain (`okta_domain` → `host.name`, `default.yml` L26–28), not an endpoint actor. + +### Target (semantic) + +Inventory subjects only — not audit targets. Each document describes one Okta object at sync time; there is no separate actor and no layered "acted-upon" semantics. 
+ +| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | --- | --- | +| 2 — Resource / object | Okta user account (inventory subject) | User account | user | — | high | ECS `user.*`, `asset.*` (`asset.type: okta_user`); vendor `entityanalytics_okta.user.*`; fixture: `isaac.brock@example.com` / Okta ID `00ub0oNGTSWTBKOLGLNR` | **`entityanalytics_okta.user`** — routed when `user.id` present (`routing_rules.yml`) | +| 2 — Resource / object | Okta registered device (inventory subject) | Registered endpoint | host | — | high | ECS `device.id`, `device.serial_number`, `os.platform`, `asset.*` (`asset.type: okta_device`); vendor `entityanalytics_okta.device.*`; fixture: `guo4a5u7YAHhjXrMK0g4` / `Example Device name 1` | **`entityanalytics_okta.device`** — routed when `device.id` present | +| 2 — Resource / object | Embedded group membership | Okta group | general | okta-group | high | `entityanalytics_okta.groups[]` with `id`, `profile.name`; rolled into `user.group.id` / `user.group.name` (`user.yml` L228–243) | **user** — enrichment when group lookup enabled; related identity context, not audit target | +| 2 — Resource / object | Embedded role assignment | Okta admin/app role | general | okta-role | high | `entityanalytics_okta.roles[]` with `id`, `label`, `type`, `assignment_type`; rolled into `user.roles` (`user.yml` L244–297); fixture: `Application administrator`, `ORG_ADMIN` | **user** — enrichment when role lookup enabled; privilege context, not audit target | +| 2 — Resource / object | Device-associated users | Linked Okta user | user | — | high | `okta.users[]` → `related.user` appends (`device.yml` L133–176); fixture: `00ub0oNGTSWTBKOLGLNR`, `isaac.brock@example.com` | **device** — associated-user context on device records | +| — | Sync boundary marker | Full-sync start/complete | — | — | high | `event.action`: `started`/`completed`; no entity payload | 
**`entityanalytics_okta.entity`** — `sample_event.json` | + +Layer 1 (platform service) and Layer 3 (content/artifact) do not apply — no invoked API operation or per-action payload; this is periodic Management API inventory, not an auditable operation. + +### Target (ECS candidates) + +Fields below are **inventory subject identity**, not ECS audit-target mappings. Enhancement to `*.target.*` does not apply. + +| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `user.id` | 2 | user | yes | partial (inventory subject) | n/a | no | Agent sets `user.id` for routing; pipeline does not copy `okta.id` → `user.id`. Fixture: `user.id: 00u5tvodynDjUCNKn697` vs `entityanalytics_okta.user.id` / `asset.id: 00ub0oNGTSWTBKOLGLNR` | +| `user.name` | 2 | user | yes | yes (inventory subject) | n/a | no | `copy_from: entityanalytics_okta.user.profile.login` (`user.yml` L314–317); `isaac.brock@example.com` | +| `user.email` | 2 | user | yes | yes (inventory subject) | n/a | no | `copy_from: entityanalytics_okta.user.profile.email` (L324–327) | +| `user.full_name` | 2 | user | yes | yes (inventory subject) | n/a | no | `copy_from: entityanalytics_okta.user.profile.display_name` (L430–433); `Isaac Brock` | +| `user.group.id` / `user.group.name` | 2 | general | yes | yes (membership context) | n/a | no | foreach on `entityanalytics_okta.groups` (L228–243); `Everyone` / `OGYzMDMwYjFmODBiNjli` | +| `user.roles` | 2 | general | yes | yes (privilege context) | n/a | no | foreach on `entityanalytics_okta.roles` (L249–264); role IDs and labels | +| `user.account.*` / `user.profile.*` / `user.organization.*` / `user.geo.*` | 2 | user | yes | yes (inventory attributes) | n/a | no | lifecycle dates, status flags, department, manager, address from `okta.profile.*` | +| `asset.id` / `asset.name` / `asset.type` / `asset.status` / `asset.create_date` / 
`asset.last_updated` / `asset.last_seen` / `asset.vendor` | 2 | user / host | yes | yes (inventory subject) | n/a | no | `asset.id` ← `entityanalytics_okta.user.id` or `entityanalytics_okta.device.id`; `asset.vendor` ← credential provider name | +| `device.id` / `device.serial_number` | 2 | host | yes | yes (inventory subject) | n/a | no | Agent sets `device.id` for routing; `device.serial_number` ← `okta.profile.serialNumber` (`device.yml` L193–196) | +| `os.platform` | 2 | host | yes | yes (inventory attribute) | n/a | no | lowercase from `okta.profile.platform` (L177–180); `windows` | +| `host.name` | — | general | yes | yes (tenant scope) | n/a | no | Okta tenant domain (`trial-xxxxxxx-admin.okta.com`); deployment scope, not inventory subject | +| `related.user` | 2 | user | yes | yes (enrichment bag) | n/a | no | appends Okta user ID, login, email, names, employee number (`user.yml` L51–56, L308–641); device associated users (`device.yml` L133–176) | +| `labels.identity_source` | — | general | yes | yes (deployment scope) | n/a | no | tags originating Okta tenant instance; not an actor or target | +| `entityanalytics_okta.user.*` | 2 | user | yes (vendor) | n/a | n/a | no | profile, credentials, lifecycle timestamps, `_links`, `_embedded` | +| `entityanalytics_okta.device.*` | 2 | host | yes (vendor) | n/a | n/a | no | disk encryption, secure hardware, registration state, `_links`, associated users | +| `entityanalytics_okta.groups[]` | 2 | general | yes (vendor) | n/a | n/a | no | nested group objects with `id`, `profile.name`, `profile.description` | +| `entityanalytics_okta.roles[]` | 2 | general | yes (vendor) | n/a | n/a | no | role assignments with `id`, `label`, `type`, `assignment_type`, `status` | +| `destination.user.*` / `destination.host.*` | — | — | no | n/a | n/a | no | Not present in pipelines; package absent from `destination_identity_hits.csv` | + +### Gaps and mapping notes + +- **Inventory sync, not audit:** All three data streams (`entity`, 
`user`, `device`) ship Management API inventory snapshots/deltas. Actor/target audit enhancement does not apply; use the Okta System Log integration for change attribution and authentication audit. +- **No ECS `*.target.*` today:** Aligns with `target_enhancement_packages.csv` (`priority=none`, all signal flags false). `user.*` and `device.*` describe the synced object, not an audit acted-upon entity. +- **`event.action` stripped for inventory rows:** Agent emits `user-discovered`, `user-modified`, `device-discovered`, and `device-modified` on incremental sync events (`test-user.json`, `test-device.json`, README) but `default.yml`/`user.yml`/`device.yml` remove `event.action` unless `started`/`completed`. Only full-sync boundary markers retain action in Elasticsearch output. **Enhancement candidate:** preserve agent discovery/change actions on routed `user`/`device` documents if incremental sync semantics are needed downstream. +- **`event.action` is sync vocabulary, not Okta audit:** Even when preserved (`started`/`completed`), actions describe Entity Analytics sync lifecycle — not Okta System Log events (login, admin policy change, MFA enrollment, app assignment). +- **`user.*` is inventory subject, not actor:** Pipeline maps Okta user account attributes to ECS `user.*` (e.g. `isaac.brock@example.com` in fixtures). Semantically correct for Entity Analytics asset records; must not be interpreted as the API sync operator. +- **`user.id` vs `asset.id` divergence:** Pipeline sets `asset.id` from `okta.id` (`entityanalytics_okta.user.id`) but does not overwrite agent-supplied `user.id` used for routing. Canonical Okta user ID is `entityanalytics_okta.user.id` / `asset.id`; `user.id` may differ in edge cases. +- **No `destination.*` de-facto targets:** Unlike email/auth integrations, no pipeline maps identity to `destination.user.*` or `destination.host.*`. 
+- **Embedded groups and roles are membership/privilege context:** `entityanalytics_okta.groups[]` and `entityanalytics_okta.roles[]` enrich user records and drive ECS `user.group.*` / `user.roles`; not separate audit targets. +- **Sync markers carry no entity:** `started`/`completed` events (`sample_event.json`) mark full-sync boundaries only; `host.name` identifies tenant, not an endpoint inventory subject. + +### Per-stream notes + +#### `entityanalytics_okta.entity` + +Primary collection stream from the Elastic Agent entity-analytics input. `default.yml` routes API payloads to `user.yml` or `device.yml` based on `user.id` / `device.id` presence; routed documents land on `entityanalytics_okta.user` or `entityanalytics_okta.device` per `routing_rules.yml`. Sync markers (`sample_event.json`: `event.action: started`) have no actor or inventory subject — only `labels.identity_source` and `host.name`. **Action semantics:** only `started`/`completed` survive ingest; discovery/change actions on routed payloads are stripped before routing. + +#### `entityanalytics_okta.user` + +Routed user account inventory (`routing_rules.yml`: `ctx.user?.id != null`). Maps Okta user attributes to ECS `user.*` and `asset.*` (`asset.type: okta_user`) with rich vendor detail under `entityanalytics_okta.user.*`. Optional group enrichment populates `entityanalytics_okta.groups[]` and ECS `user.group.*`; optional role enrichment populates `entityanalytics_okta.roles[]` and `user.roles`. Example fixture: `Isaac Brock` with `Everyone` group membership and admin role assignments. **Action semantics:** agent sends `user-discovered` or `user-modified` on input; pipeline removes `event.action` — output has no per-object sync action. + +#### `entityanalytics_okta.device` + +Routed registered device inventory (`routing_rules.yml`: `ctx.device?.id != null`). Maps device attributes to ECS `device.*`, `os.platform`, and `asset.*` (`asset.type: okta_device`). 
Vendor fields retain disk encryption, secure hardware, registration state, and API links. Associated Okta users populate `related.user`. Example fixture: Windows device `guo4a5u7YAHhjXrMK0g4` with serial `XXDDRFCFRGF3M8MD6D` linked to user `isaac.brock@example.com`. **Action semantics:** agent sends `device-discovered` or `device-modified` on input; pipeline removes `event.action` — output has no per-object sync action. + +## Example Event Graph + +Examples are drawn from `entityanalytics_okta.entity` (collection stream), `entityanalytics_okta.user`, and `entityanalytics_okta.device` (routed inventory). These streams poll the Okta Management API for user and device objects — they are **identity asset snapshots and sync deltas**, not Okta System Log audit events. + +**No per-event Actor → action → Target graph applies.** Elastic Agent performs scheduled API synchronization; the collector/API credential identity is not recorded on events. Fields such as `user.*` and `device.*` describe the **inventory subject** (the Okta object being synchronized), not an audit actor or an acted-upon target. Routed user and device fixtures have no `event.action` after ingest (`test-user.json-expected.json`, `test-device.json-expected.json`). For authentication, admin, and lifecycle change audit (who signed in, who modified a user or app), use the Okta System Log integration. + +### Note: sync boundary markers (action only) + +The only Elasticsearch output fixture retaining `event.action` is a full-sync start marker on the entity stream — it carries sync lifecycle semantics but no actor entity and no inventory subject payload, so it does not form a complete Actor → action → Target chain. 
+ +**Stream:** `entityanalytics_okta.entity` · **Fixture:** `packages/entityanalytics_okta/data_stream/entity/sample_event.json` + +``` +(no actor) → started → (no target) +``` + +#### Event action + +| Field | Value | +| --- | --- | +| action | started | +| source_field | `event.action` | +| source_value | `started` | + +**Field sources:** `action` ← `event.action` (`started`); tenant scope only via `host.name` ← Okta domain (`trial-xxxxxxx-admin.okta.com`); `event.kind: asset`; no `user.*` or `device.*` inventory payload on this document. + +Agent input for incremental sync may include `user-discovered`, `user-modified`, `device-discovered`, or `device-modified` (`test-user.json`, `test-device.json`), but `default.yml` / `user.yml` / `device.yml` strip those values from routed output — inventory rows ship as static asset records without a per-object sync action in Elasticsearch. + +## ES|QL Entity Extraction + +**Package type: agent-backed (Tier A).** Three log data streams from `manifest.yml` route on **`data_stream.dataset`**: `entityanalytics_okta.entity` (collection + sync markers), `entityanalytics_okta.user` (routed user inventory), `entityanalytics_okta.device` (routed device inventory). Fixtures: `sample_event.json`, `test-user.json-expected.json`, `test-device.json-expected.json`. Cross-package queries use unscoped `FROM logs-*` (no `WHERE data_stream.dataset` filter); embed `data_stream.dataset == "entityanalytics_okta.user"` (etc.) in every CASE fallback branch when EVAL is added. This integration performs **Okta Management API entity inventory sync**, not Okta System Log audit. Documents are identity **asset records** (`event.kind: asset`); Pass 3 confirms **no per-event Actor → action → Target graph** on routed inventory rows. ECS `user.*` / `device.*` / `asset.*` describe the **inventory subject**, not an audit principal or acted-upon target. 
**No `EVAL` / `CASE` blocks are produced** — all three datasets under **Streams excluded**; do not promote inventory `user.*` / `device.*` into audit actor/target columns or `user.target.*` / `host.target.*`. **Pass 4 (CASE syntax + tautology):** ingest populates identity columns from Okta API payloads (`user.yml` / `device.yml` / `default.yml`) with no alternate query-time vendor path — omit columns from ES|QL rather than **4-arg** `CASE(actor_exists|target_exists|action_exists, col, bare_field, null)` (bare field parses as a **condition**, not a fallback) or **4-arg** `CASE(flag, col, col, null)` (identity no-op). Even valid **3-arg** `CASE(user.name IS NOT NULL, user.name, user.full_name)` is omitted: both fields describe the inventory subject (`test-user.json-expected.json`), not audit principal rename, and `actor_exists` true from `user.email` must not gate `user.name` via flag-based preserve. + +### Dataset inventory + +| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction | +| --- | --- | --- | --- | --- | +| `entityanalytics_okta.entity` | collection + sync markers | — | — | none | +| `entityanalytics_okta.user` | user inventory | — | — | none | +| `entityanalytics_okta.device` | device inventory | — | — | none | + +### Field mapping plan + +No actor or target destination columns are populated. Inventory sync semantics (Pass 2/3); the Elastic Agent API/OAuth collector identity is not indexed. Query-time `CASE` on `user.id`, `user.name`, `user.email`, `user.full_name`, or `device.id` would conflate Okta directory asset records with audit actor/target identity. Columns below are **ingest-only — omit from ES|QL** (no alternate indexed source for audit extraction). 
+ +#### Actor mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| — | — | — | — | No audit actor on any stream | +| `user.id` | — | — | high | **ingest-only** — agent sets for routing; pipeline does not copy `okta.id` → `user.id`; canonical Okta ID is `entityanalytics_okta.user.id` / `asset.id` (`user.yml` L41–49); inventory subject, not API operator; **omit from ES\|QL** | +| `user.name` | — | `data_stream.dataset == "entityanalytics_okta.user"` | high | **ingest-only — omit from ES\|QL** — `copy_from: entityanalytics_okta.user.profile.login` (`user.yml` L314–317); forbidden **4-arg** `CASE(actor_exists, user.name, user.full_name, null)` (3rd arg is condition); valid **3-arg** `CASE(user.name IS NOT NULL, user.name, user.full_name)` still omitted (inventory subject, not audit principal) | +| `user.email` | — | — | high | **ingest-only** — `copy_from: entityanalytics_okta.user.profile.email` (`user.yml` L324–327); **omit from ES\|QL** | +| `user.full_name` | — | — | high | **ingest-only** — `copy_from: entityanalytics_okta.user.profile.display_name` (`user.yml` L430–433); no `user.name` rename at ingest; **omit from ES\|QL** | +| `host.name` | — | — | high | **ingest-only** — `okta_domain` → `host.name` (`default.yml` L26–28); Okta tenant deployment scope, not inventory subject; **omit from ES\|QL** | +| `device.id` | — | — | high | **ingest-only** — agent sets for routing; `asset.id` ← `entityanalytics_okta.device.id` (`device.yml` L41–49); **omit from ES\|QL** | +| `device.serial_number` | — | — | high | **ingest-only** — `okta.profile.serialNumber` → `device.serial_number` (`device.yml` L192–196); **omit from ES\|QL** | + +#### Target mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| — | — | — | — | No audit target; `user.*` / `device.*` are inventory subject only | +| `user.target.*` / 
`host.target.*` | — | — | high | **omit** — wiring `user.id` → `user.target.id` or `device.id` → `host.target.id` (or same column in `CASE(target_exists, col, col, null)`) duplicates inventory subject; violates Pass 2/3 | + +#### Event action mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `event.action` | — | `data_stream.dataset == "entityanalytics_okta.entity"` | high | **ingest-only on markers — omit from ES\|QL** — pass-through `started`/`completed` only (`default.yml` / `user.yml` / `device.yml` L9–12 / L17–20, `sample_event.json`); no fallback when stripped on inventory rows; forbidden **4-arg** `CASE(action_exists, event.action, event.action, null)` (tautology) | +| — | — | — | — | Sync vocabulary only; not Okta System Log audit verbs; `user-discovered` / `user-modified` / `device-discovered` / `device-modified` removed before routed output | + +### Detection flags (mandatory — run first) + +Not applicable — all streams excluded (entity inventory sync; no defensible actor/target/action fallback without misclassifying asset fields). Do not emit detection flags solely to wrap tautological `CASE` on ingest-populated columns. + +### Combined ES|QL — actor fields + +Not applicable — all streams excluded (inventory sync). Do not emit `CASE(actor_exists, user.id, user.id, null)` or map inventory `user.*` / `device.*` as audit actor — ingest-only with no alternate source (`user.yml`, `device.yml`). + +### Combined ES|QL — event action + +Not applicable — all streams excluded. Preserved `event.action` on sync markers (`started`/`completed`) is ingest pass-through only; no indexed agent action field at query time for inventory rows after pipeline strip. + +### Combined ES|QL — target fields + +Not applicable — all streams excluded (inventory sync). 
Do not emit `CASE(target_exists, user.id, user.id, null)` or promote inventory `user.id` / `device.id` to `user.target.*` / `host.target.*`. + +### Streams excluded + +- **`entityanalytics_okta.entity`** — primary Elastic Agent entity-analytics collection stream; `default.yml` routes API payloads to `user.yml` / `device.yml` per `routing_rules.yml`. Sync boundary markers retain `event.action`: `started`/`completed` (`sample_event.json`: `started`) but carry no actor identity and no inventory subject payload — only `labels.identity_source`, `host.name` (Okta tenant domain, e.g. `trial-xxxxxxx-admin.okta.com`), and `event.kind: asset`. +- **`entityanalytics_okta.user`** — Okta user account inventory routed when `user.id` is present (`routing_rules.yml`); ECS `user.*` / `asset.*` (`asset.type: okta_user`; fixture `isaac.brock@example.com` / Okta ID `00ub0oNGTSWTBKOLGLNR` via `entityanalytics_okta.user.id` / `asset.id`) is the synced object, not an audit actor or target. Agent input may include `user-discovered` / `user-modified`; pipeline removes them before output (`test-user.json` vs `test-user.json-expected.json`). +- **`entityanalytics_okta.device`** — Okta registered device inventory routed when `device.id` is present; ECS `device.id`, `device.serial_number`, `os.platform`, and `asset.*` (`asset.type: okta_device`; fixture `guo4a5u7YAHhjXrMK0g4` / `Example Device name 1`) describe the synced endpoint, not audit semantics. Associated users populate `related.user` only. Agent `device-discovered` / `device-modified` is stripped on output (`test-device.json` vs `test-device.json-expected.json`). + +### Gaps and limitations + +- **Inventory sync, not audit:** For Okta System Log authentication and admin audit (who signed in, who modified users/groups/apps, MFA events), use the Okta System Log integration — not this package. +- **Target-fields audit `none`:** Package absent from `destination_identity_hits.csv`; no ECS `*.target.*` or `destination.*` in pipelines. 
Wiring inventory `user.id` / `device.id` into `user.target.*` or actor columns at query time would violate Pass 2/3 semantics. +- **`user.*` must not be wired as actor:** `user.yml` maps Okta profile attributes to ECS `user.*` for Entity Analytics asset records — correct for inventory, incorrect for cross-integration audit principal extraction. +- **`user.id` vs `asset.id`:** Pipeline sets `asset.id` from `entityanalytics_okta.user.id` but does not overwrite agent-supplied `user.id` used for routing; do not use divergent IDs as actor fallback without ingest alignment. +- **`event.action` stripped on inventory rows:** Agent emits `user-discovered`, `user-modified`, `device-discovered`, and `device-modified` (`test-user.json`, `test-device.json`, README) but pipelines remove `event.action` unless `started` or `completed` — incremental discovery semantics do not appear in routed `user`/`device` output. +- **Sync markers are not audit events:** Even retained `started`/`completed` actions mark full-sync boundaries only — Pass 3 graph `(no actor) → started → (no target)`; no layered target. +- **Embedded groups and roles are membership/privilege context:** `entityanalytics_okta.groups[]` / `entityanalytics_okta.roles[]` enrich user records (`user.group.*`, `user.roles`); not separate audit targets for ES|QL extraction. +- **Enhancement path:** Preserve agent discovery/change actions on routed documents or ingest Okta System Log before query-time actor/target normalization is meaningful. +- **No tautological CASE (Pass 4 #10):** `user.id`, `user.name`, `user.email`, `user.full_name`, `host.name`, `device.id`, and `device.serial_number` are ingest-only inventory columns; there is no query-time vendor fallback. Emitting **4-arg** `CASE(actor_exists|target_exists, col, col, null)` or mapping inventory `user.id` / `device.id` to `user.target.*` / `host.target.*` would be an identity no-op or misclassify the synced Okta object. 
+- **Pass 4 CASE syntax:** No fenced `esql` blocks — entity inventory sync, all streams excluded per `esql-entity-mapping.md` linux example. Anti-patterns above document forbidden **4-arg** flag-based preserve and bare-field-as-condition forms only; no `target.user.*` / `target.entity.type`; no detection-flag wrapper `EVAL` solely to host tautological `CASE`. Package kibana assets contain no `EVAL`/`CASE`. diff --git a/dev/domain/p1/extrahop.md b/dev/domain/p1/extrahop.md new file mode 100644 index 00000000000..f1e940b3c3a --- /dev/null +++ b/dev/domain/p1/extrahop.md 
@@ -0,0 +1,340 @@
+# extrahop
+
+## Product Domain
+
+ExtraHop is a network detection and response (NDR) platform that delivers agentless, wire-data visibility through its RevealX product line. RevealX sensors and appliances passively analyze live network traffic at line rate—reconstructing protocols, baselining device and application behavior, and applying machine-learning and rule-based analytics to surface threats that evade endpoint and log-centric controls. The cloud-hosted **RevealX 360** console centralizes detection management, investigation workflows, and REST API access for downstream SIEM integration.
+
+Unlike signature-only IDS platforms, ExtraHop correlates behavioral anomalies across east-west and north-south traffic—covering lateral movement, command-and-control, data exfiltration, ransomware precursors, and protocol abuse—using risk scoring, MITRE ATT&CK mappings, and contextual participant metadata (devices, IPs, hostnames, roles). Analysts triage detections, assign ownership, link tickets, and group related activity into **investigations** with assessments, notes, and lifecycle status tracking within RevealX.
+
+The Elastic integration polls the [RevealX 360 REST API](https://docs.extrahop.com/current/rx360-rest-api/) via Elastic Agent (CEL input) or Agentless, authenticating with OAuth client credentials. It targets RevealX 360 v25.2+ and installs Kibana dashboards plus latest transforms to deduplicate polled detection and investigation records for SOC triage and case-management workflows.
+
+## Data Collected (brief)
+
+The integration collects RevealX 360 alert and case data over the **RevealX 360 REST API** (Client ID / Client Secret) into two log data streams:
+
+| Data stream | Description |
+|---|---|
+| **detection** | Network detections identified by ExtraHop—title, type, categories, description, risk score, status, resolution, assignee, MITRE tactics/techniques, participants (offender/victim devices, IPs, hostnames, roles), recommended factors, ticket linkage, and deep links back to RevealX |
+| **investigation** | Investigation cases grouping related detections—name, description, status, assessment, assignee, investigation types, linked detection IDs, notes, creation/update/interaction timestamps, and lifecycle fields (start/end time, created_by) |
+
+Events map to ECS (`event`, `threat`, `user`, `device`, `related`, `observer`) with ExtraHop-specific fields under `extrahop.detection.*` and `extrahop.investigation.*`. Detection events carry `event.category: threat` with MITRE and risk metadata; investigation events represent analyst case records rather than raw wire telemetry. Latest transforms maintain deduplicated destination indices; investigation source data uses a 30-day ILM policy due to polling overlap. Bundled Kibana dashboards cover detection triage (type, category, status, resolution, assignee) and investigation trends (status, assessment, assignee workload).
+
+## Expected Audit Log Entities
+
+Neither stream is a true identity or platform audit log. **`detection`** (`extrahop.detection`) exports wire-derived NDR threat indicators with offender/victim participant metadata — audit-adjacent security telemetry, not admin/API action records. **`investigation`** (`extrahop.investigation`) exports analyst case-management records (status, assessment, notes, linked detection IDs) — workflow metadata with no network endpoints.
No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*` fields are populated; no `destination.user.*` / `destination.host.*` in pipelines (`destination_identity_hits.csv` has no extrahop row). The target-fields audit classifies extrahop as **`moderate_candidate_network_dest`** with `pipeline_dest_network=true` (`destination.port` only), `pipeline_actor=false`, and no tier-A ECS target mapping (`dev/target-fields-audit/out/target_enhancement_packages.csv`).
+
+**`event.action` is absent on both streams.** Pipelines set `event.type` (`indicator` on detection, `info` on investigation) and `event.category` (`threat` on detection only) but never map vendor operation or detection-type fields to `event.action`. Primary action candidates are `extrahop.detection.type` (wire threat rule code) and, secondarily, case/detection workflow fields (`status`, `resolution`, `assessment`).
+
+Evidence: `packages/extrahop/data_stream/*/sample_event.json`, `*/_dev/test/pipeline/*-expected.json`, `*/elasticsearch/ingest_pipeline/default.yml`, `*/fields/fields.yml`.
+
+### Event action (semantic)
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `icmp_tunnel` | detection | high | `extrahop.detection.type: icmp_tunnel`; title `ICMP Tunnel` in `sample_event.json` and `test-pipeline-detection.log-expected.json` | **`detection`** — protocol-tunneling behavior identified on the wire |
+| `hacking_tools` | detection | high | `extrahop.detection.type: hacking_tools`; `properties.hacking_tool_name: Kali Linux` in pipeline test | **`detection`** — adversary tool usage on the network |
+| `expiring_cert_individual` | detection | high | `extrahop.detection.type: expiring_cert_individual`; title `Expiring SSL/TLS Server Certificate` in pipeline test | **`detection`** — certificate hygiene / hardening finding |
+| `open` / `closed` | administration | moderate | `extrahop.investigation.status: closed` (BloodHound fixture), `open` (investigation id 4) in `test-investigation.log-expected.json` | **`investigation`** — case lifecycle state from polled snapshot, not a discrete audit verb |
+| `action_taken` / `no_action_taken` | administration | moderate | `extrahop.detection.resolution: action_taken` (`sample_event.json`), `no_action_taken` (expiring-cert fixture) | **`detection`** — analyst triage outcome on the detection record, not the underlying wire activity |
+| *(no per-event verb)* | — | high | No `event.action` in any fixture; investigation has no vendor field naming a performed operation | **`investigation`** — polled case record; `event.type: info` describes document kind, not an action |
+
+Wire-derived detections name the **observed threat behavior** via `type` (rule code), not a portal/API operation. Investigation events are periodic case-state exports — `status` and `assessment` are the closest workflow labels but describe record state rather than a single auditable action.
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `json.type` → `extrahop.detection.type` | no | n/a | `icmp_tunnel`, `hacking_tools`, `expiring_cert_individual` | yes | `detection/default.yml` rename L449–453; fixture values in `sample_event.json`, `test-pipeline-detection.log-expected.json` |
+| `extrahop.detection.title` | no (vendor-only) | n/a | `ICMP Tunnel`, `Expiring SSL/TLS Server Certificate` | partial | Human-readable label; promoted to `message` L444–448 — alternate display form of `type`, not a separate verb |
+| `extrahop.detection.status` | no (vendor-only) | n/a | `open` | partial | Rename L423–427; triage workflow state, not wire activity |
+| `extrahop.detection.resolution` | no (vendor-only) | n/a | `action_taken`, `no_action_taken` | partial | Rename L387–391; analyst disposition on detection |
+| `extrahop.investigation.status` | no (vendor-only) | n/a | `closed`, `open` | partial | Vendor-only in `investigation/default.yml`; `test-investigation.log-expected.json` |
+| `extrahop.investigation.assessment` | no (vendor-only) | n/a | `benign_true_positive`, `false_positive` | partial | Case assessment label — complements `status`, not a substitute for action |
+| `event.type` / `event.category` | n/a (downstream) | partial | `indicator` + `threat` (detection); `info` (investigation) | no | Pipeline append/set L47–54 (detection), L39–42 (investigation); document taxonomy, not `event.action` |
+
+**Step 2b — per-stream check:**
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`?
| Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `detection` | no | no | `extrahop.detection.type` (`icmp_tunnel`, `hacking_tools`, `expiring_cert_individual`) | high | No pipeline `event.action` grep hit; `detection/default.yml` renames `json.type` only |
+| `investigation` | no | no | omit or `extrahop.investigation.status` (`open`/`closed`) | low | No pipeline `event.action`; state snapshot — `status`/`assessment` are workflow labels |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Offending network participant | host | — | high | `participants[].role: offender` → `extrahop.detection.participants.*` (`object_type`, `object_value`, `hostname`, `object_id`); IPs/hostnames also in `related.ip` / `related.hosts` | **`detection`** — ICMP tunnel offender `175.16.199.0` / `09i2TY0xVtw7DPECOJQte01i7IK8B9FV.rx.tours`; hacking-tools offender `67.43.156.0` (`test-pipeline-detection.log-expected.json`) |
+| Participant account context | user | — | moderate | `participants[].username` → `related.user` only (e.g.
`administrator@ATTACK.LOCAL` on expiring-cert detection); not copied to ECS `user.*` | **`detection`** — account tied to offending device, not portal login actor |
+| Assigned analyst (detection triage) | user | — | high | `assignee` → ECS `user.name` + `related.user` (`detection/default.yml`); `sam.joe` in `sample_event.json`, `john.doe` in pipeline test | **`detection`** — SOC assignee, not wire threat actor |
+| RevealX sensor / appliance | general | device | moderate | Observing NDR appliance → `device.id` ← `appliance_id`; vendor duplicate `extrahop.detection.appliance_id` when preserved | **`detection`** — collection/observer context (`device.id: "6"` in `sample_event.json`) |
+| Investigation creator | user | — | high | `created_by` dissected to `user.name` / `user.domain` when `user@domain` format | **`investigation`** — `integration@example.com` → `user.name: integration`, `user.domain: example.com` (`test-investigation.log-expected.json`) |
+| Investigation assignee / last actor | user | — | moderate | `assignee`, `last_interaction_by` → `related.user` only; not mapped to ECS `user.*` | **`investigation`** — `user1`, `john.doe`, `tom.latham` in pipeline tests |
+| API / service principal creator | user | service_account | moderate | Non-email `created_by` (e.g. `rest_api_id_1njj2`) stays vendor-only + `related.user`; dissect skipped, ECS `user.*` empty | **`investigation`** — REST API identity in fixture id `54` |
+
+**No wire threat actor on investigation stream.** Investigation events carry `event.type: info` with no `event.category: threat` and no participant or IP fields. **`source.port`** / **`destination.port`** on detection events are connection tuple context (client/server ports), not actor identity — and there is no `source.ip` / `destination.ip` mapping.
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct?
| Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `extrahop.detection.participants[]` (role=offender) | Wire threat source host/IP | no (vendor-only) | n/a | high | Full participant tree retained; offender `object_value`/`hostname` in fixtures |
+| `extrahop.detection.participants[].username` | Account on participant device | no (vendor-only) | n/a | high | `administrator@ATTACK.LOCAL` on expiring-cert offender; only `related.user` overlap |
+| `user.name` | Detection assignee; investigation creator | yes (stream-dependent) | partial | high | Detection: `assignee` copy — SOC triage user, not threat actor; Investigation: `created_by` dissect — correct for case creator |
+| `user.domain` | Investigation creator domain | yes | yes | high | `created_by` dissect pattern `%{user.name}@%{user.domain}` (`investigation/default.yml`) |
+| `related.user` | Assignees, creators, participant usernames | yes | partial | high | Detection append assignee + participant username; investigation append assignee, created_by, last_interaction_by — mixes SOC actors and participant accounts |
+| `related.ip` / `related.hosts` | All participant IPs/hostnames (offender + victim) | yes | partial | high | Foreach on `participants[].object_value` / `hostname` — no role distinction |
+| `device.id` | RevealX appliance / sensor | yes | yes (observer) | high | `json.appliance_id` → `extrahop.detection.appliance_id` → `device.id` |
+| `source.port` | Client-side connection port | yes | yes (network context) | high | `properties.client_port` copy (e.g. `63855` hacking-tools fixture); no paired `source.ip` |
+| `destination.port` | Server-side connection port | yes | yes (network context) | high | `properties.server_port` copy (e.g. `443` hacking-tools fixture); no paired `destination.ip` |
+| `extrahop.investigation.created_by` | Case creator (incl.
API principals) | no (vendor-only) | n/a | high | `rest_api_id_1njj2` when email dissect fails |
+| `extrahop.investigation.assignee` / `last_interaction_by` | Case workflow actors | no (vendor-only) | n/a | high | Only `related.user` promotion |
+| `extrahop.detection.is_user_created` | User-created detection flag | no (vendor-only) | n/a | low | Boolean only; no creator username on detection events |
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Platform / cloud service | NDR platform producing the detection | ExtraHop RevealX / RevealX 360 | service | — | medium | SaaS console URLs in `event.url` / `extrahop.*.url`; no `cloud.service.name` mapping | **`detection`**, **`investigation`** — platform context only, not mapped to ECS service fields |
+| 2 — Resource / object | Network endpoint or device acted upon | Offender/victim devices, IPs, hostnames | host | — | high | `participants[].role: victim` (and offender as threat source) → `extrahop.detection.participants.*`; `related.ip` / `related.hosts` | **`detection`** — victim `81.2.69.142` (ICMP tunnel); external victims `www.kali.org`, `cdimage.kali.org`, `kali.download` (hacking-tools) |
+| 2 — Resource / object | Linked detection under investigation | Detection record by ID | general | detection | high | `extrahop.investigation.detections[]` (e.g.
`25769803958` in `sample_event.json`) | **`investigation`** — join **detection** stream for participant detail |
+| 2 — Resource / object | Investigation case record | SOC case / incident | general | incident | high | `message` / `extrahop.investigation.name`, `status`, `assessment`, `description`, `notes` | **`investigation`** — BloodHound enumeration case in `sample_event.json` |
+| 3 — Content / artifact | Detection indicator instance | RevealX detection rule hit | general | detection_rule | high | `message` / `extrahop.detection.title`, `extrahop.detection.type`, `event.risk_score`, `threat.indicator.*`, MITRE `threat.tactic.*` / `threat.technique.*` | **`detection`** — `icmp_tunnel`, `hacking_tools`, `expiring_cert_individual` in fixtures |
+| 3 — Content / artifact | Certificate / tool / ticket context | TLS cert, hacking tool name, ITSM ticket | general | certificate, software, incident | moderate | `extrahop.detection.properties.certificate`, `hacking_tool_name`, `ticket_id` / `ticket_url` | **`detection`** — cert on expiring-cert fixture; `Kali Linux` on hacking-tools; `ticket_id: "2996"` in `sample_event.json` |
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate?
| Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `extrahop.detection.participants[]` (role=victim) | 2 | host | no (vendor-only) | n/a | `host.target.*` | yes | Victim device/IP/hostname with `object_id`, `external`, `endpoint`; canonical acted-upon endpoint |
+| `extrahop.detection.participants[]` (role=offender) | 2 | host | no (vendor-only) | n/a | `host.target.*` or context-only | yes | Offender is threat source — may map to `source.*` or `host.target.*` depending on detection semantics |
+| `extrahop.detection.participants[].username` | 2 | user | no (vendor-only) | n/a | `user.target.name` | yes | Account on participant device; only `related.user` today |
+| `related.ip` / `related.hosts` | 2 | host | yes | partial | `host.target.*` | yes | Aggregates offender + victim without role split |
+| `destination.port` | 2 | service | yes | partial | context-only | no | `properties.server_port` → port only (e.g. `443`); no `destination.ip` — network tuple context, not de-facto target identity |
+| `source.port` | 2 | service | yes | partial | context-only | no | `properties.client_port` — initiator port without IP |
+| `message` / `extrahop.detection.title` / `type` | 3 | general | yes | yes | context-only | no | Detection title and type code |
+| `event.risk_score` / `threat.indicator.description` | 3 | general | yes | yes | context-only | no | Risk and indicator narrative |
+| `threat.tactic.*` / `threat.technique.*` | 3 | general | yes | yes | context-only | no | MITRE mappings from `mitre_tactics` / `mitre_techniques` |
+| `extrahop.detection.properties.certificate` | 3 | general | no (vendor-only) | n/a | context-only | no | Cert fingerprint string; not mapped to `tls.*` |
+| `extrahop.detection.properties.hacking_tool_name` | 3 | general | no (vendor-only) | n/a | context-only | no | `Kali Linux` in hacking-tools fixture |
+| `extrahop.detection.ticket_id` / `ticket_url` | 3 | general | no (vendor-only) | n/a | context-only | no | External
ITSM linkage |
+| `event.url` | 3 | general | yes | yes (console link) | context-only | no | RevealX console deep link — analyst navigation, not network peer |
+| `extrahop.investigation.detections[]` | 2 | general | no (vendor-only) | n/a | `entity.target.id` | yes | Linked detection IDs; participant detail requires cross-stream join |
+| `extrahop.investigation.name` / `status` / `assessment` | 2 | general | no (vendor-only) | n/a | context-only | no | Case record fields; `message` promoted from `name` |
+
+### Gaps and mapping notes
+
+- **`event.action` absent on both streams** — richest verb-like field is vendor-only `extrahop.detection.type` (rule/threat code). Enhancement: copy to `event.action` on detection; investigation is state sync — mapping `status` is optional and low value.
+- **No ECS `*.target.*` today** — richest target identity is vendor-only `extrahop.detection.participants[]` with `role` (offender/victim). Enhancement: promote victim (and optionally offender) participants to `host.target.*` / `user.target.*` by `object_type` and `role`; split `related.ip` / `related.hosts` by role instead of aggregating all participants.
+- **`user.name` on detection is SOC assignee, not threat actor** — pipeline copies `assignee` to ECS `user.*` (`set_user_name_from_detection_assignee`); wire threat identity stays in `extrahop.detection.participants[]` only.
+- **`related.user` mixes roles** — detection assignee, participant usernames, and investigation workflow users share one array with no actor/target distinction.
+- **No `source.ip` / `destination.ip`** — participant `object_value` IPs land in `related.ip` only; ports mapped to `source.port` / `destination.port` without paired addresses. `destination.port` is network tuple context, not a de-facto target host field (`pipeline_dest_network=true` in target-fields audit).
+- **Investigation stream has no network targets** — threat actor/target detail requires joining linked detection IDs from `extrahop.investigation.detections[]` to the **detection** stream.
+- **Investigation creator mapping is email-only** — non-email `created_by` values (`rest_api_id_1njj2`) skip dissect; ECS `user.*` empty while identity remains in vendor field and `related.user`.
+- **No `destination.user.*` / `destination.host.*`** — extrahop not in `destination_identity_hits.csv`.
+- **Target-fields audit alignment** — `moderate_candidate_network_dest`: `pipeline_dest_network=true` (port-only), no tier-A ECS target fields, no pipeline actor identity mapping (`pipeline_actor=false`).
+
+### Per-stream notes
+
+#### `detection`
+
+NDR threat indicator (`event.category: threat`, `event.type: indicator`). **`event.action` not mapped** — primary candidate `extrahop.detection.type` (e.g. `icmp_tunnel`, `hacking_tools`). Wire actors/targets: `participants[]` with `role: offender` (threat source) and `role: victim` (acted-upon endpoint). SOC assignee → ECS `user.name`. Observer appliance → `device.id`. Partial connection context: `source.port` / `destination.port` when `properties.client_port` / `server_port` present. MITRE and risk on `threat.*` / `event.risk_score`.
+
+#### `investigation`
+
+Analyst case record (`event.type: info`). **No meaningful per-event action** — polled `status`/`assessment` are workflow state. Actor: email-format `created_by` → ECS `user.*`; assignee and `last_interaction_by` in `related.user` only. Target Layer 2: the case itself plus linked detection IDs in `extrahop.investigation.detections[]` — no participant or IP fields on the event. Cross-stream correlation required for network entity detail.
+
+## Example Event Graph
+
+Examples below come from the **detection** stream only. Detection events are wire-derived NDR threat indicators — not true identity or platform audit logs.
The **investigation** stream exports polled analyst case-management snapshots; it has no meaningful per-event Actor → action → Target chain (see note below).
+
+### Example 1: ICMP tunnel (C2 protocol abuse)
+
+**Stream:** `extrahop.detection` · **Fixture:** `packages/extrahop/data_stream/detection/sample_event.json`
+
+```
+Offending external host (175.16.199.0) → icmp_tunnel → Internal victim device (81.2.69.142)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | 25769803780 |
+| name | 09i2TY0xVtw7DPECOJQte01i7IK8B9FV.rx.tours |
+| type | host |
+| ip | 175.16.199.0 |
+
+**Field sources:**
+- `id ← extrahop.detection.participants[].object_id` (role=offender)
+- `name ← extrahop.detection.participants[].hostname`
+- `type ← extrahop.detection.participants[].object_type` (`ipaddr` → host)
+- `ip ← extrahop.detection.participants[].object_value`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | icmp_tunnel |
+| source_field | `extrahop.detection.type` |
+| source_value | icmp_tunnel |
+
+**Not mapped to ECS `event.action` today** — derived from vendor detection rule code.
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 25769803807 |
+| type | host |
+| ip | 81.2.69.142 |
+
+**Field sources:**
+- `id ← extrahop.detection.participants[].object_id` (role=victim)
+- `type ← extrahop.detection.participants[].object_type` (`device` → host)
+- `ip ← extrahop.detection.participants[].object_value`
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: 175.16.199.0"] --> E["icmp_tunnel"]
+ E --> T["Target: 81.2.69.142"]
+```
+
+### Example 2: Hacking tool domain access
+
+**Stream:** `extrahop.detection` · **Fixture:** `packages/extrahop/data_stream/detection/_dev/test/pipeline/test-pipeline-detection.log-expected.json`
+
+```
+Internal client device (67.43.156.0) → hacking_tools → External hacking-tool host (www.kali.org)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | 17179869303 |
+| type | host |
+| ip | 67.43.156.0 |
+
+**Field sources:**
+- `id ← extrahop.detection.participants[].object_id` (role=offender, endpoint=client)
+- `type ← extrahop.detection.participants[].object_type` (`device` → host)
+- `ip ← extrahop.detection.participants[].object_value`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | hacking_tools |
+| source_field | `extrahop.detection.type` |
+| source_value | hacking_tools |
+
+**Not mapped to ECS `event.action` today** — derived from vendor detection rule code (`extrahop.detection.properties.hacking_tool_name: Kali Linux` provides additional context).
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 17179869185 |
+| name | www.kali.org |
+| type | host |
+| ip | 89.160.20.112 |
+
+**Field sources:**
+- `id ← extrahop.detection.participants[].object_id` (role=victim, endpoint=server)
+- `name ← extrahop.detection.participants[].hostname`
+- `type ← extrahop.detection.participants[].object_type` (`ipaddr` → host)
+- `ip ← extrahop.detection.participants[].object_value`
+
+Note: fixture lists three victim participants (`www.kali.org`, `cdimage.kali.org`, `kali.download`); primary target shown is the first.
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: 67.43.156.0"] --> E["hacking_tools"]
+ E --> T["Target: www.kali.org"]
+```
+
+### Note: investigation stream (no per-event graph)
+
+The **investigation** stream (`extrahop.investigation`) exports polled case records — status, assessment, assignee, and linked detection IDs — not discrete audit actions. **`status`** (e.g. `closed` in `sample_event.json`) is a workflow snapshot, not a verb performed by **`created_by`** (`integration@example.com`); **`last_interaction_by`** (`user1` in the same fixture) is a closer proxy for who last touched the case but still does not name a specific operation. No coherent Actor → action → Target chain applies. Join **`extrahop.investigation.detections[]`** to the **detection** stream for wire participant detail.
+
+## ES|QL Entity Extraction
+
+ExtraHop is an agent-backed integration (CEL input, policy template `extrahop`) with two data streams — `extrahop.detection` and `extrahop.investigation` — routed by `data_stream.dataset`. The detection stream is the only one that carries wire-derived threat telemetry; the investigation stream contains polled case-management snapshots with no participant or network endpoint fields and is excluded from extraction. The single actionable extraction at query time is `extrahop.detection.type` → `event.action` on the detection stream.
All actor and target identity fields (`host.*`, `host.target.*`, `user.target.name`) rely on `extrahop.detection.participants`, which is an **array of objects** flattened by ES|QL into independent multi-value fields (`participants.role`, `participants.object_id`, `participants.object_value`, `participants.hostname`, `participants.username`). After flattening the positional relationship between sibling sub-fields is lost and order is not guaranteed, so `MV_FILTER(participants.object_id, participants.role == "offender")` is invalid cross-field syntax — no role-discriminated actor or target value can be extracted at query time. All participant-derived actor and target columns are documented as ingest-only in Gaps.
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `extrahop.detection` | NDR threat indicator | host (offender participant) — ingest-only | host (victim participant) — ingest-only | partial (action only) |
+| `extrahop.investigation` | case workflow snapshot | — | — | none |
+
+### Field mapping plan
+
+Actor and target identity fields all derive from `extrahop.detection.participants`, which is an array of objects. ES|QL flattens this into independent multi-value fields (`participants.role`, `participants.object_id`, `participants.object_value`, `participants.hostname`, `participants.username`) with no guaranteed positional correspondence between sibling sub-fields. `MV_FILTER(participants.object_id, participants.role == "offender")` is an invalid cross-field condition in ES|QL; all participant-derived columns are therefore ingest-only. The only valid query-time extraction is `event.action` from `extrahop.detection.type`. `user.name` on the detection stream is the SOC assignee (`assignee` → ingest pipeline `set_user_name_from_detection_assignee`), not a wire threat actor; it is excluded from `actor_exists`.
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `host.id` | `extrahop.detection.participants.object_id` (role=offender) | — | — | **ingest-only** — `participants` is array-of-objects; `participants.role` and `participants.object_id` are independent multi-value fields after ES|QL flattening; cross-field `MV_FILTER` is invalid; needs ingest-time array-of-objects handling |
+| `host.ip` | `extrahop.detection.participants.object_value` (role=offender) | — | — | **ingest-only** — same constraint; fixture `175.16.199.0` (ICMP tunnel offender) |
+| `host.name` | `extrahop.detection.participants.hostname` (role=offender) | — | — | **ingest-only** — same constraint; fixture `09i2TY0xVtw7DPECOJQte01i7IK8B9FV.rx.tours` |
+| `user.name` | `extrahop.detection.assignee` | — | — | **ingest-only (SOC assignee)** — pipeline sets `user.name` from `assignee`; this is the triage analyst, not a wire threat actor; excluded from `actor_exists` |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `host.target.id` | `extrahop.detection.participants.object_id` (role=victim) | — | — | **ingest-only** — array-of-objects; cross-field `MV_FILTER` invalid; fixture `25769803807` (ICMP tunnel victim) |
+| `host.target.ip` | `extrahop.detection.participants.object_value` (role=victim) | — | — | **ingest-only** — same constraint; fixture `81.2.69.142` |
+| `host.target.name` | `extrahop.detection.participants.hostname` (role=victim) | — | — | **ingest-only** — same constraint; fixture `www.kali.org` (hacking-tools; three victims) |
+| `user.target.name` | `extrahop.detection.participants.username` (role=victim) | — | — | **ingest-only** — same constraint; expiring-cert `administrator@ATTACK.LOCAL` is on **offender** only |
+
+### Detection flags (mandatory — run first)
+
+`actor_exists` omits `user.*` — `user.name` on `extrahop.detection`
is SOC assignee, not wire threat actor. `device.id` is observer appliance — also omitted. Because all participant-derived `host.*` and `*.target.*` fields are ingest-only and not currently populated at index time, `actor_exists` and `target_exists` will evaluate to `false` for all extrahop events at query time; they are included as standard harness flags.
+
+```esql
+| EVAL
+ actor_exists = host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+### Combined ES|QL — actor fields
+
+No valid actor field can be extracted at query time. All actor identity columns (`host.id`, `host.ip`, `host.name`) depend on `extrahop.detection.participants` role discrimination, which requires invalid cross-field `MV_FILTER` syntax in ES|QL. Actor EVAL block is omitted. See Gaps.
+
+### Combined ES|QL — event action
+
+```esql
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "extrahop.detection" AND extrahop.detection.type IS NOT NULL, extrahop.detection.type,
+ null
+ )
+```
+
+### Combined ES|QL — target fields
+
+No valid target field can be extracted at query time. All target identity columns (`host.target.id`, `host.target.ip`, `host.target.name`, `user.target.name`) depend on `extrahop.detection.participants` role discrimination, which requires invalid cross-field `MV_FILTER` syntax in ES|QL. Target EVAL block is omitted. See Gaps.
+
+### Gaps and limitations
+
+- **`host.id` / `host.ip` / `host.name` (actor)** — `extrahop.detection.participants.{object_id,object_value,hostname}` are flattened multi-value fields with no guaranteed correspondence to `participants.role`; cannot isolate "offender" values at query time — **needs ingest-time array-of-objects handling**.
+- **`host.target.id` / `host.target.ip` / `host.target.name` (target)** — same constraint; cannot isolate "victim" values at query time — **needs ingest-time array-of-objects handling**.
+- **`user.target.name` (target)** — `extrahop.detection.participants.username` with `role == "victim"` cannot be isolated at query time; additionally, `administrator@ATTACK.LOCAL` in the expiring-cert fixture is on the **offender** participant only — **needs ingest-time array-of-objects handling**.
+- **`user.name` is SOC assignee, not threat actor** — pipeline copies `assignee` → `user.name` at ingest; excluded from `actor_exists` and actor EVAL; wire threat actor identity remains in vendor `participants.*` only.
+- **`event.action` not mapped at ingest** — `extrahop.detection.type` (e.g. `icmp_tunnel`, `hacking_tools`, `expiring_cert_individual`) is the richest verb-like field and is the only valid query-time extraction; fill via EVAL above.
+- **Multiple victims per detection** — hacking-tools fixture has three victim participants; even with valid ingest-time extraction, all victim IPs / hostnames should be promoted as a multi-value set rather than using `MV_FIRST`.
+- **No `source.ip` / `destination.ip`** — participant IPs land in `related.ip` aggregate only; `source.port` / `destination.port` are connection-tuple context without paired addresses.
+- **`device.id` is observer appliance** — RevealX sensor ID (`appliance_id` → `device.id`); platform context, not wire traffic actor; excluded from `actor_exists`.
+- **`extrahop.investigation` stream excluded** — polled case-management snapshots with no participant or network endpoint fields; no per-event Actor → action → Target chain; join `extrahop.investigation.detections[]` to the detection stream for wire entity detail.
diff --git a/dev/domain/p1/forgerock.md b/dev/domain/p1/forgerock.md
new file mode 100644
index 00000000000..7630863baee
--- /dev/null
+++ b/dev/domain/p1/forgerock.md
@@ -0,0 +1,535 @@
+# forgerock
+
+## Product Domain (ForgeRock IAM)
+
+ForgeRock Identity Platform is an identity and access management (IAM) and identity governance and administration (IGA) platform. Organizations use it—typically as ForgeRock Identity Cloud—to centralize authentication, authorization, user lifecycle, and federation across applications and APIs. The platform is built around two core services: Access Management (AM), which handles sign-on, sessions, OAuth/OIDC, and policy enforcement in realms; and Identity Management (IDM), which manages identity objects, provisioning, synchronization with external repositories, and administrative configuration.
+
+Security-relevant activity is recorded as audit and debug logs across AM and IDM topics—access attempts, authentication outcomes, configuration changes, identity object lifecycle events, and sync operations. These logs capture who acted, what changed, when it occurred, and the outcome, supporting compliance, SSO troubleshooting, and detection of unauthorized access or misconfiguration.
+
+The Elastic ForgeRock integration polls the Identity Cloud REST API with API key credentials via Elastic Agent (httpjson input). Events are normalized into ECS-aligned fields with `forgerock.*` vendor fields preserved, enabling search, dashboards, and correlation with broader SIEM data.
+
+## Data Collected (brief)
+
+- **Access Management audit logs**: `forgerock.am_access` (API access attempts), `forgerock.am_authentication` (login and auth module events), `forgerock.am_activity` (session, user profile, and device profile changes), and `forgerock.am_config` (AM configuration changes).
+- **Identity Management audit logs**: `forgerock.idm_access` (REST endpoint and scheduled-task access), `forgerock.idm_authentication` (authentication to `/openidm` endpoints), `forgerock.idm_activity` (managed/system object changes such as users and passwords), `forgerock.idm_config` (IDM configuration changes), and `forgerock.idm_sync` (live and implicit sync between mapped repositories).
+- **Debug logs**: `forgerock.am_core` and `forgerock.idm_core` for Access Management and Identity Management platform debug output.
+- **Common context**: Event name, topic, realm, user/principal, object IDs, operations, tracking/transaction IDs, HTTP request details (method, path, headers, client IP), response status and elapsed time, and ECS `event.action`, `event.category`, and `event.outcome` where applicable.
+
+## Expected Audit Log Entities
+
+Nine streams are true IAM audit logs (four AM: access, authentication, activity, config; five IDM: access, authentication, activity, config, sync). Two streams (`am_core`, `idm_core`) are platform debug output—audit-adjacent for correlation only. Events arrive as JSON from the Identity Cloud REST API and normalize to ECS with rich `forgerock.*` vendor fields retained. No stream populates ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*`; no `destination.user.*` / `destination.host.*` in pipelines (forgerock absent from `destination_identity_hits.csv`). The target-fields audit classifies forgerock as **`moderate_candidate`** with `fixture_strong=true` and no tier-A ECS target mapping (`dev/target-fields-audit/out/target_enhancement_packages.csv`).
+
+**`event.action` is populated on four AM audit streams only** (`am_access`, `am_authentication`, `am_activity`, `am_config`) via `forgerock.eventName` → `event.action`.
All five IDM audit streams and both debug streams leave `event.action` empty despite vendor fields naming the operation (`forgerock.eventName`, `forgerock.operation`, `forgerock.action`, `forgerock.request.operation`). On `am_activity`, `forgerock.operation` additionally maps to `event.reason` (CRUD qualifier, not the primary action label).
+
+Evidence: all 11 data streams under `packages/forgerock/data_stream/` — 73 pipeline test events across `*/_dev/test/pipeline/*-expected.json`, plus `sample_event.json`, `*/elasticsearch/ingest_pipeline/default.yml`, and `*/fields/forgerock-fields.yml`.
+
+### Event action (semantic)
+
+ForgeRock audit payloads carry a native **`eventName`** on every stream. AM pipelines copy it to `event.action`; IDM pipelines retain it vendor-only. AM activity/config events also carry an **`operation`** field (CREATE, UPDATE, PATCH, DELETE) that refines the change type. IDM sync events carry **`action`** (ASYNC, UPDATE) for reconciliation mode.
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `AM-ACCESS-ATTEMPT` / `AM-ACCESS-OUTCOME` | data_access | high | `test-am-access.log-expected.json` (14 events); `sample_event.json` | **`am_access`** — OAuth/API access attempt/outcome pair; pipeline sets `event.type: [access]` |
+| `AM-LOGIN-COMPLETED` / `AM-LOGIN-MODULE-COMPLETED` | authentication | high | `test-am-authentication.log-expected.json` (7 events) | **`am_authentication`** — login completion vs auth-module step; pipeline sets `event.category: [authentication]` |
+| `AM-SESSION-CREATED` / `AM-SESSION-IDLE_TIMED_OUT` / `AM-SESSION-DESTROYED` | session | high | `test-am-activity.log-expected.json` | **`am_activity`** — session lifecycle; `event.reason` carries CRUD (`CREATE`/`DELETE`) from `forgerock.operation` |
+| `AM-IDENTITY-CHANGE` | administration | high | `test-am-activity.log-expected.json` | **`am_activity`** — user/profile/device changes;
`event.reason`: `UPDATE` |
+| `AM-CONFIG-CHANGE` | configuration_change | high | `test-am-config.log-expected.json` (4 events); `sample_event.json` | **`am_config`** — AM service config DN changes; pipeline sets `event.category: [configuration]`; vendor `operation` (CREATE/UPDATE) retained but not mapped |
+| `access` | data_access | high | `test-idm-access.log-expected.json` (4 events); `sample_event.json` | **`idm_access`** — REST endpoint access; vendor-only; alternate: `forgerock.request.operation: READ` |
+| `authentication` | authentication | high | `test-idm-authentication.log-expected.json` (1 event); `sample_event.json` | **`idm_authentication`** — IDM login; vendor-only; alternate: `forgerock.method: MANAGED_USER` |
+| `activity` / `relationship_created` | administration | high | `test-idm-activity.log-expected.json` (6 events) | **`idm_activity`** — managed-object CRUD and relationship creation; vendor-only; alternate: `forgerock.operation` (PATCH, CREATE) |
+| `CONFIG` | configuration_change | high | `test-idm-config.log-expected.json` (3 events); `sample_event.json` | **`idm_config`** — IDM sync mapping config; vendor-only; alternate: `forgerock.operation: UPDATE` (removed by pipeline) |
+| `sync` + `ASYNC` / `UPDATE` | provisioning | high | `test-idm-sync.log-expected.json` (5 events); `sample_event.json` | **`idm_sync`** — repository reconciliation; `forgerock.action` is the specific sync mode; `forgerock.eventName: sync` is generic topic label |
+| *(debug message text)* | general | medium | `test-am-core.log-expected.json`, `test-idm-core.log-expected.json` | **`am_core`**, **`idm_core`** — no per-event action; `event.reason` ← debug `message`/`payload` only |
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate?
| Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `forgerock.eventName` → `event.action` | yes (4 AM streams) | yes | `AM-ACCESS-ATTEMPT`, `AM-LOGIN-COMPLETED`, `AM-SESSION-CREATED`, `AM-CONFIG-CHANGE`, … | no | `am_access/default.yml` L44–45; `am_authentication` L44–45; `am_activity` L41–42; `am_config` L44–45 |
+| `forgerock.eventName` (vendor-only) | no (5 IDM audit streams) | n/a | `access`, `authentication`, `activity`, `relationship_created`, `CONFIG`, `sync` | yes | Retained under `forgerock.*` in all IDM expected fixtures; no pipeline `set` to `event.action` |
+| `forgerock.operation` → `event.reason` | yes (`am_activity` only) | partial | `CREATE`, `UPDATE`, `DELETE` | partial | `am_activity/default.yml` L57–58 — CRUD qualifier, not the session/identity event name; correct as `event.reason`, not `event.action` |
+| `forgerock.operation` (vendor-only) | no | n/a | `CREATE`, `UPDATE`, `PATCH` | yes | **`am_config`**, **`idm_activity`**, **`idm_config`** fixtures; `idm_config` pipeline removes field without ECS mapping |
+| `forgerock.action` (vendor-only) | no | n/a | `ASYNC`, `UPDATE` | yes | **`idm_sync`** — primary sync-mode candidate; more specific than `eventName: sync` |
+| `forgerock.request.operation` (vendor-only) | no | n/a | `READ` | yes | **`idm_access`** fixtures — CREST operation alongside `http.request.method: GET` |
+| `forgerock.method` (vendor-only) | no | n/a | `MANAGED_USER` | partial | **`idm_authentication`** — auth method qualifier; secondary to `eventName: authentication` |
+| `forgerock.message` / `forgerock.payload` → `event.reason` | no (`event.action`) | n/a | — | no | **`am_core`**, **`idm_core`** debug pipelines — free-text reason, not structured action |
+| `event.type` / `event.category` | n/a (downstream) | yes | `[access]`, `[authentication]`, `[configuration]` | no | Set statically on AM access/auth/config; category is not a substitute for `event.action` |
+
+**Step 2b — per-stream check:**
+
+| Stream | `event.action`
in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `am_access` | yes (14/14) | yes | `forgerock.eventName` | high | `set` L44–45; values `AM-ACCESS-ATTEMPT`, `AM-ACCESS-OUTCOME` |
+| `am_authentication` | yes (7/7) | yes | `forgerock.eventName` | high | `set` L44–45; values `AM-LOGIN-COMPLETED`, `AM-LOGIN-MODULE-COMPLETED` |
+| `am_activity` | yes (16/16) | yes | `forgerock.eventName` | high | `set` L41–42; values `AM-SESSION-CREATED`, `AM-IDENTITY-CHANGE`, …; alternate `forgerock.operation` → `event.reason` |
+| `am_config` | yes (4/4) | yes | `forgerock.eventName` | high | `set` L44–45; value `AM-CONFIG-CHANGE`; alternate `forgerock.operation` (CREATE/UPDATE) vendor-only |
+| `idm_access` | no | no | `forgerock.eventName` (`access`) | high | Vendor retained; alternate `forgerock.request.operation` (`READ`) |
+| `idm_authentication` | no | no | `forgerock.eventName` (`authentication`) | high | Vendor retained; alternate `forgerock.method` (`MANAGED_USER`) |
+| `idm_activity` | no | no | `forgerock.eventName` (`activity`, `relationship_created`) | high | Vendor retained; alternate `forgerock.operation` (PATCH, CREATE) |
+| `idm_config` | no | no | `forgerock.eventName` (`CONFIG`) | high | Vendor retained; alternate `forgerock.operation` (`UPDATE`, removed by pipeline) |
+| `idm_sync` | no | no | `forgerock.action` (`ASYNC`, `UPDATE`) | high | Vendor retained; `forgerock.eventName: sync` is generic fallback |
+| `am_core` | no | no | — (no per-event action) | high | Debug stream; `event.reason` ← `forgerock.message` only |
+| `idm_core` | no | no | — (no per-event action) | high | Debug stream; `event.reason` ← `forgerock.payload` / `payload.message` only |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Authenticated IAM principal | user | — | high |
`userId` → `user.id` (`*/default.yml` copy_from); AM DN and IDM UUID forms in fixtures | **`am_activity`** 13/16, **`am_config`** 4/4, **`idm_*`** activity/config/sync/auth 100%; **`am_access`** 4/14 (outcome only); **`am_authentication`** 4/7 (login completed) |
+| Delegated / effective principal | user | — | high | `runAs` → `user.effective.id` | **`am_activity`** 11/16, **`am_config`** 4/4, **`idm_activity`** 6/6, **`idm_config`** 3/3; empty on session timeout events |
+| Human-readable auth account | user | service_account | medium | `forgerock.principal[]` vendor-only (`autoid-resource-server`, `openidm-admin`) | **`am_authentication`** 7/7, **`idm_authentication`** 1/1; not promoted to `user.name` |
+| HTTP/API client endpoint | host | — | high | `forgerock.client.ip/port` → `client.ip`/`client.port`; `forgerock.client.host` → `client.domain` (AM access only) | **`am_access`** 14/14, **`idm_access`** 4/4 |
+| Anonymous REST caller | user | — | medium | `user.id: "anonymous"` for unauthenticated ping reads | **`idm_access`** 4/4 |
+| IDM authorization roles | general | idm_role | medium | `forgerock.roles[]` (e.g. `internal/role/openidm-reg`) | **`idm_access`** 4/4 only; caller auth context, not mapped to ECS |
+| AM/IDM server node | host | — | medium | `forgerock.server.*` → `server.ip`/`server.domain` | **`am_access`** 2/14, **`idm_access`** 4/4; platform node handling request, not remote actor |
+
+**No actor identity:** **`am_core`** (5 fixtures) and **`idm_core`** (8 fixtures) — debug logger/thread/message only. **`am_access`** attempt events (10/14) and **`am_authentication`** module-completed events (3/7) omit `userId` until paired outcome/completed events.
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct?
| Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `user.id` | Authenticated principal | yes (stream-dependent) | yes | high | `forgerock.userId` copy; removed from vendor tree after ingest on most streams |
+| `user.effective.id` | Delegated/run-as identity | yes | yes | high | `forgerock.runAs` copy on activity/config streams |
+| `user.name` | Human principal name | no | n/a | medium | `forgerock.principal[]` retained vendor-only on auth streams |
+| `client.ip` / `client.port` | Calling client endpoint | yes | yes | high | `forgerock.client.ip/port` convert/copy on access streams |
+| `client.domain` | Client hostname | yes (AM only) | yes | high | `forgerock.client.host` → `client.domain` (`am_access/default.yml`) |
+| `server.ip` / `server.domain` | AM/IDM node | yes | yes (context) | medium | `forgerock.server.*` on access streams — platform context, not actor |
+| `forgerock.principal[]` | Auth account names | no (vendor-only) | n/a | high | `am_authentication`, `idm_authentication` fixtures |
+| `forgerock.entries[]` | Auth module/tree metadata | no (vendor-only) | n/a | medium | Flattened module chain; includes `info.ipAddress` not mapped to ECS |
+| `forgerock.roles[]` | IDM caller roles | no (vendor-only) | n/a | medium | `idm_access` fixtures |
+| `forgerock.realm` | Auth/access realm scope | no (vendor-only) | n/a | high | AM streams; scopes context, not actor |
+| `forgerock.trackingIds[]` | Session/token correlation | no (vendor-only) | n/a | high | Links auth → access → activity events |
+| `observer.vendor` | Log source product | yes | yes (context) | high | Static `ForgeRock Identity Platform` on all pipelines |
+| `transaction.id` | Request correlation | yes | yes (context) | high | `forgerock.transactionId` copy |
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Platform /
cloud service | Invoked IAM subsystem | AM OAuth, Authentication, Session, Users; IDM REST | service | — | high | `forgerock.component` → `service.name` on AM access/auth/activity | **`am_access`**, **`am_authentication`**, **`am_activity`**; IDM streams lack `component` mapping |
+| 2 — Resource / object | Identity, session, or config object acted upon | Managed user, AM session, LDAP config DN, sync mapping | user / general | session, am_config_dn, managed_object | high | `forgerock.objectId`, `forgerock.sourceObjectId`, `forgerock.targetObjectId` | **`am_activity`**, **`am_config`**, **`idm_activity`**, **`idm_config`**, **`idm_sync`** |
+| 3 — Content / artifact | API call, OAuth grant, sync transaction | REST endpoint URL, token scope, sync situation | general | api_request, oauth_token, sync_event | high | `http.request.Path`, `forgerock.request.detail.*`, `forgerock.response.detail.*`, `forgerock.situation` | **`am_access`**, **`idm_access`**, **`idm_sync`** |
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `service.name` | 1 | service | yes (AM) | yes | `service.target.name` | yes | `forgerock.component` → `service.name` (`OAuth`, `Authentication`, `Session`, `Users`) |
+| `http.request.Path` | 3 | general | yes | yes (api_request) | context-only | no | Full URL path on access streams; e.g.
`/am/oauth2/access_token`, `/openidm/info/ping` |
+| `http.request.method` / `http.response.status_code` | 3 | general | yes | yes | context-only | no | REST operation metadata on access streams |
+| `event.reason` | 3 | general | yes (`am_activity`, core) | partial | context-only | no | `forgerock.operation` on **`am_activity`** (CRUD); debug message on core streams — not primary action label |
+| `forgerock.objectId` | 2 | user / general | no (vendor-only) | n/a | `user.target.id` / `entity.target.id` | yes | Session IDs, identity DNs, managed paths, config DNs — type-dependent |
+| `forgerock.before.*` / `forgerock.after.*` | 2 | general | no (vendor-only) | n/a | context-only | no | Object state snapshots on activity streams |
+| `forgerock.changedFields` | 2 | general | no (vendor-only) | n/a | context-only | no | Modified field list on activity/config streams |
+| `forgerock.sourceObjectId` | 2 | user | no (vendor-only) | n/a | `user.target.id` | yes | Source managed object on all **`idm_sync`** fixtures (`managed/alpha_user/…`) |
+| `forgerock.targetObjectId` | 2 | user | no (vendor-only) | n/a | `user.target.id` | yes | Target repo object when link confirmed (1/5 sync fixtures) |
+| `forgerock.mapping` / `forgerock.situation` | 3 | general | no (vendor-only) | n/a | context-only | no | Sync mapping name and reconciliation outcome |
+| `forgerock.request.detail.*` | 3 | general | no (vendor-only) | n/a | context-only | no | OAuth grant_type, scope on **`am_access`** |
+| `forgerock.response.detail.*` | 3 | general | no (vendor-only) | n/a | context-only | no | Token scope, `client_id`, `username` on OAuth outcomes |
+| `forgerock.trackingIds[]` | 2 | general | no (vendor-only) | n/a | `entity.target.id` | yes | Session/OAuth token alias across AM event chain |
+| `forgerock.realm` | 1 | service | no (vendor-only) | n/a | context-only | no | AM realm scope (`/`, `/alpha`) |
+| `server.ip` / `server.domain` | 1 | host | yes | yes (context) | context-only | no
| AM/IDM node — platform endpoint, not acted-upon target |
+
+### Gaps and mapping notes
+
+- **No ECS `*.target.*` today** — richest target identity is vendor-only: `forgerock.objectId`, `forgerock.sourceObjectId`, `forgerock.targetObjectId`. Enhancement: promote typed targets to `user.target.*` (managed users, sync objects), `entity.target.id` (sessions, config DNs), or `service.target.name` (AM component).
+- **`service.name` is Layer 1 target, not actor** — AM subsystem (`OAuth`, `Session`, etc.) identifies what was invoked/changed; do not treat as caller identity.
+- **`forgerock.principal[]` not mapped to `user.name`** — human-readable auth account names remain vendor-only while `user.id` carries DN/UUID form.
+- **`user.id` and target object can share identity paths** — on authentication streams the logging-in principal is actor; on activity/sync streams the same field shape (`managed/…`, DN) often describes the **target** object when present in `forgerock.objectId` instead. Disambiguation requires event type, not field name alone.
+- **Sync source/target naming ≠ ECS source/destination** — `forgerock.sourceObjectId` / `forgerock.targetObjectId` are IDM repository sync endpoints, not network peers. No ECS `source.*` or `destination.*` mapping.
+- **No `destination.user.*` / `destination.host.*`** — forgerock not in `destination_identity_hits.csv`; no de-facto target pattern under `destination.*`.
+- **Partial actor on multi-stage events** — access attempts and auth module steps lack `userId`; correlate via `transaction.id` / `forgerock.trackingIds[]` to outcome events.
+- **`event.action` gaps on five IDM audit streams + two debug streams** — `forgerock.eventName` is present in every IDM fixture but not copied to `event.action`; recommended primary candidates per stream in Step 2b table. On **`idm_sync`**, prefer `forgerock.action` (`ASYNC`, `UPDATE`) over generic `eventName: sync`.
On **`idm_activity`**, consider composite `{eventName}.{operation}` or map `relationship_created` distinctly from generic `activity`.
+- **`forgerock.operation` inconsistently mapped** — copied to `event.reason` on **`am_activity`** only; retained vendor-only on **`am_config`** and **`idm_activity`**; removed without ECS mapping on **`idm_config`**. Enhancement: map to `event.reason` on config/activity streams for CRUD context.
+- **Target-fields audit alignment** — `moderate_candidate`: strong vendor target fields and fixtures (`fixture_strong=true`) but no tier-A ECS target mapping and heuristic `pipeline_actor=false` (simple `userId` copy not flagged by scan).
+
+### Per-stream notes
+
+#### `am_access`
+
+True access audit. **Action:** `event.action` ← `forgerock.eventName` (`AM-ACCESS-ATTEMPT`, `AM-ACCESS-OUTCOME`); `event.type: [access]`. Actor: `client.*` always; `user.id` on outcomes (4/14). Target Layer 1: `service.name` ← component (`OAuth`, `Authentication`). Layer 3: `http.request.Path` (primary API target). OAuth grant/scope/token detail under `forgerock.request.detail.*` / `forgerock.response.detail.*`.
+
+#### `am_authentication`
+
+True authentication audit. **Action:** `event.action` ← `forgerock.eventName` (`AM-LOGIN-COMPLETED`, `AM-LOGIN-MODULE-COMPLETED`); `event.category: [authentication]`. Actor: `user.id` on login completed (4/7); `forgerock.principal[]` + `forgerock.entries[]` on all 7. Target Layer 1: `service.name`. Layer 2/3: session/token via `forgerock.trackingIds[]` (links to activity/access). No explicit `objectId`.
+
+#### `am_activity`
+
+True activity audit. **Action:** `event.action` ← `forgerock.eventName` (session/identity events); `event.reason` ← `forgerock.operation` (CREATE/UPDATE/DELETE). Actor: `user.id` + `user.effective.id` (runAs). Target Layer 2: `forgerock.objectId` — session IDs (`AM-SESSION-*`) or identity DNs (`AM-IDENTITY-CHANGE`). Layer 1: `service.name` ← component (`Session`, `Users`).
Optional before/after snapshots.
+
+#### `am_config`
+
+True configuration audit. **Action:** `event.action` ← `forgerock.eventName` (`AM-CONFIG-CHANGE`); `event.category: [configuration]`; vendor `forgerock.operation` (CREATE/UPDATE) not mapped to ECS. Actor: `user.id` + `user.effective.id`. Target Layer 2: AM config DN in `forgerock.objectId` (4/4).
+
+#### `idm_access`
+
+True REST access audit. **Action:** `event.action` absent — candidate `forgerock.eventName: access`; alternate `forgerock.request.operation: READ`. Actor: `user.id` (including `anonymous`), `client.*`, `forgerock.roles[]`. Target Layer 3: `http.request.Path` (ping in fixtures).
+
+#### `idm_authentication`
+
+True authentication audit. **Action:** `event.action` absent — candidate `forgerock.eventName: authentication`; alternate `forgerock.method: MANAGED_USER`. `event.category: [authentication]` set; `event.outcome` from `result`. Actor: `user.id`, `forgerock.principal[]`, `forgerock.entries[]`. No explicit object target — self-referential login.
+
+#### `idm_activity`
+
+True activity audit. **Action:** `event.action` absent — candidate `forgerock.eventName` (`activity`, `relationship_created`); alternate `forgerock.operation` (PATCH, CREATE). Actor: `user.id` + `user.effective.id`. Target Layer 2: `forgerock.objectId` — managed users/orgs/relationships (`managed/alpha_user/…`, `internal/role/…`).
+
+#### `idm_config`
+
+True configuration audit. **Action:** `event.action` absent — candidate `forgerock.eventName: CONFIG`; alternate `forgerock.operation: UPDATE` (removed by pipeline). `event.category: [configuration]` set. Actor: `user.id` + `user.effective.id`. Target Layer 2: config node (`forgerock.objectId: sync`) with `forgerock.changedFields`.
+
+#### `idm_sync`
+
+True sync audit. **Action:** `event.action` absent — primary candidate `forgerock.action` (`ASYNC`, `UPDATE`); fallback `forgerock.eventName: sync`. Actor: `user.id` (sync initiator).
Target Layer 2: `forgerock.sourceObjectId` (5/5), `forgerock.targetObjectId` (1/5). Layer 3: `forgerock.mapping`, `forgerock.situation`.
+
+#### `am_core`
+
+Debug-only — not IAM audit. **Action:** no per-event action; `event.reason` ← `forgerock.message`. No actor/target semantics. `log.logger`, `process.name`, optional `error.stack_trace`; `transaction.id` on some events for correlation.
+
+#### `idm_core`
+
+Debug-only — not IAM audit. **Action:** no per-event action; `event.reason` ← `forgerock.payload` (string or `payload.message`). No actor/target semantics. Structured debug fields under `forgerock.idm_core.*` after pipeline rename.
+
+## Example Event Graph
+
+These examples come from nine IAM audit streams (four AM, five IDM) in `packages/forgerock/`; `am_core` and `idm_core` debug streams are omitted because they lack per-event actor/action/target semantics.
+
+### Example 1: OAuth token access attempt
+
+**Stream:** `forgerock.am_access` · **Fixture:** `packages/forgerock/data_stream/am_access/_dev/test/pipeline/test-am-access.log-expected.json`
+
+```
+HTTP client (1.128.0.0) → AM-ACCESS-ATTEMPT → OAuth service (/am/oauth2/access_token)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| ip | 1.128.0.0 |
+| type | host |
+
+**Field sources:**
+- `ip` ← `client.ip`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | AM-ACCESS-ATTEMPT |
+| source_field | `event.action` |
+| source_value | AM-ACCESS-ATTEMPT |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| name | OAuth |
+| type | service |
+
+**Field sources:**
+- `name` ← `service.name` ← `forgerock.component`
+- API endpoint context ← `http.request.Path` (`https://openam-chico-poc.forgeblocks.com/am/oauth2/access_token`)
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: client 1.128.0.0"] --> E["AM-ACCESS-ATTEMPT"]
+ E --> T["Target: OAuth /am/oauth2/access_token"]
+```
+
+### Example 2: AM login completed
+
+**Stream:** `forgerock.am_authentication` · **Fixture:**
`packages/forgerock/data_stream/am_authentication/sample_event.json`
+
+```
+Service account (autoid-resource-server) → AM-LOGIN-COMPLETED → Authentication service
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | id=autoid-resource-server,ou=agent,ou=am-config |
+| name | autoid-resource-server |
+| type | user |
+| sub_type | service_account |
+
+**Field sources:**
+- `id` ← `user.id`
+- `name` ← `forgerock.principal[]` (vendor-only; not mapped to `user.name` today)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | AM-LOGIN-COMPLETED |
+| source_field | `event.action` |
+| source_value | AM-LOGIN-COMPLETED |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| name | Authentication |
+| type | service |
+
+**Field sources:**
+- `name` ← `service.name`
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: autoid-resource-server"] --> E["AM-LOGIN-COMPLETED"]
+ E --> T["Target: Authentication service"]
+```
+
+### Example 3: IDM repository sync (async)
+
+**Stream:** `forgerock.idm_sync` · **Fixture:** `packages/forgerock/data_stream/idm_sync/sample_event.json`
+
+```
+Sync initiator (d7cd65bf-…) → ASYNC → managed alpha_user object
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | d7cd65bf-743c-4753-a78f-a20daae7e3bf |
+| type | user |
+
+**Field sources:**
+- `id` ← `user.id`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | ASYNC |
+| source_field | `forgerock.action` |
+| source_value | ASYNC |
+
+Action derived from `forgerock.action` — **not mapped to ECS `event.action` today** (generic `forgerock.eventName: sync` is the vendor fallback).
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | managed/alpha_user/9d88b635-9b7a-48d3-9a57-1978b99a5f41 |
+| type | user |
+| sub_type | managed_object |
+
+**Field sources:**
+- `id` ← `forgerock.sourceObjectId` (vendor-only; not mapped to `user.target.id` today)
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: d7cd65bf-743c-4753-a78f-a20daae7e3bf"] --> E["ASYNC"]
+ E --> T["Target: managed/alpha_user/9d88b635-…"]
+```
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (policy template `forgerock`, eleven `data_stream/` directories with Tier A fixtures and ingest pipelines). Router: **`data_stream.dataset`** (`forgerock.` per stream manifest). Nine IAM audit streams get fill-gaps extraction; **`forgerock.am_core`** and **`forgerock.idm_core`** are excluded (debug). Pass 4 is **fill-gaps-only**: detection flags (`actor_exists`, `target_exists`, `action_exists`) run first for query semantics; **mapped columns use column-level preserve** (` IS NOT NULL`) — valid **3-arg**, **5-arg**, or **7-arg** `CASE` only — not `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` and never **4-arg** `CASE( IS NOT NULL, , bare_field, null)` (bare field parses as a boolean condition). No ECS `*.target.*` at ingest today — fallbacks promote `service.name` → `service.target.name`, vendor `forgerock.objectId` / `sourceObjectId` / `targetObjectId` → `user.target.*` / `entity.target.*`, and `client.ip` → `host.ip` on client-only access attempts (Pass 3). AM login targets the invoked subsystem (`service.target.name` from `service.name`), not self-referential `user.target.*`.
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `forgerock.am_access` | AM API access audit | host (client) / user (outcome) | service, general (API path) | partial |
+| `forgerock.am_authentication` | AM login audit | user | service | full |
+| `forgerock.am_activity` | AM session/identity audit | user | user, service, general (session) | full |
+| `forgerock.am_config` | AM config audit | user | general (config DN) | full |
+| `forgerock.idm_access` | IDM REST access audit | user / host (client) | general (API path) | partial |
+| `forgerock.idm_authentication` | IDM login audit | user | service | partial |
+| `forgerock.idm_activity` | IDM object CRUD audit | user | user, general | full |
+| `forgerock.idm_config` | IDM config audit | user | general | full |
+| `forgerock.idm_sync` | IDM repository sync | user | user | full |
+| `forgerock.am_core` | AM debug | — | — | none |
+| `forgerock.idm_core` | IDM debug | — | — | none |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.id` | `user.id` (ingest ← `forgerock.userId`) | `data_stream.dataset IN ("forgerock.am_activity", "forgerock.am_config", "forgerock.am_authentication", "forgerock.am_access", "forgerock.idm_access", "forgerock.idm_authentication", "forgerock.idm_activity", "forgerock.idm_config", "forgerock.idm_sync")` | high | **ingest-only — no ES|QL**; no query-time vendor path after pipeline rename; omitted from actor `EVAL` (Pass 4 #10) |
+| `user.name` | `MV_FIRST(forgerock.principal)` | `data_stream.dataset IN ("forgerock.am_authentication", "forgerock.idm_authentication")` | medium | **vendor fallback**; column-level preserve (`user.name IS NOT NULL` first) because `user.id` alone sets `actor_exists` |
+| `user.effective.id` | `user.effective.id`
(ingest ← `forgerock.runAs`) | `data_stream.dataset IN ("forgerock.am_activity", "forgerock.am_config", "forgerock.idm_activity", "forgerock.idm_config")` | high | **ingest-only — no ES|QL**; no alternate source at query time; omitted from actor `EVAL` |
+| `host.ip` | `client.ip` | `data_stream.dataset IN ("forgerock.am_access", "forgerock.idm_access")` | high | **vendor fallback**; HTTP client as actor when `host.ip` empty (Pass 3 Example 1) |
+
+`actor_exists` uses standard user/host/service/entity predicates; **`client.ip` is not in `actor_exists`** so client-only access attempts still receive `host.ip` fallback.
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `service.target.name` | `service.name` | `data_stream.dataset IN ("forgerock.am_access", "forgerock.am_authentication", "forgerock.am_activity") AND service.name IS NOT NULL` | high | **vendor fallback** ← `forgerock.component`; login → Authentication/OAuth (Pass 3) |
+| `service.target.name` | `"Identity Management"` | `data_stream.dataset == "forgerock.idm_authentication"` | low | **semantic literal**; no `component` on IDM auth fixtures |
+| `user.target.id` | `forgerock.sourceObjectId` | `data_stream.dataset == "forgerock.idm_sync"` | high | **vendor fallback**; Pass 3 Example 3 |
+| `user.target.id` | `forgerock.targetObjectId` | `data_stream.dataset == "forgerock.idm_sync" AND forgerock.targetObjectId IS NOT NULL` | high | **vendor fallback**; confirmed link (1/5 fixtures) |
+| `user.target.id` | `forgerock.objectId` | `data_stream.dataset IN ("forgerock.am_activity", "forgerock.idm_activity") AND STARTS_WITH(forgerock.objectId, "managed/")` | medium | **vendor fallback**; managed-object heuristic |
+| `entity.target.id` | `forgerock.objectId` | `data_stream.dataset IN ("forgerock.am_activity", "forgerock.am_config", "forgerock.idm_activity", "forgerock.idm_config") AND forgerock.objectId IS NOT
NULL AND NOT STARTS_WITH(forgerock.objectId, "managed/")` | high | **vendor fallback**; sessions, AM identity DNs, config nodes | +| `entity.target.id` | `http.request.Path` | `data_stream.dataset IN ("forgerock.am_access", "forgerock.idm_access") AND http.request.Path IS NOT NULL` | medium | **vendor fallback**; Layer 3 API endpoint | + +#### Event action mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `event.action` | `event.action` | `data_stream.dataset IN ("forgerock.am_access", "forgerock.am_authentication", "forgerock.am_activity", "forgerock.am_config")` | high | **preserve existing**; ingest ← `forgerock.eventName` | +| `event.action` | `forgerock.action` | `data_stream.dataset == "forgerock.idm_sync" AND forgerock.action IS NOT NULL` | high | **vendor fallback**; prefer over generic `eventName: sync` (Pass 2) | +| `event.action` | `forgerock.eventName` | `data_stream.dataset IN ("forgerock.idm_access", "forgerock.idm_authentication", "forgerock.idm_activity", "forgerock.idm_config", "forgerock.idm_sync")` | high | **vendor fallback**; IDM audit streams | + +### Detection flags (mandatory — run first) + +```esql +| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +``` + +No `*.target.*` populated at ingest — `target_exists` is typically false until fallback `EVAL`s 
run in the same query. + +**Semantics:** `actor_exists` / `target_exists` / `action_exists` are query-time helpers. Actor/target/action **`EVAL` blocks use column-level preserve** (` IS NOT NULL`) — not `CASE(actor_exists, host.ip, …)` / `CASE(target_exists, service.target.name, …)` — so e.g. `user.id` on auth streams does not block `user.name` ← `MV_FIRST(forgerock.principal)` when `user.name` is empty (Pass 4 §10). + +### Optional classification helpers (when needed) + +Set in **fallback** only (column-level preserve on `entity.target.type` / `entity.target.sub_type`): + +```esql +| EVAL + entity.type = CASE( + entity.type IS NOT NULL, entity.type, + data_stream.dataset IN ("forgerock.am_access", "forgerock.idm_access") AND user.id IS NULL AND client.ip IS NOT NULL, "host", + data_stream.dataset IN ("forgerock.am_access", "forgerock.idm_access", "forgerock.am_authentication", "forgerock.idm_authentication", "forgerock.am_activity", "forgerock.am_config", "forgerock.idm_activity", "forgerock.idm_config", "forgerock.idm_sync"), "user", + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset IN ("forgerock.am_access", "forgerock.am_authentication", "forgerock.am_activity") AND service.name IS NOT NULL, "service", + data_stream.dataset == "forgerock.idm_authentication", "service", + data_stream.dataset == "forgerock.idm_sync", "user", + data_stream.dataset IN ("forgerock.am_activity", "forgerock.idm_activity") AND STARTS_WITH(forgerock.objectId, "managed/"), "user", + data_stream.dataset IN ("forgerock.am_activity", "forgerock.am_config", "forgerock.idm_activity", "forgerock.idm_config"), "general", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset IN ("forgerock.am_activity", "forgerock.idm_activity") AND STARTS_WITH(forgerock.objectId, "managed/"), "managed_object", + null + ) +``` + +### Combined ES|QL — actor fields + 
+```esql
+| EVAL
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset IN ("forgerock.am_authentication", "forgerock.idm_authentication"), MV_FIRST(forgerock.principal),
+ null
+ ),
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset IN ("forgerock.am_access", "forgerock.idm_access") AND client.ip IS NOT NULL, client.ip,
+ null
+ )
+```
+
+`user.id` and `user.effective.id` are populated at ingest only — no `CASE` emitted when fallback would re-read the same column (Pass 4 #10).
+
+### Combined ES|QL — event action
+
+```esql
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "forgerock.idm_sync" AND forgerock.action IS NOT NULL, forgerock.action,
+ data_stream.dataset IN ("forgerock.idm_access", "forgerock.idm_authentication", "forgerock.idm_activity", "forgerock.idm_config", "forgerock.idm_sync") AND forgerock.eventName IS NOT NULL, forgerock.eventName,
+ null
+ )
+```
+
+AM audit streams already populate `event.action` at ingest — `action_exists` preserves them.
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset IN ("forgerock.am_access", "forgerock.am_authentication", "forgerock.am_activity") AND service.name IS NOT NULL, service.name,
+ data_stream.dataset == "forgerock.idm_authentication", "Identity Management",
+ null
+ ),
+ user.target.id = CASE(
+ user.target.id IS NOT NULL, user.target.id,
+ data_stream.dataset == "forgerock.idm_sync" AND forgerock.sourceObjectId IS NOT NULL, forgerock.sourceObjectId,
+ data_stream.dataset IN ("forgerock.am_activity", "forgerock.idm_activity") AND STARTS_WITH(forgerock.objectId, "managed/"), forgerock.objectId,
+ data_stream.dataset == "forgerock.idm_sync" AND forgerock.targetObjectId IS NOT NULL, forgerock.targetObjectId,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset IN ("forgerock.am_activity", "forgerock.am_config", "forgerock.idm_activity", "forgerock.idm_config") AND forgerock.objectId IS NOT NULL AND NOT STARTS_WITH(forgerock.objectId, "managed/"), forgerock.objectId,
+ data_stream.dataset IN ("forgerock.am_access", "forgerock.idm_access") AND http.request.Path IS NOT NULL, http.request.Path,
+ null
+ )
+```
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ user.name = CASE(user.name IS NOT NULL, user.name, data_stream.dataset IN ("forgerock.am_authentication", "forgerock.idm_authentication"), MV_FIRST(forgerock.principal), null),
+ host.ip = CASE(host.ip IS NOT NULL, host.ip, data_stream.dataset IN ("forgerock.am_access", "forgerock.idm_access") AND client.ip IS NOT NULL, client.ip, null)
+| EVAL
+ event.action = CASE(event.action IS NOT NULL, event.action, data_stream.dataset == "forgerock.idm_sync" AND forgerock.action IS NOT NULL, forgerock.action, data_stream.dataset IN ("forgerock.idm_access", "forgerock.idm_authentication", "forgerock.idm_activity", "forgerock.idm_config", "forgerock.idm_sync") AND forgerock.eventName IS NOT NULL, forgerock.eventName, null)
+| EVAL
+ service.target.name = CASE(service.target.name IS NOT NULL, service.target.name, data_stream.dataset IN ("forgerock.am_access", "forgerock.am_authentication", "forgerock.am_activity") AND service.name IS NOT NULL, service.name, data_stream.dataset == "forgerock.idm_authentication", "Identity Management", null),
+ user.target.id = CASE(user.target.id IS NOT NULL, user.target.id, data_stream.dataset == "forgerock.idm_sync" AND forgerock.sourceObjectId IS NOT NULL, forgerock.sourceObjectId, data_stream.dataset IN ("forgerock.am_activity", "forgerock.idm_activity") AND STARTS_WITH(forgerock.objectId, "managed/"), forgerock.objectId, data_stream.dataset == "forgerock.idm_sync" AND forgerock.targetObjectId IS NOT NULL, forgerock.targetObjectId, null),
+ entity.target.id = CASE(entity.target.id IS NOT NULL, entity.target.id, data_stream.dataset IN ("forgerock.am_activity", "forgerock.am_config", "forgerock.idm_activity", "forgerock.idm_config") AND forgerock.objectId IS NOT NULL AND NOT STARTS_WITH(forgerock.objectId, "managed/"), forgerock.objectId, data_stream.dataset IN ("forgerock.am_access", "forgerock.idm_access") AND http.request.Path IS NOT NULL, http.request.Path, null)
+| KEEP @timestamp, data_stream.dataset, event.action, user.id, user.name, host.ip, service.target.name, user.target.id, entity.target.id
+```
+
+### Streams excluded
+
+- **`forgerock.am_core`** — AM platform debug logger output; `event.reason` ← free-text message; no actor/target audit semantics.
+- **`forgerock.idm_core`** — IDM debug output; structured debug fields only; no per-event actor/target graph.
+
+### Gaps and limitations
+
+- **`user.id` / `user.effective.id`:** Ingest-only actor columns; no ES|QL `CASE` (no alternate query-time source after `forgerock.userId` / `forgerock.runAs` rename).
+- **`forgerock.principal[]` → `user.name`:** Medium confidence MV_FIRST; not mapped at ingest (Pass 2 enhancement candidate); column-level preserve used because `user.id` alone satisfies `actor_exists`.
+- **`user.id` vs target object ambiguity:** Same DN/UUID shape on auth (actor) and activity (target) streams — dataset + `STARTS_WITH(forgerock.objectId, "managed/")` guard reduces false positives; not foolproof for AM identity DNs (`fr-idm-uuid=…`).
+- **Partial actor on multi-stage events:** `am_access` attempts and auth module steps omit `userId` — correlate via `transaction.id` / `forgerock.trackingIds[]`.
+- **`idm_authentication` no `service.name`:** Semantic literal `"Identity Management"` for login service target (Pass 3).
+- **`forgerock.sourceObjectId` / `targetObjectId`:** IDM sync repository endpoints — not network `source.*`/`destination.*` (Pass 2).
+- **`client.domain`:** Mapped on AM access only (`forgerock.client.host` → `client.domain`) — omitted from actor EVAL.
+- **`user.target.email` / `user.target.name`:** No indexed source; omitted.
+- **Pass 2 enhancement alignment** — ingest-time `*.target.*` and IDM `event.action` ← `forgerock.eventName` remain preferred; Pass 4 fills gaps without overwriting populated values.
+- **Pass 4 CASE syntax (§10)** — actor/target/action `EVAL` use column-level `IS NOT NULL` preserve (not `CASE(actor_exists, …)` / `CASE(target_exists, …)`); pipeline fragment aligned with combined blocks (no **4-arg** `CASE(flag, col, bare_field, null)`); `user.name` uses **5-arg** with dataset guard in fragment (auth streams only).
diff --git a/dev/domain/p1/fortinet_fortigate.md b/dev/domain/p1/fortinet_fortigate.md
new file mode 100644
index 00000000000..016e3449ee2
--- /dev/null
+++ b/dev/domain/p1/fortinet_fortigate.md
@@ -0,0 +1,540 @@
+# fortinet_fortigate
+
+## Product Domain
+
+FortiGate is Fortinet's next-generation firewall (NGFW) platform, running the FortiOS operating system on physical appliances, virtual machines, and cloud instances. Positioned at network perimeters and internal segmentation boundaries, FortiGate enforces stateful firewall policies that allow or deny traffic based on source, destination, application, user identity, and security profile. Beyond basic packet filtering, FortiGate provides Unified Threat Management (UTM) capabilities—intrusion prevention (IPS), antivirus, web filtering, application control, DNS filtering, and SSL/TLS inspection—applied inline as traffic traverses the device.
+
+FortiGate is a central component of Fortinet's Security Fabric, integrating with FortiAnalyzer, FortiManager, FortiClient, and other Fortinet products for centralized logging, policy orchestration, and endpoint telemetry. Deployments commonly span branch offices, data centers, and cloud environments, with high-availability (HA) clustering, virtual domains (VDOMs) for multi-tenant isolation, and IPsec/SSL VPN for remote access and site-to-site connectivity. Administrators configure policies, profiles, and routing through the GUI or CLI, and the device generates detailed syslog records for every security-relevant decision.
+
+From a security operations perspective, FortiGate logs are the primary audit trail for perimeter defense: which sessions were permitted or blocked, which UTM modules triggered on a flow, who authenticated via VPN or admin login, and what system or configuration events occurred. Security teams rely on these logs for SIEM correlation, threat hunting, compliance auditing, incident investigation, and monitoring VPN health, policy effectiveness, and UTM detection coverage across the estate.
+ +## Data Collected (brief) + +The integration collects FortiGate syslog via Elastic Agent over **TCP**, **UDP**, or **logfile** input into a single **log** data stream (`fortinet_fortigate.log`). Log types include: + +| Category | Description | +|---|---| +| **Traffic** | Firewall allow/deny decisions with session metadata (source/destination IPs and ports, interfaces, policy ID, bytes/packets, NAT) | +| **UTM** | Security profile events—application control, web filter, IPS, antivirus, DNS filter, DLP, and related subtypes | +| **Event** | System events, HA failover, configuration changes, and operational alerts | +| **Authentication** | VPN, administrator, and user login/logout events | + +Events are parsed from FortiOS key-value syslog format (tested on FortiOS 6.x and 7.x) into ECS fields (`source`, `destination`, `network`, `observer`, `rule`, `url`, `dns`, `tls`, etc.) with vendor-specific details retained under `fortinet.firewall.*`. A bundled Kibana dashboard ("Fortinet FortiGate Overview") visualizes traffic, UTM, and authentication activity. + +## Expected Audit Log Entities + +FortiGate syslog is session- and flow-centric across a single **`log`** data stream. **`fortinet.firewall.type=traffic`** and **`utm`/`dns`** are audit-adjacent network telemetry (allow/deny decisions, UTM detections); **`type=event`** covers VPN, FSSO/user auth, FortiClient endpoint, HA, config, and system events; admin **`login`** events are routed to a dedicated login sub-pipeline when the message contains "login"/"logged in". The integration has rich actor identity on flows and auth events but **no ECS `*.target.*` fields** are populated today (`dev/target-fields-audit/out/target_fields_audit.csv` — no rows for this package). The target-fields audit classified this package as **`strong_candidate`** with **`pipeline_dest_identity=true`**, **`pipeline_actor=true`**, and **`fixture_strong=true`** (`dev/target-fields-audit/out/target_enhancement_packages.csv`). 
**`destination.user.name`** is the sole **`destination.user.*`** pipeline mapping, listed in **`destination_identity_hits.csv`**. **`event.action`** is populated for **traffic**, **UTM/DNS**, and **login** sub-types but **absent for most `type=event` logs** where `fortinet.firewall.action` retains the vendor operation name unmapped. Evidence: `packages/fortinet_fortigate/data_stream/log/sample_event.json`, `data_stream/log/_dev/test/pipeline/test-fortinet.log-expected.json`, `test-fortinet-7-4.log-expected.json`, and ingest pipelines `default.yml`, `traffic.yml`, `utm.yml`, `event.yml`, `login.yml`. + +### Event action (semantic) + +FortiGate logs carry two related action concepts: **`action`** (session outcome or operational verb) and **`eventtype`** (UTM module event name). The pipeline maps these to ECS `event.action` differently per sub-type. + +| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | +| `accept`, `deny`, `close`, `start`, `server-rst`, `client-rst`, `ip-conn`, `timeout` | data_access / network | high | `event.action` ← `fortinet.firewall.action` in traffic fixtures (`test-fortinet.log-expected.json`: `deny`, `accept`, `close`; `test-fortinet-7-4.log-expected.json`: `timeout`) | **`traffic`** — session lifecycle / firewall policy outcome; not an admin operation | +| `app-ctrl-all`, `dns-query`, `dns-response`, `signature`, `ssl-anomalies`, `ssl-negotiation`, `ssl-exempt`, `ftgd_blk`, `ftgd_allow`, `infected`, `dlp`, `ssh-channel`, `cifs-filefilter`, `voip`, `anomaly` | detection / data_access | high | `event.action` ← `fortinet.firewall.eventtype` via `default.yml:375-380` rename when unset; `sample_event.json` (`app-ctrl-all`), fixtures (`dns-query`, `signature`, `ssl-anomalies`, `ftgd_blk`, `infected`, `dlp`) | **`utm`/`dns`** — UTM module event name; parallel `fortinet.firewall.action` holds pass/block/detect outcome | +| `login` | authentication | high | Static `event.action: 
login` in `login.yml:8-12`; admin SSH/HTTPS login fixtures (`test-fortinet.log-expected.json`, `test-fortinet-7-4.log-expected.json`) | **`login`** sub-pipeline (message-triggered); overrides vendor `action=login` on same field | +| `FSSO-logon`, `FSSO-logoff`, `auth-logon`, `auth-logout` | authentication | high (vendor) | `fortinet.firewall.action` only — **no** `event.action` in fixtures (`test-fortinet.log-expected.json` FSSO-logon/logoff events) | **`event`** (`subtype=user`) — user auth lifecycle; enhancement gap | +| `negotiate`, `tunnel-up`, `tunnel-stats`, `authentication`, `add`, `close`, `connect`, `disconnect` | authentication / network | high (vendor) | `fortinet.firewall.action` in VPN/endpoint fixtures; `event.action` absent (`test-fortinet.log-expected.json`, `test-fortinet-7-4.log-expected.json`) | **`event`** (`subtype=vpn`, `endpoint`) — VPN tunnel lifecycle | +| `perf-stats`, `object-add`, `object-remove`, `Health Check`, `SLA`, `Cellular Connected` | administration / configuration_change | medium (vendor) | Vendor `action` in `test-fortinet-6-2.log-expected.json`, `test-fortinet-7-4.log-expected.json`; no ECS `event.action` | **`event`** (`subtype=system`, `update`, perf/HA/cellular) — operational telemetry | + +Traffic and UTM streams have consistent `event.action` coverage. **`type=event`** logs are the primary gap: FortiOS uses the `action` KV field for operational verbs but the pipeline only backfills `event.action` from `fortinet.firewall.eventtype` (UTM-specific), leaving VPN, FSSO, FortiClient, and system events without ECS action. + +### Event action (ECS candidates) + +| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | +| `fortinet.firewall.action` → `event.action` | yes (**traffic** only) | yes | `accept`, `deny`, `close`, `start`, `server-rst`, `client-rst` | no | `traffic.yml:8-12` `set` when `type=traffic`; deny/accept/close fixtures | +| `fortinet.firewall.eventtype` → `event.action` | yes (**utm**/**dns**, fallback) | yes | `app-ctrl-all`, `dns-query`, `dns-response`, `signature`, `ssl-anomalies`, `infected`, `dlp` | no | `default.yml:375-380` rename when `ctx.event?.action == null`; `sample_event.json`, UTM fixtures | +| Static `"login"` → `event.action` | yes (**login** sub-pipeline) | yes | `login` | no | `login.yml:8-12`; SSH/HTTPS admin login fixtures | +| `fortinet.firewall.action` (retained, **event** type) | **no** | n/a | `FSSO-logon`, `FSSO-logoff`, `negotiate`, `tunnel-up`, `add`, `auth-logon`, `perf-stats` | **yes** | Vendor field populated in `type=event` fixtures; never copied to `event.action` — event pipeline (`event.yml`) does not set action | +| `fortinet.firewall.action` (retained, **utm** outcome) | partial | partial | `pass`, `block`, `blocked`, `detected`, `dropped`, `exempt`, `passthrough` | partial | Session/UTM **outcome** on same field name as traffic session action; drives `event.type`/`event.outcome` in `utm.yml` but not `event.action` when `eventtype` already set | +| `fortinet.firewall.subtype` | no | n/a | — | no | Log sub-category (`forward`, `vpn`, `app-ctrl`, `user`); complements action, not a substitute | +| `fortinet.firewall.logdesc` → `rule.description` | no | n/a | — | partial | Human-readable event summary (e.g. "FSSO logon authentication status"); useful display, not normalized action | +| `event.type` / `event.category` / `event.outcome` | n/a | partial | Derived (`allowed`, `denied`, `connection`, `authentication`, …) | no | Enrichment keyed on action fields; do not substitute for `event.action` | + +**Step 2b — per-stream check:** + +| Stream | `event.action` in fixtures? 
| Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `log` — traffic (`type=traffic`) | yes | yes | `fortinet.firewall.action` | high | `traffic.yml:8-12`; accept/deny/close in all traffic fixture files | +| `log` — UTM/DNS (`type=utm`/`dns`) | yes | yes (via `eventtype` rename) | `fortinet.firewall.eventtype` | high | `default.yml:375-380`; `sample_event.json` (`app-ctrl-all`); dns-query/signature/ssl fixtures | +| `log` — login (message-triggered) | yes | yes | static `login` | high | `login.yml:8-12`; SSH/HTTPS login fixtures in `test-fortinet.log-expected.json` | +| `log` — event (`type=event`) | **no** (fixtures) | **no** | `fortinet.firewall.action` | high | FSSO-logon, negotiate, tunnel-up, add, auth-logon in vendor field only; `eventtype` rename never fires (field absent on event logs) | + +### Actor (semantic) + +| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | +| Flow originator (internal endpoint) | host | — | high | `source.ip`, `source.port`, `source.mac`, `source.bytes`/`source.packets` ← `srcip`/`srcport`/`srcmac`/`sentbyte`/`sentpkt` (`traffic.yml`, `utm.yml`); deny/accept/close samples in `test-fortinet.log-expected.json` | **`traffic`**, **`utm`/`dns`** — default actor for forward/local traffic | +| Source hostname | host | — | high | `host.name` ← lowercase `fortinet.firewall.srcname` (`default.yml`); `HOSTNAME-FOR-PC` → `hostname-for-pc` in traffic deny fixture (`test-fortinet.log-expected.json`) | **`traffic`** — enriches source-side endpoint; also in `related.hosts` | +| Identity-aware flow user | user | — | high | `source.user.name` ← `user` or `unauthuser`; `source.user.group.name` ← `group` (`traffic.yml`, `utm.yml`); `elasticuser`/`elasticuser2` in webfilter/app-ctrl/SSL fixtures; Kerberos `unauthuser="USER-NAME"` → `source.user.name` in traffic deny fixture | **`traffic`**, 
**`utm`/`dns`** — authenticated or passively identified user on the initiating side | +| VPN remote client | host | — | high | After `remip`/`locip` swap (`event.yml` script): remote peer → `source.ip`/`source.port`; IPsec negotiate and SSL tunnel-up samples (`test-fortinet.log-expected.json`, `test-fortinet-7-4.log-expected.json`) | **`event`** (`subtype=vpn`) — swap makes remote client the actor | +| VPN XAuth user | user | — | high | `source.user.name` ← `fortinet.firewall.xauthuser` when `subtype=vpn` (`event.yml`); `someuser` on SSL tunnel-up, `user1` on IPsec tunnel-stats (`test-fortinet.log-expected.json`, `test-fortinet-7-4.log-expected.json`) | **`event`** (`subtype=vpn`) — explicit VPN user identity when XAuth is set | +| FSSO / user logon-off subject | user | — | high | `source.user.name` ← `user`; `source.ip` ← `srcip` (`event.yml`); FSSO-logon `elasticouser`, FSSO-logoff `elasticadmin` fixtures | **`event`** (`subtype=user`, actions `FSSO-logon`/`FSSO-logoff`/`auth-logon`/`auth-logout`) | +| FortiClient connecting user | user | — | high | `source.user.name` ← `user` (`event.yml`); `skubas`/`elastico` on FortiClient add/close (`test-fortinet-7-4.log-expected.json`, `test-fortinet.log-expected.json`) | **`event`** (`subtype=endpoint`) — user is actor; endpoint device is target (vendor fields) | +| Administrator / portal login user | user | — | high | `user.name`, `source.user.name` ← dissected from message or `fortinet.firewall.user`; `user.roles`/`source.user.roles` ← `adminprof` or role prefix (`login.yml`, `default.yml`); `philipp`/`Super_User` successful login, SSH/HTTPS failure fixtures | **`login`** (message-triggered sub-pipeline) and **`event`** (`subtype=system` with login desc) | +| Admin login client endpoint | host | — | high | `source.ip`, `source.port` from message dissect or `userfrom="JSON(192.168.0.10)"` dissect (`login.yml`); `192.168.0.10` in successful login fixture | **`login`** | +| HTTP client user-agent | general | http_client | 
moderate | `user_agent.original` ← `fortinet.firewall.agent` (`utm.yml`); `curl/7.47.0` in virus sample (`test-fortinet-7-4.log-expected.json`) | **`utm`** — client software context, not a security principal | +| Email sender (filter subtypes) | general | email_sender | moderate | `email.from.address`/`email.sender.address` ← `from`/`sender` (`utm.yml`); pipeline only, no fixture | **`utm`** (email-filter subtypes) | + +System/HA/update/perf events (`subtype=system`, `update`, `perf-stats`) often have no distinct human actor beyond the logging **`observer.*`** appliance identity. + +### Actor (ECS candidates) + +| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `source.ip`, `source.port`, `source.mac` | Flow/VPN client endpoint | yes | yes | high | `traffic.yml`, `utm.yml`, `event.yml`; populated in traffic/UTM/VPN fixtures | +| `source.user.name` | Identity-aware flow user, VPN XAuth user, FSSO/user auth subject | yes | yes | high | ← `user`/`unauthuser` (`traffic.yml`, `utm.yml`); ← `xauthuser` when `subtype=vpn` (`event.yml`); FSSO-logon fixture | +| `source.user.group.name` | User group on flow/VPN | yes | yes | high | ← `group` (`traffic.yml`, `utm.yml`, `event.yml`); `elasticgroup`/`somegroup` in fixtures | +| `source.user.roles` | Admin profile / dissected role | yes | yes | high | ← `adminprof` or grok `_tmp.user.roles` (`login.yml`); `Super_User`, `Administrator` in login fixtures | +| `user.name` | Canonical admin/flow user copy | yes | yes | high | Copied from `source.user.name` in `default.yml`; set from dissect in `login.yml` | +| `user.roles` | Admin profile | yes | yes | high | ← `fortinet.firewall.adminprof` (`login.yml`) | +| `host.name` | Source-side hostname | yes | partial | high | ← lowercase `srcname` (`default.yml`); maps source hostname, not a generic host actor field per ECS | +| `user_agent.original` | HTTP client software | yes | yes | moderate | ← `agent` 
(`utm.yml`) | +| `related.user` | Enrichment array | yes | yes | high | Appends `source.user.name` and `destination.user.name` (`default.yml:747-755`) | +| `fortinet.firewall.unauthusersource` | Kerberos/passive ID source | yes (vendor) | n/a | moderate | Retained vendor field; `kerberos` on traffic deny with `unauthuser` fixture | +| `fortinet.firewall.authserver` | External auth server name on UTM flows | yes (vendor) | n/a | moderate | Present in webfilter fixtures (`elasticauth`); not mapped to ECS actor | +| `fortinet.firewall.xauthuser` | VPN XAuth username (vendor copy) | yes (vendor) | n/a | high | Also copied to `source.user.name` for `subtype=vpn`; tunnel-stats fixture | +| `observer.name`, `observer.serial_number`, `observer.product`, `observer.vendor`, `observer.type` | Logging FortiGate appliance | yes | yes | high | Set in `default.yml`; all fixtures — observer identity, not the human actor | + +### Target (semantic) + +| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | --- | --- | +| 2 — Resource / object | Session remote peer (IP/MAC/NAT) | Remote host / server | host | — | high | `destination.ip`, `destination.port`, `destination.mac`, `destination.nat.ip`, `destination.address` ← `dstname` (`traffic.yml`, `utm.yml`, `event.yml`); forward allow/deny/UTM samples | **`traffic`**, **`utm`/`dns`** — network peer; primary Layer 2 target for flows | +| 2 — Resource / object | Inspected application / protocol | Network service | service | — | high | `network.application`, `network.protocol`, `network.transport` ← `app`/`service`/`proto` (`traffic.yml`, `utm.yml`); Skype/HTTPS/DNS/SSL samples | **`traffic`**, **`utm`/`dns`** | +| 2 — Resource / object | Destination-side user identity on flow | Remote/unauth user | user | — | moderate | `destination.user.name` ← `dstunauthuser` (`traffic.yml:115-117`); appended to `related.user` 
(`default.yml:752-755`); **no pipeline fixture** | **`traffic`** only — de-facto target user when FortiOS reports destination-side unauthenticated identity | +| 2 — Resource / object | VPN local firewall endpoint (post-swap) | FortiGate VPN interface | host | — | high | After `remip`/`locip` swap: local endpoint → `destination.ip`/`destination.port` (`event.yml`); IPsec negotiate where remip≠locip | **`event`** (`subtype=vpn`) | +| 2 — Resource / object | VPN tunnel resource | VPN tunnel | service | — | high | `fortinet.firewall.vpntunnel`, `fortinet.firewall.tunnelip`, `fortinet.firewall.tunneltype`, `fortinet.firewall.tunnelid` (`event.yml`; vendor-retained); tunnel-up, tunnel-stats, IPsec progress logs | **`event`** (`subtype=vpn`) | +| 2 — Resource / object | FortiClient managed endpoint | Endpoint device | host | — | high | `fortinet.firewall.name`, `fortinet.firewall.ip`, `fortinet.firewall.fctuid` (vendor-only); `VAN-200957-PC`/`skubas` FortiClient add/close fixtures | **`event`** (`subtype=endpoint`) — user is actor, endpoint is target | +| 2 — Resource / object | FortiGate management plane (admin access target) | Management service | service | — | high | `destination.ip` on admin login events where `dstip` present (`event.yml`, login context); SSH/HTTPS login failure samples with `dstip=10.123.26.24x` | **`login`**, auth-related **`event`** | +| 2 — Resource / object | Config / address objects | Address or group | host | — | moderate | `fortinet.firewall.addr`, `fortinet.firewall.addrgrp`, `destination.address` ← `daddr`/`dst_host` (`event.yml`); sparse fixture coverage | **`event`** (`subtype=system` config changes) | +| 2 — Resource / object | External auth / FSSO server | Auth server | general | auth_server | moderate | `fortinet.firewall.authserver`, `fortinet.firewall.server` (vendor-only); FSSO-logon `server="elasticserver"` fixture | **`event`** (`subtype=user`), **`utm`** (`authserver` on identity-aware flows) | +| 3 — Content / artifact | Web 
destination URL | HTTP URL | general | url | high | `url.domain`, `url.path`, `url.full` ← `hostname`/`url` (`utm.yml`, `traffic.yml`); dailymotion, elastic.co, proxy-policy deny with `url=` | **`utm`/`dns`**, proxy-policy **`traffic`** | +| 3 — Content / artifact | DNS query / response | DNS name | general | dns_name | high | `dns.question.name`, `dns.resolved_ip`, `dns.question.type` (`utm.yml`); dns-query/dns-response fixtures | **`utm`** (`subtype=dns`) | +| 3 — Content / artifact | Antivirus / DLP file | File object | general | file | high | `file.name`, `file.size`, `file.extension` ← `filename`/`infectedfilename`/`matchedfilename` (`utm.yml`); `eicar.com` virus fixture | **`utm`** (antivirus/DLP subtypes) | +| 3 — Content / artifact | Email recipient | Mailbox user | user | — | moderate | `email.to.address` ← `recipient`/`dstcollectedemail` (`utm.yml`, `traffic.yml`); pipeline only | **`utm`** (email-filter), **`traffic`** (collected email) | +| 3 — Content / artifact | TLS server certificate | X.509 cert | general | tls_certificate | moderate | `tls.server.x509.*`, `tls.server.issuer` ← `scertcname`/`scertissuer` (`utm.yml`); `sample_event.json`, SSL anomaly samples | **`utm`** (SSL inspection) | + +Layer 1 (invoked cloud/SaaS platform) does not apply — FortiGate is on-premises/network-edge telemetry, not a cloud API audit log. System/update/HA events target the FortiGate itself (`observer.name`, `observer.serial_number`) with no separate ECS target entity. + +### Target (ECS candidates) + +| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? 
| Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `destination.ip`, `destination.port`, `destination.mac`, `destination.nat.ip` | 2 | host | yes | partial | context-only (network peer) | no | ← `dstip`/`dstport`/`dstmac`/`tranip` (`traffic.yml`, `utm.yml`); network session far-end — correct for flow semantics, not audit `host.target.*` |
+| `destination.address` | 2 | host | yes | partial | `host.target.name` | yes | ← `dstname`/`daddr`/`dst_host` (`traffic.yml`, `event.yml`); hostname/FQDN of peer — de-facto host target name |
+| `destination.domain` | 2 | host | yes | partial | `host.target.name` | yes | ← `tls.client.server_name` via SNI (`utm.yml:528-533`); remote server name on UTM flows |
+| `destination.user.name` | 2 | user | yes (pipeline) | yes | `user.target.name` | **yes** | ← `fortinet.firewall.dstunauthuser` (`traffic.yml:115-117`); **de-facto Layer 2 user target** — destination-side unauthenticated identity on identity-aware traffic policies; appended to `related.user` (`default.yml:751-755`); **listed in `destination_identity_hits.csv`**.
**No test fixture** includes `dstunauthuser`; mapping is pipeline-proven only |
+| `destination.user.email` | 2 | user | no | n/a | `user.target.email` | **yes** | Declared in `ecs.yml`; **never populated** — `fortinet.firewall.dstcollectedemail` maps to `email.to.address` instead (`traffic.yml:105-108`, `utm.yml`) |
+| `destination.user.group.name` | 2 | user | no | n/a | `user.target.group.name` | yes | Declared in `ecs.yml`; no pipeline mapping; no vendor `dstgroup` rename found |
+| `fortinet.firewall.dstunauthusersource` | 2 | user | yes (vendor) | n/a | context / `user.target.*` | partial | Vendor field in `fields.yml`; passive-ID source for destination-side user (analogous to `unauthusersource` on source); not ECS-mapped |
+| `network.application`, `network.protocol`, `network.transport` | 2 | service | yes | yes | `service.target.name` | yes | ← `app`/`service`/`proto` (`traffic.yml`, `utm.yml`); inspected application layer |
+| `url.*` | 3 | general | yes | yes | context-only | no | `uri_parts`/`hostname`/`url` (`utm.yml`, `traffic.yml`); web content artifact |
+| `dns.question.name`, `dns.resolved_ip` | 3 | general | yes | yes | context-only | no | ← `qname`/`ipaddr` (`utm.yml`); DNS filter content |
+| `file.name`, `file.size`, `file.extension` | 3 | general | yes | yes | context-only | no | ← `filename`/`infectedfilename`/`matchedfilename` (`utm.yml`) |
+| `email.to.address` | 2/3 | user | yes | yes | `user.target.email` | yes | ← `recipient`/`dstcollectedemail` (`utm.yml`, `traffic.yml`); email recipient as de-facto user target |
+| `tls.server.x509.*`, `tls.server.issuer` | 3 | general | yes | yes | context-only | no | ← `scertcname`/`scertissuer`/cert fields (`utm.yml`) |
+| `fortinet.firewall.vpntunnel`, `.tunnelip`, `.tunneltype`, `.tunnelid`, `.assignip` | 2 | service | yes (vendor) | n/a | `service.target.name` | yes | Vendor-retained VPN tunnel identity; tunnel-up/tunnel-stats fixtures |
+| `fortinet.firewall.name`, `.ip`, `.fctuid` | 2 | host |
yes (vendor) | n/a | `host.target.name` | yes | FortiClient endpoint target; add/close fixtures (`test-fortinet-7-4.log-expected.json`) |
+| `fortinet.firewall.addr`, `.addrgrp` | 2 | host | yes (vendor) | n/a | `entity.target.id` | yes | Config-change address/group objects (`event.yml`); vendor-only |
+| `fortinet.firewall.authserver`, `.server` | 2 | general | yes (vendor) | n/a | `service.target.name` | yes | External auth/FSSO server reference; not ECS-mapped |
+| `fortinet.firewall.slatargetid` | 2 | general | yes (vendor) | n/a | `entity.target.id` | yes | SLA target ID in fields.yml / `test-fortinet-7-4.log-expected.json`; vendor-only |
+| `observer.name`, `observer.serial_number` | — | host | yes | n/a | context-only | no | Logging appliance identity (`default.yml`); observer, not acted-upon target |
+
+### Gaps and mapping notes
+
+- **No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*`** — target-fields audit confirms zero mapped official target fields; enhancement priority is **`strong_candidate`**.
+- **`destination.user.*` de-facto target analysis:**
+ - **`destination.user.name`** ← `fortinet.firewall.dstunauthuser` (`traffic.yml:115-117`) is the **only populated `destination.user.*` field**. Semantically it is a **de-facto Layer 2 user target**: the destination-side unauthenticated user identity FortiOS reports on identity-aware **traffic** policies (reverse/internal flows), **not** a network-flow far-end IP. Distinct from actor-side `source.user.name` ← `user`/`unauthuser`. **`Mapping correct? yes`** for audit-target semantics when populated. **`Enhancement candidate: yes`** → migrate to `user.target.name`. Listed in **`destination_identity_hits.csv`** (lines 94–95). **No test fixture** includes `dstunauthuser`; evidence is pipeline-only.
+ - **`destination.user.email`** — declared in `ecs.yml` but **never populated**.
`fortinet.firewall.dstcollectedemail` routes to **`email.to.address`** (`traffic.yml:105-108`) instead — email recipient semantics overlap with user-target email; consider dual-mapping to `user.target.email`.
+ - **`destination.user.group.name`** — declared in `ecs.yml`; **no pipeline mapping** and no vendor rename found.
+ - **`related.user`** aggregates both actor (`source.user.name`) and de-facto target user (`destination.user.name`) without role distinction (`default.yml:745-755`) — useful for correlation but obscures actor vs target analytics.
+- **`event.action` gaps — `type=event` logs:** `fortinet.firewall.action` carries rich operational verbs (`FSSO-logon`, `negotiate`, `tunnel-up`, `add`, `auth-logon`, `perf-stats`, …) but the pipeline never copies them to `event.action`. Only the **`eventtype` → `event.action`** fallback exists (`default.yml:375-380`), which UTM logs use but event logs lack. **Recommended enhancement:** `set` or `rename` `fortinet.firewall.action` → `event.action` in `event.yml` (or default pipeline for `type=event`) when `event.action` is null — same pattern as `traffic.yml`.
+- **Dual `action` semantics on UTM:** `event.action` holds the UTM module event name (`eventtype`, e.g. `app-ctrl-all`) while `fortinet.firewall.action` retains session outcome (`pass`, `block`, `detected`). Both are valid; do not collapse into one field without preserving outcome in `event.type`/`event.outcome`.
+- **`host.name`** maps **`srcname`** (source-side hostname) — actor-side enrichment, not a target field; do not interpret as `host.target.*`.
+- **`source.user.name`** from `unauthuser` on Kerberos-identified flows (`unauthusersource="kerberos"`) is the **actor** (initiating user), correctly distinct from **`destination.user.name`** (`dstunauthuser`) for reverse-destination identity.
+- **VPN `remip`/`locip` swap** (`event.yml`) inverts source/destination: remote client becomes actor (`source.*`), local FortiGate VPN endpoint becomes `destination.ip` — network-context destination, semantically the VPN service endpoint rather than an external target host.
+- **Admin login** events populate actor (`user.name`, `source.ip`) and `event.action: login`, but the accessed management plane is only partially captured as `destination.ip` when `dstip` is present; **`observer.*`** represents the FortiGate appliance, not the admin's target service.
+- **Vendor-only target identity** retained under `fortinet.firewall.*`: VPN tunnel metadata, FortiClient endpoint (`name`/`ip`/`fctuid`), config objects (`addr`/`addrgrp`), auth servers (`authserver`/`server`), SLA target ID — best sources for future ECS target migration.
+- **Alignment with target-fields audit:** `strong_candidate` with `pipeline_dest_identity=true` and `pipeline_actor=true` matches evidence — rich flow/auth actor identity via `source.user.*`, single de-facto `destination.user.name` target mapping, zero official `*.target.*` fields, strong fixture coverage except `dstunauthuser`.
+
+### Per-stream notes
+
+#### `log` — traffic (`fortinet.firewall.type=traffic`)
+
+Default actor is the **flow originator** (`source.ip`, optional `source.user.name`, `host.name`). Primary target is the **session peer** (`destination.ip`/`port`) and **inspected service** (`network.application`). **`event.action`** ← `fortinet.firewall.action` records session lifecycle (`accept`, `deny`, `close`, …). **`destination.user.name`** ← `dstunauthuser` is the de-facto destination-side user target when FortiOS reports it on reverse/internal identity-aware flows — the primary **`destination.user.*`** audit-target field for this integration. Proxy-policy traffic may add **`url.*`** as Layer 3 content.
+
+#### `log` — UTM / DNS (`type=utm` or `type=dns`)
+
+Same flow actor/target pattern as traffic.
**`event.action`** ← `fortinet.firewall.eventtype` (e.g. `app-ctrl-all`, `dns-query`, `signature`) via default-pipeline fallback; **`fortinet.firewall.action`** retains pass/block outcome separately. UTM adds Layer 3 targets: **`url.*`**, **`dns.question.name`**, **`file.*`**, **`tls.server.x509.*`**, and email-filter **`email.to.address`**. Identity-aware UTM populates **`source.user.name`** and retains **`fortinet.firewall.authserver`** vendor-side. No **`destination.user.*`** mapping in UTM pipeline — destination user identity is traffic-only.
+
+#### `log` — event (`type=event`)
+
+Semantics vary by **`subtype`**: **`vpn`** — remote client actor after IP swap, tunnel resource as vendor target, **`fortinet.firewall.action`** (`negotiate`, `tunnel-up`) unmapped to `event.action`; **`user`** — FSSO/auth logon subject as actor, actions (`FSSO-logon`, `auth-logon`) vendor-only; **`endpoint`** — FortiClient user as actor, endpoint device as vendor target; **`system`**/**`update`** — often no human actor, FortiGate itself is contextual target. **`event.action` gap** is largest here — operational verbs exist in vendor `action` but not ECS.
+
+#### `log` — login (message-triggered sub-pipeline)
+
+True admin authentication audit: **administrator user** actor (`user.name`, `user.roles`), **client host** (`source.ip`), **`event.action: login`** (static). Target is the **FortiGate management plane** (partially `destination.ip`). Distinct from flow-level `source.user.name` on traffic logs.
+
+## Example Event Graph
+
+Examples below come from the single **`fortinet_fortigate.log`** data stream. Traffic and UTM events are audit-adjacent network telemetry (firewall/UTM decisions); the admin **login** example is a true authentication audit log.
+
+### Example 1: Firewall traffic denied
+
+**Stream:** `fortinet_fortigate.log` · **Fixture:** `packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet.log-expected.json`
+
+```
+Host (10.10.10.10) → deny → Remote host (67.43.156.13:161, snmp)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | 10.10.10.10 |
+| type | host |
+| ip | 10.10.10.10 |
+
+**Field sources:**
+- `id` ← `source.ip`
+- `ip` ← `source.ip`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | deny |
+| source_field | `event.action` |
+| source_value | deny |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 67.43.156.13 |
+| name | snmp |
+| type | service |
+| ip | 67.43.156.13 |
+| geo | Bhutan |
+
+**Field sources:**
+- `id` ← `destination.ip`
+- `name` ← `network.protocol` (mapped from FortiOS `service="SNMP"`)
+- `ip` ← `destination.ip`
+- `geo` ← `destination.geo.country_name`
+
+#### Mermaid (optional)
+
+```mermaid
+flowchart LR
+ A["Actor: 10.10.10.10"] --> E["deny"]
+ E --> T["Target: 67.43.156.13 snmp"]
+```
+
+### Example 2: Web filter blocks denied URL category
+
+**Stream:** `fortinet_fortigate.log` · **Fixture:** `packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet.log-expected.json`
+
+```
+User (elasticuser, 192.168.2.1) → ftgd_blk → URL (elastic.co/config/)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| name | elasticuser |
+| type | user |
+| ip | 192.168.2.1 |
+
+**Field sources:**
+- `name` ← `source.user.name`
+- `ip` ← `source.ip`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | ftgd_blk |
+| source_field | `event.action` |
+| source_value | ftgd_blk |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| name | elastic.co/config/ |
+| type | general |
+| sub_type | url |
+| ip | 67.43.156.13 |
+| geo | Bhutan |
+
+**Field sources:**
+- `name` ← `url.domain`, `url.path`
+- `ip` ← `destination.ip` (remote web server peer on the blocked HTTPS session)
+- `geo`
← `destination.geo.country_name`
+
+#### Mermaid (optional)
+
+```mermaid
+flowchart LR
+ A["Actor: elasticuser"] --> E["ftgd_blk"]
+ E --> T["Target: elastic.co/config/"]
+```
+
+### Example 3: Administrator login to FortiGate
+
+**Stream:** `fortinet_fortigate.log` · **Fixture:** `packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet.log-expected.json`
+
+```
+User (philipp, 192.168.0.10) → login → FortiGate management (firewallhost01)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| name | philipp |
+| type | user |
+| ip | 192.168.0.10 |
+
+**Field sources:**
+- `name` ← `user.name`, `source.user.name`
+- `ip` ← `source.ip` (dissected from message `userfrom="JSON(192.168.0.10)"`)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | login |
+| source_field | `event.action` |
+| source_value | login |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| name | firewallhost01 |
+| type | service |
+
+**Field sources:**
+- `name` ← `observer.name` (FortiGate appliance management plane accessed by the admin session; fixture has no `destination.ip`)
+
+#### Mermaid (optional)
+
+```mermaid
+flowchart LR
+ A["Actor: philipp"] --> E["login"]
+ E --> T["Target: firewallhost01"]
+```
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (single `log` data stream from `manifest.yml`). Router: **`data_stream.dataset == "fortinet_fortigate.log"`** with secondary **`fortinet.firewall.type`** (`traffic`, `utm`, `dns`, `event`) and **`event.action == "login"`** for admin auth. Pass 4 is **fill-gaps-only**: detection flags (`actor_exists`, `target_exists`, `action_exists`) run first; every output column uses preserve-first `CASE` with valid arity — **3-arg** `CASE(col IS NOT NULL, col, fallback)` or **5-arg** `CASE(exists_flag, col, boolean_condition, fallback, null)` (never 4-arg with a bare field as the third argument).
No ECS `*.target.*` fields are populated at ingest today; fallbacks lift de-facto **`destination.*`** / vendor fields into `host.target.*`, `user.target.*`, `service.target.*`, and `entity.target.*`. **`destination.user.name`** maps to **`user.target.name`** in the fallback branch only (traffic, `dstunauthuser`). Admin **login** → **`service.target.name`** from `observer.name` (Pass 3), not self-referential user.
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `fortinet_fortigate.log` (traffic) | firewall session | user, host | host, service, user (dst) | full |
+| `fortinet_fortigate.log` (utm/dns) | UTM/IPS | user, host | host, service, general (url/file) | partial |
+| `fortinet_fortigate.log` (event) | VPN/auth/system | user, host | host, service | partial |
+| `fortinet_fortigate.log` (login) | admin auth | user, host | service | full |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.name` | `user.name` | `user.name IS NOT NULL` | high | **preserve existing** — column-level; `actor_exists` excludes `source.user.name` so flow identity can fall through |
+| `user.name` | `source.user.name` | `data_stream.dataset == "fortinet_fortigate.log" AND source.user.name IS NOT NULL` | high | **vendor fallback** — flow/VPN/FSSO/admin when `user.name` empty |
+| `host.ip` | `source.ip` | `data_stream.dataset == "fortinet_fortigate.log" AND source.ip IS NOT NULL` | high | **vendor fallback** — flow/VPN client endpoint |
+| `host.name` | `host.name` ← `fortinet.firewall.srcname` | `fortinet.firewall.type == "traffic"` | high | **ingest-only — no ES|QL** — pipeline sets `host.name`; no alternate query-time source |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence |
Notes |
+| --- | --- | --- | --- | --- |
+| `service.target.name` | `service.target.name` | `data_stream.dataset == "fortinet_fortigate.log"` | high | **preserve existing** |
+| `service.target.name` | `observer.name` | `data_stream.dataset == "fortinet_fortigate.log" AND event.action == "login"` | high | **semantic fallback** — FortiGate management plane (Pass 3) |
+| `service.target.name` | `network.application` | `data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.type IN ("traffic", "utm", "dns") AND network.application IS NOT NULL` | high | **vendor fallback** — inspected application |
+| `service.target.name` | `fortinet.firewall.vpntunnel` | `data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.subtype == "vpn" AND fortinet.firewall.vpntunnel IS NOT NULL` | high | **vendor fallback** — VPN tunnel resource |
+| `host.target.ip` | `host.target.ip` | `data_stream.dataset == "fortinet_fortigate.log"` | high | **preserve existing** |
+| `host.target.ip` | `destination.ip` | `data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.type IN ("traffic", "utm", "dns") AND destination.ip IS NOT NULL` | high | **de-facto destination.*** network peer |
+| `host.target.name` | `host.target.name` | `data_stream.dataset == "fortinet_fortigate.log"` | high | **preserve existing** |
+| `host.target.name` | `destination.address` | `data_stream.dataset == "fortinet_fortigate.log" AND destination.address IS NOT NULL` | high | **de-facto destination.*** — dstname/FQDN |
+| `host.target.name` | `destination.domain` | `data_stream.dataset == "fortinet_fortigate.log" AND destination.domain IS NOT NULL` | medium | **de-facto destination.*** — TLS SNI on UTM |
+| `user.target.name` | `user.target.name` | `data_stream.dataset == "fortinet_fortigate.log"` | high | **preserve existing** |
+| `user.target.name` | `destination.user.name` | `data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.type == "traffic" AND
destination.user.name IS NOT NULL` | medium | **de-facto destination.user.*** → `user.target.name` (`dstunauthuser`); pipeline-only, no fixture |
+| `user.target.email` | `user.target.email` | `data_stream.dataset == "fortinet_fortigate.log"` | high | **preserve existing** |
+| `user.target.email` | `email.to.address` | `data_stream.dataset == "fortinet_fortigate.log" AND email.to.address IS NOT NULL` | high | **de-facto destination.*** email recipient |
+| `entity.target.name` | `entity.target.name` | `data_stream.dataset == "fortinet_fortigate.log"` | high | **preserve existing** |
+| `entity.target.name` | `url.domain` | `data_stream.dataset == "fortinet_fortigate.log" AND url.domain IS NOT NULL` | high | **vendor fallback** — web filter URL target |
+
+#### Event action mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `event.action` | `event.action` | `data_stream.dataset == "fortinet_fortigate.log"` | high | **preserve existing** — traffic, UTM/DNS, login |
+| `event.action` | `fortinet.firewall.action` | `data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.type == "event" AND fortinet.firewall.action IS NOT NULL` | high | **vendor fallback** — FSSO/VPN/system verbs not copied at ingest |
+
+### Detection flags (mandatory — run first)
+
+`actor_exists` checks official actor ECS columns only — **`source.user.name` is excluded** so flow identity on `source.user.*` still falls through to `user.name`. `target_exists` checks official `*.target.*` columns only (ingest does not populate them today).
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+### Combined ES|QL — actor fields
+
+```esql
+| EVAL
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset == "fortinet_fortigate.log" AND source.user.name IS NOT NULL, source.user.name,
+ null
+ ),
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "fortinet_fortigate.log" AND source.ip IS NOT NULL, source.ip,
+ null
+ )
+```
+
+### Combined ES|QL — event action
+
+```esql
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.type == "event" AND fortinet.firewall.action IS NOT NULL, fortinet.firewall.action,
+ null
+ )
+```
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "fortinet_fortigate.log" AND event.action == "login", observer.name,
+ data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.type IN ("traffic", "utm", "dns") AND network.application IS NOT NULL, network.application,
+ data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.subtype == "vpn" AND fortinet.firewall.vpntunnel IS NOT NULL, fortinet.firewall.vpntunnel,
+ null
+ ),
+ host.target.ip = CASE(
+ host.target.ip IS NOT NULL,
host.target.ip,
+ data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.type IN ("traffic", "utm", "dns") AND destination.ip IS NOT NULL, destination.ip,
+ null
+ ),
+ host.target.name = CASE(
+ host.target.name IS NOT NULL, host.target.name,
+ data_stream.dataset == "fortinet_fortigate.log" AND destination.address IS NOT NULL, destination.address,
+ data_stream.dataset == "fortinet_fortigate.log" AND destination.domain IS NOT NULL, destination.domain,
+ null
+ ),
+ user.target.name = CASE(
+ user.target.name IS NOT NULL, user.target.name,
+ data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.type == "traffic" AND destination.user.name IS NOT NULL, destination.user.name,
+ null
+ ),
+ user.target.email = CASE(
+ user.target.email IS NOT NULL, user.target.email,
+ data_stream.dataset == "fortinet_fortigate.log" AND email.to.address IS NOT NULL, email.to.address,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "fortinet_fortigate.log" AND url.domain IS NOT NULL, url.domain,
+ null
+ )
+```
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = user.name IS NOT NULL OR host.ip IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR host.target.ip IS NOT NULL OR service.target.name IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset == "fortinet_fortigate.log" AND source.user.name IS NOT NULL, source.user.name,
+ null
+ ),
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "fortinet_fortigate.log" AND source.ip IS NOT NULL, source.ip,
+ null
+ ),
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.type == "event" AND fortinet.firewall.action IS NOT NULL,
fortinet.firewall.action,
+ null
+ ),
+ host.target.ip = CASE(
+ host.target.ip IS NOT NULL, host.target.ip,
+ data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.type IN ("traffic", "utm", "dns") AND destination.ip IS NOT NULL, destination.ip,
+ null
+ ),
+ host.target.name = CASE(
+ host.target.name IS NOT NULL, host.target.name,
+ data_stream.dataset == "fortinet_fortigate.log" AND destination.address IS NOT NULL, destination.address,
+ data_stream.dataset == "fortinet_fortigate.log" AND destination.domain IS NOT NULL, destination.domain,
+ null
+ ),
+ user.target.name = CASE(
+ user.target.name IS NOT NULL, user.target.name,
+ data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.type == "traffic" AND destination.user.name IS NOT NULL, destination.user.name,
+ null
+ ),
+ user.target.email = CASE(
+ user.target.email IS NOT NULL, user.target.email,
+ data_stream.dataset == "fortinet_fortigate.log" AND email.to.address IS NOT NULL, email.to.address,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "fortinet_fortigate.log" AND event.action == "login", observer.name,
+ data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.type IN ("traffic", "utm", "dns") AND network.application IS NOT NULL, network.application,
+ data_stream.dataset == "fortinet_fortigate.log" AND fortinet.firewall.subtype == "vpn" AND fortinet.firewall.vpntunnel IS NOT NULL, fortinet.firewall.vpntunnel,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "fortinet_fortigate.log" AND url.domain IS NOT NULL, url.domain,
+ null
+ )
+| KEEP @timestamp, data_stream.dataset, fortinet.firewall.type, event.action, user.name, host.ip, host.target.ip, host.target.name, user.target.name, user.target.email, service.target.name, entity.target.name
+```
+
+### Streams excluded
+
+*(none — single dataset with
`fortinet.firewall.type` sub-routing)*
+
+### Gaps and limitations
+
+- **`destination.user.name`** (`dstunauthuser`) — pipeline-proven (`traffic.yml`) but **no test fixture**; verify in production before relying on `user.target.name` fallback.
+- **`user.target.email`** — `destination.user.email` never populated; fallback uses `email.to.address` only when present.
+- **`type=event` action fallback** — ES|QL can surface `fortinet.firewall.action`; ingest enhancement still recommended (`event.yml`).
+- **`host.name` ← `srcname`** — **ingest-only**; omitted from actor `EVAL` (no alternate query-time source). Source-side hostname enrichment, not `host.target.*`.
+- **FortiClient endpoint targets** — `fortinet.firewall.name`/`ip`/`fctuid` vendor-only; omitted from ES|QL until ingest maps them.
+- **VPN remip/locip swap** — post-swap `destination.ip` is local FortiGate VPN endpoint, not external target host.
+- **`entity.target.type` / `target.entity.type`** — omitted; stream-level `CASE` routing is sufficient; never emit misnamed `target.entity.type`.
diff --git a/dev/domain/p1/gcp_vertexai.md b/dev/domain/p1/gcp_vertexai.md
new file mode 100644
index 00000000000..e4db3e94d84
--- /dev/null
+++ b/dev/domain/p1/gcp_vertexai.md
@@ -0,0 +1,465 @@
+# gcp_vertexai
+
+## Product Domain (Google Cloud Vertex AI)
+
+Google Cloud Vertex AI is a unified machine learning platform for building, deploying, and operating ML models and generative AI applications at enterprise scale. It consolidates model training, feature management, model registry, batch and online prediction, and MLOps workflows into a single Google Cloud service (`aiplatform.googleapis.com`). Organizations use Vertex AI to host custom models, consume publisher models from Model Garden (including Gemini and other foundation models), and expose them through endpoints for real-time or batch inference.
+
+The platform supports multiple deployment models. Provisioned Throughput provides dedicated capacity for high-volume, latency-sensitive workloads, while pay-as-you-go (shared) serving suits variable or batch workloads. Core resources include endpoints, deployed models, publisher models, and regional locations. Prediction traffic can be routed through methods such as RawPredict, StreamRawPredict, and ChatCompletions, with observability surfaced through Cloud Monitoring metrics and optional request-response logging to BigQuery.
+
+From a security and governance perspective, Vertex AI emits Cloud Audit Logs for API operations such as prediction, token counting, and resource management. These logs capture authentication identity, IAM authorization decisions, request and response metadata, and affected resource names. For generative AI workloads, Vertex AI can export detailed prompt-response interaction logs—including prompts, model outputs, token usage, latency, and safety ratings—to BigQuery for analysis, cost tracking, and compliance review.
+
+The Elastic GCP Vertex AI integration collects Cloud Monitoring metrics, Cloud Audit Logs via Pub/Sub, and prompt-response logs from BigQuery using Elastic Agent.
This enables observability teams to monitor model invocation rates, token consumption, latency, and error rates, while security and platform teams can audit API access patterns and inspect generative AI interactions across GCP projects.
+
+## Data Collected (brief)
+
+- **Metrics** (`gcp_vertexai.metrics`): Cloud Monitoring time series for Vertex AI endpoints and Model Garden publisher models, including invocation counts, token and character counts, prediction and first-token latencies, error counts, throughput consumption, and online prediction resource utilization (CPU, memory, network, replicas).
+- **Audit logs** (`gcp_vertexai.auditlogs`): Vertex AI Cloud Audit Logs delivered via Pub/Sub, including API method, authenticated principal, IAM authorization results, request/response payloads, resource names, service metadata, and source IP with user-agent enrichment.
+- **Prompt-response logs** (`gcp_vertexai.prompt_response_logs`): Generative AI interaction records exported to BigQuery, including full request contents (prompts, generation config, safety settings), model responses (candidates, finish reasons, safety ratings), token usage metadata, request latency, model and endpoint identifiers, and request IDs.
+
+## Expected Audit Log Entities
+
+The GCP Vertex AI integration spans three data streams with different actor/target semantics. **`auditlogs`** delivers true Cloud Audit Logs (`type.googleapis.com/google.cloud.audit.AuditLog`) via Pub/Sub with authenticated principals, IAM authorization, and resource names; the pipeline maps identity to ECS `client.user.*`, network context to `source.*` / `user_agent.*`, and appends `related.user` / `related.ip`. **`prompt_response_logs`** are BigQuery-exported generative AI interaction records—audit-adjacent content logs rich in model and prompt/response context but without an authenticated caller principal in schema or samples; the pipeline statically sets `cloud.service.name: vertex-ai`.
**`metrics`** are Cloud Monitoring time series with monitored-resource labels, not audit events. **`event.action` is populated on both log streams** — audit logs map GCP `methodName` (e.g. `PredictionService.CountTokens`, `LlmBidiService.BidiGenerateContent`); prompt-response logs copy `api_method` (e.g. `GenerateContent`). **`metrics`** has no per-event action (`event.action` absent; time-bucketed counters only). No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `destination.user.*` / `destination.host.*` fields are populated today. Evidence is from `data_stream/*/fields/fields.yml`, `data_stream/*/sample_event.json`, `data_stream/auditlogs/_dev/test/pipeline/test-vertexai.log-expected.json`, and ingest pipelines. The target-fields audit classified this package as **`strong_candidate`** with pipeline actor mapping on audit logs (`dev/target-fields-audit/out/target_enhancement_packages.csv`: `pipeline_actor=true`, all `ecs_target_tierA_audit` / `pipeline_dest_*` false); no `destination_identity_hits.csv` row. 
+ +### Event action (semantic) + +| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | +| `google.cloud.aiplatform.internal.PredictionService.CountTokens` | data_access | high | `auditlogs/sample_event.json`, `test-vertexai.log-expected.json` (2 fixtures) | **`auditlogs`** — token-count API call on a publisher model; IAM permission `aiplatform.endpoints.predict` | +| `google.cloud.aiplatform.v1beta1.LlmBidiService.BidiGenerateContent` | data_access | high | `test-vertexai.log-expected.json` (3 fixtures) | **`auditlogs`** — bidirectional generative content session (Gemini Live); includes aborted (`status.code: 10`) and successful completions | +| `GenerateContent` | data_access | high | `prompt_response_logs/sample_event.json`: `event.action: GenerateContent`, `api_method: GenerateContent` | **`prompt_response_logs`** — BigQuery-exported generative inference; shorter label than full GCP `methodName` on audit stream | +| *(no per-event action)* | — | high | `metrics/sample_event.json` — no `event.action`; pipeline renames counters only | **`metrics`** — Cloud Monitoring aggregates (`token_count`, `model_invocation_count`, etc.); dimensions describe the slice, not a single API verb | + +Audit **`auditlogs`** actions are full GCP API method names (`protoPayload.methodName`). Prompt-response logs use the shorter **`api_method`** facet from BigQuery export. These can correlate semantically (e.g. `GenerateContent` audit equivalent may appear as a longer `methodName` on the audit stream) but fixture sets do not share a common request ID for join proof. + +### Event action (ECS candidates) + +| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | +| `json.protoPayload.methodName` → `event.action` | yes | yes | `google.cloud.aiplatform.internal.PredictionService.CountTokens`, `google.cloud.aiplatform.v1beta1.LlmBidiService.BidiGenerateContent` | no | Audit pipeline L98–101: rename to `event.action`; all five `test-vertexai.log-expected.json` events | +| `gcp.vertexai.prompt_response_logs.api_method` → `event.action` | yes | yes | `GenerateContent` | no | Prompt-response pipeline L36–39: `copy_from` when `api_method` present; `sample_event.json` | +| `gcp.vertexai.audit.authorization_info[].permission` | no | n/a | `aiplatform.endpoints.predict` | partial | IAM permission evaluated alongside method; supplementary context, not a substitute for `methodName` | +| `gcp.vertexai.audit.authorization_info[].permission_type` | no | n/a | `DATA_READ` | no | Access class facet on audit fixtures; describes permission category, not the API operation | +| `log.logger` (audit log name suffix) | no | n/a | `cloudaudit.googleapis.com%2Fdata_access` | no | Distinguishes data-access vs admin-activity audit streams; log taxonomy, not per-call action | +| `event.type` / `event.category` | partial | partial | `[access, allowed]` / `[network, configuration]` (intended) | partial | Audit pipeline L154–165 appends when single `authorization_info` entry — but runs **before** `authorizationInfo` rename (L309–311), so fixtures omit these fields; ordering fix needed for outcome facets | +| `event.action` | yes (log streams) | yes | see rows above | no | Populated on **`auditlogs`** and **`prompt_response_logs`**; absent on **`metrics`** | + +**Step 2b — per-stream check:** + +| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? 
| Primary action candidate | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `auditlogs` | yes | yes | `protoPayload.methodName` → `event.action` | high | `auditlogs/elasticsearch/ingest_pipeline/default.yml` L98–101; `sample_event.json`, `test-vertexai.log-expected.json` | +| `prompt_response_logs` | yes | yes | `gcp.vertexai.prompt_response_logs.api_method` → `event.action` | high | `prompt_response_logs/elasticsearch/ingest_pipeline/default.yml` L36–39; `sample_event.json` | +| `metrics` | no | no | — (no per-event action) | high | `metrics/elasticsearch/ingest_pipeline/default.yml` — counter renames only; `metrics/sample_event.json` | + +### Actor (semantic) + +| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | +| Authenticated human user | user | — | high | `client.user.email` ← `gcp.vertexai.audit.authentication_info.principal_email` in audit pipeline (L291–295); fixtures `pc.cf@elastic.co`, `aff.brgd@elastic.co` in `test-vertexai.log-expected.json` | **`auditlogs`** — Google account email of API caller | +| Service account principal | user | service_account | high | `client.user.email` + `client.user.id` ← `principal_email` / `principal_subject` (L291–301); e.g. 
`serviceAccount:matt-adams-gimini-live-app@elastic-abs.iam.gserviceaccount.com` in BidiGenerateContent fixtures | **`auditlogs`** — workload identity for programmatic API calls | +| Service account key | general | gcp_service_account_key | moderate | `gcp.vertexai.audit.authentication_info.service_account_key_name` (IAM key resource URI); populated in BidiGenerateContent fixtures | **`auditlogs`** — OAuth credential used; supplementary to SA actor | +| Delegated / third-party identity | user | — | low | `gcp.vertexai.audit.authentication_info.service_account_delegation_info`, `third_party_principal`, `authority_selector` in `auditlogs/fields/fields.yml` | **`auditlogs`** — schema-supported; not populated in current fixtures | +| API caller (network endpoint) | host | — | high | `source.ip`, `source.geo.*`, `source.as.*` ← `requestMetadata.callerIp` (L222–263); IPv4 and IPv6 callers in fixtures | **`auditlogs`** — client IP of the HTTP/gRPC request; network origin, not a security principal | +| Client software | general | user_agent | moderate | `user_agent.original` ← `callerSuppliedUserAgent`; parsed device/OS/name (Chrome, Python/websockets) | **`auditlogs`** — application context, not an actor | +| GCP project (scope) | general | gcp_project | moderate | `cloud.project.id` ← `json.resource.labels.project_id` (audit pipeline L51–53); also on prompt-response samples | **`auditlogs`**, **`prompt_response_logs`** — tenancy scope, not an interactive actor | +| Integration collector | service | — | low | Elastic Agent GCP credentials in stream config; not indexed on events | Implicit poller for all streams | + +**No actor identity in schema or samples:** **`prompt_response_logs`** — no `client.user.*`, `user.*`, or authentication fields; `full_request.contents[].role: user` is conversational turn role, not a GCP principal. **`metrics`** — time-series aggregates only; no caller or user dimensions. 
**`prompt_response_logs`** `host.*` in `sample_event.json` is Elastic Agent collection metadata, not an event actor. + +### Actor (ECS candidates) + +| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `client.user.email` | Authenticated principal email | yes | yes | high | Audit pipeline L291–295: `authentication_info.principal_email` → `client.user.email`; fixtures show human and SA emails | +| `client.user.id` | Principal subject (SA / third-party) | yes | yes | high | Audit pipeline L298–301: `principal_subject` → `client.user.id`; SA fixtures include `serviceAccount:…` form | +| `gcp.vertexai.audit.authentication_info.principal_email` | Vendor actor email (retained) | yes (vendor) | yes | high | Renamed from protoPayload L72–74; coexists with ECS copy on `client.user.email` | +| `gcp.vertexai.audit.authentication_info.principal_subject` | Vendor principal subject (retained) | yes (vendor) | yes | high | Renamed L76–78; coexists with ECS copy on `client.user.id` | +| `gcp.vertexai.audit.authentication_info.service_account_key_name` | OAuth key credential | yes (vendor) | yes | moderate | Renamed L80–82; supplementary credential facet, not promoted to ECS | +| `related.user` | Actor cross-reference | partial | partial | moderate | Pipeline L270–274 appends `client.user.email`; not present in current `test-vertexai.log-expected.json` fixtures despite populated `client.user.email` | +| `related.ip` | Caller IP cross-reference | yes | yes | high | Pipeline L266–269 appends `source.ip`; populated in all audit fixtures | +| `source.ip` / `source.geo.*` / `source.as.*` | Caller network endpoint | yes | yes | high | Pipeline L222–263 from `callerIp`; geo/ASN enrichment | +| `user_agent.original` (+ parsed) | Client application | yes | yes | moderate | Pipeline L233–238 from `callerSuppliedUserAgent` | +| `user.id` / `user.*` | Actor identity | no | n/a | — | Not set; audit uses 
`client.user.*` per ECS Client field set for API callers | +| `destination.user.*` / `destination.host.*` | De-facto target identity | no | n/a | — | Not used (`destination_identity_hits.csv` has no `gcp_vertexai` row) | + +### Target (semantic) + +| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | --- | --- | +| 1 — Platform / cloud service | Invoked Google Cloud ML API | Vertex AI (`aiplatform.googleapis.com`) | service | — | high | `gcp.vertexai.audit.service_name: aiplatform.googleapis.com` in audit samples; `cloud.service.name: vertex-ai` statically set in prompt-response pipeline (L22–24) | **`auditlogs`** — vendor `service_name` only; **`prompt_response_logs`** — ECS-mapped Layer 1 | +| 2 — Resource / object | Publisher model or endpoint acted upon | Vertex AI model / endpoint resource | service | — | high | `gcp.vertexai.audit.resource_name`, `authorization_info[].resource` (e.g. `projects/.../publishers/google/models/gemini-2.0-flash-exp`); `gcp.vertexai.prompt_response_logs.model`, `full_request.model` | **`auditlogs`** — IAM-evaluated resource; **`prompt_response_logs`** — consumed model path | +| 2 — Resource / object | Deployed model / custom endpoint | Deployed model or endpoint ID | service | — | moderate | `gcp.vertexai.prompt_response_logs.deployed_model_id`, `endpoint`, `full_request.endpoint` in field schema; `gcp.labels.resource.endpoint_id`, `gcp.labels.metrics.deployed_model_id` on metrics | **`prompt_response_logs`** — absent in `sample_event.json`; **`metrics`** — label dimensions for endpoint slices | +| 2 — Resource / object | IAM authorization evaluation | Resource + permission pair | service | — | high | `gcp.vertexai.audit.authorization_info[].resource`, `.permission` (e.g. 
`aiplatform.endpoints.predict`), `.granted` driving `event.type` | **`auditlogs`** — allow/deny outcome on the accessed resource | +| 3 — Content / artifact | Generative AI interaction instance | Request / response pair | general | ai_request | high | `gcp.vertexai.prompt_response_logs.request_id`, `full_response.response_id` | **`prompt_response_logs`** — correlatable with **`auditlogs`** via timing/project, not a shared ID in fixtures | +| 3 — Content / artifact | Prompt and completion content | Prompt / model output text | general | ai_content | high | `full_request.contents[].parts[].text`, `full_response.candidates[].content.parts[].text`; token usage under `full_response.usage_metadata` | **`prompt_response_logs`** — compliance and safety review artifacts | +| 3 — Content / artifact | Model version facet | Model version string | general | model_version | high | `gcp.vertexai.prompt_response_logs.model_version`; `full_response.model_version` (e.g. `gemini-2.5-pro`) | **`prompt_response_logs`** — version dimension of Layer 2 model | +| 3 — Content / artifact | Time-bucket metric aggregate | Cloud Monitoring slice | general | usage_bucket | high | `@timestamp`, `metricset.period`, `gcp.vertexai.publisher.*` / `gcp.vertexai.prediction.online.*` counters; label dimensions `gcp.labels.resource.*`, `gcp.labels.metrics.*` | **`metrics`** — pre-aggregated counters/histograms, not per-invocation audit targets | + +**No meaningful audit target:** **`metrics`** individual prediction requests, prompts, or caller principals — metrics expose counts and latency keyed by label dimensions only. Per classification rule 10, model ID and endpoint labels are **aggregation targets**, not per-request audit targets. + +### Target (ECS candidates) + +| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `cloud.service.name` | 1 | service | partial | yes | `service.target.name` | yes (auditlogs) | Static `vertex-ai` in prompt-response pipeline L22–24; **`auditlogs`** has vendor `gcp.vertexai.audit.service_name` only (`aiplatform.googleapis.com`) | +| `service.name` / `service.type` | 1 | service | partial | yes | `service.target.name` | partial | Prompt-response pipeline L27–33 sets `service.name: vertex-ai`, `service.type: ai-platform`; not set on auditlogs or metrics | +| `gcp.vertexai.audit.service_name` | 1 | service | yes (vendor) | yes | `cloud.service.name` / `service.target.name` | yes | Audit samples and fixtures; canonical invoked API name, not promoted to ECS | +| `gcp.vertexai.audit.resource_name` | 2 | service | yes (vendor) | yes | `service.target.entity.id` / `gen_ai.request.model.id` | yes | Primary audit target URI (model, endpoint, dataset); e.g. `projects/.../models/gemini-2.0-flash-exp` in `sample_event.json` | +| `gcp.vertexai.audit.authorization_info[].resource` | 2 | service | yes (vendor) | yes | `service.target.entity.id` | yes | IAM-evaluated resource; mirrors `resource_name` in fixtures | +| `gcp.vertexai.audit.request.endpoint` / `.setup.model` | 2 | service | yes (vendor) | yes | `gen_ai.request.model.id` | yes | Request payload model path in CountTokens and BidiGenerateContent fixtures | +| `gcp.vertexai.prompt_response_logs.model` | 2 | service | yes (vendor) | yes | `gen_ai.request.model.id` | yes | e.g. 
`publishers/google/models/gemini-2.5-pro` in `sample_event.json`; not copied to ECS | +| `gcp.vertexai.prompt_response_logs.full_request.model` | 2 | service | yes (vendor) | yes | `gen_ai.request.model.id` | yes | Full resource path in prompt-response sample | +| `gcp.vertexai.prompt_response_logs.model_version` | 3 | general (model_version) | yes (vendor) | yes | `gen_ai.request.model.version` | partial | Version facet; natural ECS home is `gen_ai.request.model.version` | +| `gcp.vertexai.prompt_response_logs.request_id` | 3 | general (ai_request) | yes (vendor) | yes | context-only | partial | Interaction instance ID; correlate with auditlogs for caller attribution | +| `gcp.vertexai.prompt_response_logs.full_request.contents` / `full_response.candidates` | 3 | general (ai_content) | yes (vendor) | yes | `gen_ai.prompt` / `gen_ai.completion` | yes | Full prompt/response bodies retained vendor-only; no `gen_ai.*` promotion | +| `cloud.project.id` / `cloud.account.id` | — | general (gcp_project) | partial | yes | context-only | no | Tenancy scope on audit and prompt-response streams; metrics use `cloud.account.id` | +| `gcp.labels.resource.model_user_id` / `.endpoint_id` | 2 | service | yes (vendor) | yes | context-only | no | Metrics label dimensions (e.g. 
`gemini-1.5-flash-002`); aggregation targets, not per-request | +| `gcp.vertexai.prediction.online.target_replicas` | — | general (capacity_metric) | yes (vendor) | n/a | context-only | no | Capacity metric label per `vendor_target_special_cases.csv`; not an audit target entity | +| `gen_ai.request.model.id` / `gen_ai.*` | 2–3 | service / general | no | n/a | `gen_ai.request.model.id` | yes | Not set in any pipeline despite rich model and content fields on prompt-response logs | +| `user.target.*` / `host.target.*` / `service.target.*` / `entity.target.*` | — | — | no | n/a | — | no | Not populated (`target_fields_audit.csv` has no `gcp_vertexai` row) | +| `destination.user.*` / `destination.host.*` | — | — | no | n/a | — | no | Not used | + +### Gaps and mapping notes + +- **`event.action` well mapped on log streams:** Audit `methodName` → `event.action` (L98–101) and prompt-response `api_method` → `event.action` (L36–39) are correct primary mappings with fixture proof. **`metrics`** appropriately has no action. Optional enhancement: copy `authorization_info[].permission` as a secondary facet or normalize long GCP method names (e.g. strip service prefix) for dashboard grouping — not a gap today. +- **`event.type` / `event.category` pipeline ordering:** Intended allow/deny outcome facets (L154–165) reference `gcp.vertexai.audit.authorization_info` before the field is renamed from `json.protoPayload.authorizationInfo` (L309–311), so fixtures omit `event.type` / `event.category` despite populated authorization data — fix processor order or source field path. +- **Strong actor mapping on auditlogs only:** `pipeline_actor=true` in `target_enhancement_packages.csv`; `client.user.email` / `client.user.id` correctly trace to GCP `authenticationInfo` fields. No actor ECS promotion on **`prompt_response_logs`** — correlate `request_id` + project with **`auditlogs`** for caller identity. 
+- **Layer 1 gap on auditlogs:** `gcp.vertexai.audit.service_name` holds `aiplatform.googleapis.com` but is not copied to `cloud.service.name` (unlike prompt-response pipeline which statically sets `vertex-ai`). Static pipeline set would close Layer 1 ECS coverage for audit events. +- **No `gen_ai.*` normalization:** Prompt-response logs retain full model paths, prompts, completions, token usage, and safety ratings under `gcp.vertexai.prompt_response_logs.*` only. Natural enhancement: promote model ID → `gen_ai.request.model.id`, content → `gen_ai.prompt` / `gen_ai.completion`, usage → `gen_ai.usage.*`. +- **Resource URI not in official target fields:** `resource_name` and `authorization_info[].resource` semantically represent Layer 2 service targets but remain vendor-only. Enhancement candidate for `service.target.entity.id` or `gen_ai.request.model.id`. +- **`related.user` fixture drift:** Pipeline appends `related.user` from `client.user.email` (L270–274) but current `test-vertexai.log-expected.json` omits `related.user` despite populated `client.user.email` — verify fixture freshness. +- **No de-facto `destination.*` targets:** Unlike email/auth integrations, no pipeline maps affected entities to `destination.user.*` or `destination.host.*` (`destination_identity_hits.csv` has no row). +- **Metrics `target_replicas` is not an audit target:** Renamed from `gcp.metrics.prediction.online.target_replicas.value` (`vendor_target_special_cases.csv`); capacity planning metric, not ECS target semantics. +- **Conversational `role: user` vs security principal:** `full_request.contents[].role: user` in prompt-response logs is LLM message role; do not map to ECS `user.*` actor fields. + +### Per-stream notes + +#### auditlogs + +Cloud Audit Logs via Pub/Sub (`gcp-pubsub` input). Pipeline promotes `principal_email` → `client.user.email`, `principal_subject` → `client.user.id`, caller IP → `source.ip`, and sets **`event.action`** from `methodName` (e.g. 
`PredictionService.CountTokens`, `LlmBidiService.BidiGenerateContent`). Actor is best interpreted as **user** (human or service account) plus optional **service_account_key** credential; target is Layer 1 **Vertex AI API** (`service_name`) and Layer 2 **resource** named in `resource_name` / `authorization_info[].resource` (publisher models, endpoints). Data-access log type (`cloudaudit.googleapis.com%2Fdata_access`) dominates fixtures; admin activity logs follow the same field model. + +#### prompt_response_logs + +BigQuery table export via `gcp/metrics` input with `table_id`. Pipeline renames `gcp.vertexai_logs` → `gcp.vertexai.prompt_response_logs`, sets `cloud.service.name: vertex-ai`, `service.name: vertex-ai`, **`event.action`** from `api_method` (`GenerateContent`), and normalizes nested JSON to snake_case. No ECS actor promotion—security use cases rely on correlating `request_id` with **`auditlogs`**. Target is Layer 1 **Vertex AI** (ECS-mapped), Layer 2 **publisher model**, and Layer 3 **interaction content** (prompts, completions, token usage). + +#### metrics + +Cloud Monitoring time series for publisher online serving and endpoint online prediction. Pipeline renames `gcp.metrics.*` → `gcp.vertexai.*` counters/histograms. No actor and **no `event.action`** — label dimensions (`gcp.labels.resource.*`, `gcp.labels.metrics.*`) describe which model, endpoint, method, and traffic type the metric slice represents. Per-request audit targets and per-event actions do not apply. + +## Example Event Graph + +Examples below come from **`auditlogs`** (true Cloud Audit Logs via Pub/Sub) and **`prompt_response_logs`** (BigQuery-exported generative AI interaction records — audit-adjacent content logs without an indexed caller principal). The **`metrics`** stream is time-bucketed Cloud Monitoring counters only; it has no per-event Actor → action → Target chain. 
+
+### Example 1: Human user counts tokens on a publisher model
+
+**Stream:** `gcp_vertexai.auditlogs` · **Fixture:** `packages/gcp_vertexai/data_stream/auditlogs/_dev/test/pipeline/test-vertexai.log-expected.json` (event 1)
+
+```
+User (pc.cf@elastic.co) → google.cloud.aiplatform.internal.PredictionService.CountTokens → Publisher model (gemini-2.0-flash-exp)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | pc.cf@elastic.co |
+| name | pc.cf@elastic.co |
+| type | user |
+| geo | Milton, United States |
+| ip | 216.160.83.56 |
+
+**Field sources:**
+- `id` ← `client.user.email`
+- `name` ← `client.user.email`
+- `geo` ← `source.geo.city_name`, `source.geo.country_name`
+- `ip` ← `source.ip`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | google.cloud.aiplatform.internal.PredictionService.CountTokens |
+| source_field | `event.action` |
+| source_value | google.cloud.aiplatform.internal.PredictionService.CountTokens |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | projects/elastic-abs/locations/us-central1/publishers/google/models/gemini-2.0-flash-exp |
+| name | gemini-2.0-flash-exp |
+| type | service |
+| sub_type | foundation_model |
+
+**Field sources:**
+- `id` ← `gcp.vertexai.audit.resource_name`, `gcp.vertexai.audit.authorization_info[].resource`
+- `name` ← derived from resource URI tail segment in fixture
+
+#### Mermaid (optional)
+
+```mermaid
+flowchart LR
+ A["Actor: pc.cf@elastic.co"] --> E["CountTokens"]
+ E --> T["Target: gemini-2.0-flash-exp"]
+```
+
+### Example 2: Service account opens a Gemini Live session
+
+**Stream:** `gcp_vertexai.auditlogs` · **Fixture:** `packages/gcp_vertexai/data_stream/auditlogs/_dev/test/pipeline/test-vertexai.log-expected.json` (event 3)
+
+```
+Service account (matt-adams-gimini-live-app@elastic-abs.iam.gserviceaccount.com) → google.cloud.aiplatform.v1beta1.LlmBidiService.BidiGenerateContent → Publisher model (gemini-2.0-flash-live-preview-04-09)
+```
+
+#### Actor
+
+| Field | Value | +| --- | --- | +| id | serviceAccount:matt-adams-gimini-live-app@elastic-abs.iam.gserviceaccount.com | +| name | matt-adams-gimini-live-app@elastic-abs.iam.gserviceaccount.com | +| type | user | +| sub_type | service_account | +| geo | Changchun, China | +| ip | 175.16.199.14 | + +**Field sources:** +- `id` ← `client.user.id` +- `name` ← `client.user.email` +- `geo` ← `source.geo.city_name`, `source.geo.country_name` +- `ip` ← `source.ip` + +#### Event action + +| Field | Value | +| --- | --- | +| action | google.cloud.aiplatform.v1beta1.LlmBidiService.BidiGenerateContent | +| source_field | `event.action` | +| source_value | google.cloud.aiplatform.v1beta1.LlmBidiService.BidiGenerateContent | + +#### Target + +| Field | Value | +| --- | --- | +| id | projects/elastic-abs/locations/us-central1/publishers/google/models/gemini-2.0-flash-live-preview-04-09 | +| name | gemini-2.0-flash-live-preview-04-09 | +| type | service | +| sub_type | foundation_model | + +**Field sources:** +- `id` ← `gcp.vertexai.audit.resource_name`, `gcp.vertexai.audit.authorization_info[].resource` +- `name` ← derived from resource URI tail segment in fixture + +#### Mermaid (optional) + +```mermaid +flowchart LR + A["Actor: matt-adams-gimini-live-app SA"] --> E["BidiGenerateContent"] + E --> T["Target: gemini-2.0-flash-live-preview-04-09"] +``` + +### Example 3: Generative content inference (prompt-response log) + +**Stream:** `gcp_vertexai.prompt_response_logs` · **Fixture:** `packages/gcp_vertexai/data_stream/prompt_response_logs/sample_event.json` + +``` +(no indexed GCP principal) → GenerateContent → Publisher model (gemini-2.5-pro) + interaction (request_id 5374205265901353984) +``` + +No authenticated caller is indexed on this stream; correlate `gcp.vertexai.prompt_response_logs.request_id` with **`auditlogs`** for actor attribution. 
+ +#### Actor + +**Field sources:** no `client.user.*` or `user.*` fields populated in fixture; `full_request.contents[].role: user` is conversational turn role, not a GCP security principal. + +#### Event action + +| Field | Value | +| --- | --- | +| action | GenerateContent | +| source_field | `event.action` | +| source_value | GenerateContent | + +#### Target + +| Field | Value | +| --- | --- | +| id | projects/elastic-sa/locations/us-central1/publishers/google/models/gemini-2.5-pro | +| name | gemini-2.5-pro | +| type | service | +| sub_type | foundation_model | + +**Field sources:** +- `id` ← `gcp.vertexai.prompt_response_logs.full_request.model` +- `name` ← `gcp.vertexai.prompt_response_logs.model` (short form: `publishers/google/models/gemini-2.5-pro`); interaction instance `gcp.vertexai.prompt_response_logs.request_id: 5374205265901353984` + +#### Mermaid (optional) + +```mermaid +flowchart LR + A["Actor: (not indexed)"] --> E["GenerateContent"] + E --> T["Target: gemini-2.5-pro"] +``` + +## ES|QL Entity Extraction + +**Package type: agent-backed** (policy templates `GCP Vertex AI Metrics` / `GCP Vertex AI Logs`, three `data_stream/` dirs with Tier A `sample_event.json` and `auditlogs` `*-expected.json`). Router: **`data_stream.dataset`** (`gcp_vertexai.auditlogs`, `gcp_vertexai.prompt_response_logs`, `gcp_vertexai.metrics` per fixtures). Pass 4 is **fill-gaps-only**: detection flags run first; mapped columns use **column-level** **5-arg** / **7-arg** / **9-arg** `CASE( IS NOT NULL, , , , null)` — never **4-arg** `CASE( IS NOT NULL, , bare_vendor_field, null)` (bare field parses as a **condition**) or `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` — so ingest `service.name` on prompt-response logs does not block `user.id` ← `client.user.id` or `host.ip` ← `source.ip` on empty columns (Pass 4 §10). 
Ingest maps audit principals to **`client.user.*`** (ECS Client field set), not `user.*` — fallbacks promote `client.user.*` → `user.*` when the output column is null. **`event.action`** is populated on both log streams at ingest (`methodName`, `api_method`); **ingest-only — no ES|QL** action block. **`gcp_vertexai.metrics`** excluded (Cloud Monitoring aggregates). **Pass 4 (tautology cleanup):** no `CASE(col, col, …)`; vendor fallbacks (`client.user.*`, `source.ip`, `gcp.vertexai.audit.*`, `gcp.vertexai.prompt_response_logs.*`) differ from output columns; removed duplicate optional-classification `EVAL`. + +### Dataset inventory + +| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction | +| --- | --- | --- | --- | --- | +| `gcp_vertexai.auditlogs` | Cloud Audit Logs | user, host | service | full | +| `gcp_vertexai.prompt_response_logs` | GenAI interaction logs | — | service, general (ai_request) | partial | +| `gcp_vertexai.metrics` | Cloud Monitoring | — | — | none | + +### Field mapping plan + +#### Actor mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `user.id` | `client.user.id` | `data_stream.dataset == "gcp_vertexai.auditlogs" AND client.user.id IS NOT NULL` | high | **column-level preserve** (`user.id IS NOT NULL`); **vendor fallback** — SA `principal_subject` form in BidiGenerateContent fixtures | +| `user.name` | `client.user.email` | `data_stream.dataset == "gcp_vertexai.auditlogs" AND client.user.email IS NOT NULL` | high | **column-level preserve** (`user.name IS NOT NULL`); **vendor fallback** — human or SA email (`test-vertexai.log-expected.json`) | +| `user.email` | `client.user.email` | same | high | **column-level preserve**; **vendor fallback** | +| `host.ip` | `source.ip` | `data_stream.dataset == "gcp_vertexai.auditlogs" AND source.ip IS NOT NULL` | high | **column-level preserve** (`host.ip IS NOT NULL`); 
**vendor fallback** — API caller network origin (Pass 3 Examples 1–2) | + +#### Target mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `service.target.name` | literal `"Vertex AI"` | `data_stream.dataset == "gcp_vertexai.auditlogs"` | high | **column-level preserve** (`service.target.name IS NOT NULL`); **semantic literal** — Layer 1 platform (Pass 3); not `gcp.vertexai.audit.service_name` | +| `service.target.name` | `cloud.service.name` | `data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND cloud.service.name IS NOT NULL` | high | **column-level preserve**; **vendor fallback** — `cloud.service.name` → `service.target.name` (`vertex-ai` in `sample_event.json`; distinct from ingest `service.name`) | +| `service.target.id` | `gcp.vertexai.audit.resource_name` | `data_stream.dataset == "gcp_vertexai.auditlogs" AND gcp.vertexai.audit.resource_name IS NOT NULL` | high | **column-level preserve** (`service.target.id IS NOT NULL`); **vendor fallback** — publisher model / endpoint URI (Pass 3 Examples 1–2) | +| `service.target.id` | `gcp.vertexai.prompt_response_logs.full_request.model` | `data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND gcp.vertexai.prompt_response_logs.full_request.model IS NOT NULL` | high | **column-level preserve**; **vendor fallback** — full model path (`sample_event.json`) | +| `entity.target.name` | `gcp.vertexai.prompt_response_logs.model` | `data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND gcp.vertexai.prompt_response_logs.model IS NOT NULL` | high | **column-level preserve** (`entity.target.name IS NOT NULL`); **vendor fallback** — short model name | +| `entity.target.id` | `gcp.vertexai.prompt_response_logs.request_id` | `data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND gcp.vertexai.prompt_response_logs.request_id IS NOT NULL` | medium | **column-level preserve** (`entity.target.id IS NOT NULL`); 
**vendor fallback** — correlate with `auditlogs` for caller (Pass 3 Example 3) | +| `entity.target.sub_type` | literal `"foundation_model"` | both log datasets when model resource fields present | high | **column-level preserve** (`entity.target.sub_type IS NOT NULL`); **semantic literal** — Pass 3 target `sub_type` | + +#### Event action mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `event.action` | *(ingest)* | `data_stream.dataset IN ("gcp_vertexai.auditlogs", "gcp_vertexai.prompt_response_logs")` | high | **preserve existing** — `methodName` / `api_method` already copied at ingest; no ES\|QL fallback | + +### Detection flags (mandatory — run first) + +```esql +| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +``` + +**Predicate note:** `actor_exists` intentionally excludes `client.user.*` so audit events with only ECS Client principal fields still receive `user.*` promotion. `target_exists` is typically false today (no ingest `*.target.*`). `action_exists` is true on both log streams after ingest. 
**Actor/target `EVAL` blocks use column-level `IS NOT NULL` preserve** — not `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` — so ingest `service.name` on prompt-response logs does not block `client.user.*` → `user.*` or `source.ip` → `host.ip` when those output columns are empty (Pass 4 §10). + +**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. Wrong: `CASE(user.id IS NOT NULL, user.id, client.user.id, null)` (4 args — `client.user.id` is a **condition**). Wrong: `CASE(actor_exists, user.id, client.user.id, null)` (same). Right: **5-arg** `CASE(user.id IS NOT NULL, user.id, data_stream.dataset == "gcp_vertexai.auditlogs" AND client.user.id IS NOT NULL, client.user.id, null)`. **7-arg** when two dataset fallbacks apply (e.g. `service.target.name` audit literal vs `cloud.service.name`). **9-arg** for `service.target.id` and `entity.target.sub_type`. Detection flags are helpers only — not first `CASE` branches on mapped columns. + +### Combined ES|QL — actor fields + +```esql +| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset == "gcp_vertexai.auditlogs" AND client.user.id IS NOT NULL, client.user.id, + null + ), + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "gcp_vertexai.auditlogs" AND client.user.email IS NOT NULL, client.user.email, + null + ), + user.email = CASE( + user.email IS NOT NULL, user.email, + data_stream.dataset == "gcp_vertexai.auditlogs" AND client.user.email IS NOT NULL, client.user.email, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "gcp_vertexai.auditlogs" AND source.ip IS NOT NULL, source.ip, + null + ) +``` + +### Combined ES|QL — target fields + +```esql +| EVAL + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "gcp_vertexai.auditlogs", "Vertex AI", + data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND 
cloud.service.name IS NOT NULL, cloud.service.name, + null + ), + service.target.id = CASE( + service.target.id IS NOT NULL, service.target.id, + data_stream.dataset == "gcp_vertexai.auditlogs" AND gcp.vertexai.audit.resource_name IS NOT NULL, gcp.vertexai.audit.resource_name, + data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND gcp.vertexai.prompt_response_logs.full_request.model IS NOT NULL, gcp.vertexai.prompt_response_logs.full_request.model, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND gcp.vertexai.prompt_response_logs.model IS NOT NULL, gcp.vertexai.prompt_response_logs.model, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND gcp.vertexai.prompt_response_logs.request_id IS NOT NULL, gcp.vertexai.prompt_response_logs.request_id, + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "gcp_vertexai.auditlogs" AND gcp.vertexai.audit.resource_name IS NOT NULL, "foundation_model", + data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND gcp.vertexai.prompt_response_logs.model IS NOT NULL, "foundation_model", + null + ) +``` + +### Full pipeline fragment (optional) + +```esql +FROM logs-* +| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS 
NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +| EVAL + user.id = CASE(user.id IS NOT NULL, user.id, data_stream.dataset == "gcp_vertexai.auditlogs" AND client.user.id IS NOT NULL, client.user.id, null), + user.name = CASE(user.name IS NOT NULL, user.name, data_stream.dataset == "gcp_vertexai.auditlogs" AND client.user.email IS NOT NULL, client.user.email, null), + user.email = CASE(user.email IS NOT NULL, user.email, data_stream.dataset == "gcp_vertexai.auditlogs" AND client.user.email IS NOT NULL, client.user.email, null), + host.ip = CASE(host.ip IS NOT NULL, host.ip, data_stream.dataset == "gcp_vertexai.auditlogs" AND source.ip IS NOT NULL, source.ip, null), + service.target.name = CASE(service.target.name IS NOT NULL, service.target.name, data_stream.dataset == "gcp_vertexai.auditlogs", "Vertex AI", data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND cloud.service.name IS NOT NULL, cloud.service.name, null), + service.target.id = CASE(service.target.id IS NOT NULL, service.target.id, data_stream.dataset == "gcp_vertexai.auditlogs" AND gcp.vertexai.audit.resource_name IS NOT NULL, gcp.vertexai.audit.resource_name, data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND gcp.vertexai.prompt_response_logs.full_request.model IS NOT NULL, gcp.vertexai.prompt_response_logs.full_request.model, null), + entity.target.name = CASE(entity.target.name IS NOT NULL, entity.target.name, data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND gcp.vertexai.prompt_response_logs.model IS NOT NULL, gcp.vertexai.prompt_response_logs.model, null), + entity.target.id = CASE(entity.target.id IS NOT NULL, entity.target.id, data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND gcp.vertexai.prompt_response_logs.request_id IS NOT NULL, gcp.vertexai.prompt_response_logs.request_id, null), + entity.target.sub_type = CASE(entity.target.sub_type IS NOT NULL, entity.target.sub_type, data_stream.dataset == 
"gcp_vertexai.auditlogs" AND gcp.vertexai.audit.resource_name IS NOT NULL, "foundation_model", data_stream.dataset == "gcp_vertexai.prompt_response_logs" AND gcp.vertexai.prompt_response_logs.model IS NOT NULL, "foundation_model", null) +| KEEP @timestamp, data_stream.dataset, event.action, user.id, user.name, user.email, host.ip, service.target.name, service.target.id, entity.target.name, entity.target.id, entity.target.sub_type +``` + +### Streams excluded + +- **`gcp_vertexai.metrics`** — Cloud Monitoring time series; label dimensions (`gcp.labels.resource.*`, `gcp.labels.metrics.*`) are aggregation slices, not per-request audit targets; no `event.action` or caller principal. + +### Gaps and limitations + +- **Pass 4 tautology cleanup (§10)** — column-level `IS NOT NULL` preserve on all mapped columns; no `CASE(col, col, …)`; `event.action` **ingest-only — no ES|QL**; removed duplicate optional-classification `EVAL` (`entity.target.sub_type` lives in target block only); `cloud.service.name` → `service.target.name` is a cross-field promotion, not identity no-op. +- **Pass 4 CASE syntax** — combined actor/target blocks and the full pipeline fragment use odd-arity `CASE` (condition/value pairs + trailing `null`); column-level **5-arg** / **7-arg** / **9-arg** preserve (` IS NOT NULL` first branch). Never **4-arg** `CASE( IS NOT NULL, , bare_vendor_field, null)` or `CASE(actor_exists|target_exists|action_exists, , …)` where a bare field parses as a boolean condition. Full pipeline fragment aligned with combined `EVAL` blocks. +- **Unscoped `FROM logs-*`** — dataset routing lives in `CASE` fallback conditions (`data_stream.dataset == …` / `IN (…)`), not a top-level `WHERE`. +- **prompt_response_logs actor gap** — no `client.user.*` / `user.*` in schema or samples; correlate `entity.target.id` (`request_id`) + `cloud.project.id` with **`gcp_vertexai.auditlogs`** for caller identity (Pass 3 Example 3). 
+- **`user.domain`** — not indexed; derive from email omitted (low value for SA `serviceAccount:` subjects).
+- **`gen_ai.*` omitted** — prompt/completion/token fields remain vendor-only (`gcp.vertexai.prompt_response_logs.*`); ingest promotion is the preferred fix (Pass 2).
+- **`gcp.vertexai.audit.service_name`** (`aiplatform.googleapis.com`) — not mapped to `service.target.name`; semantic literal `"Vertex AI"` used for Layer 1 (Pass 3 platform target vs API hostname).
+- **`host.target.*` / `user.target.*`** — no de-facto `destination.*` or ingest targets (`destination_identity_hits.csv` has no row).
+- **Conversational `role: user`** in `full_request.contents` — LLM turn role, not a GCP security principal.
+- **Pass 2 alignment** — ingest-time `cloud.service.name` on auditlogs, `gen_ai.request.model.id`, and `*.target.*` remain preferred; Pass 4 fills gaps without overwriting populated values.
diff --git a/dev/domain/p1/gitlab.md b/dev/domain/p1/gitlab.md
new file mode 100644
index 00000000000..9f3497de07e
--- /dev/null
+++ b/dev/domain/p1/gitlab.md
@@ -0,0 +1,595 @@
+# gitlab
+
+## Product Domain
+
+GitLab is a DevSecOps platform that provides source code management, CI/CD pipelines, and integrated security capabilities in a single application. Organizations use GitLab to host Git repositories, manage merge requests and code review workflows, run automated builds and deployments, and enforce security scanning across the software development lifecycle. The platform is structured around hierarchical namespaces (groups and subgroups), projects, users, and roles, with both self-managed (Community Edition and Enterprise Edition) and SaaS (GitLab.com) deployment models.
+
+At its core, GitLab functions as a complete software delivery toolchain. Source code management covers repository hosting, branching, merge requests, and code review. CI/CD capabilities include pipeline configuration, job execution via GitLab Runners, artifact storage, and deployment to environments including Kubernetes and GitLab Pages for static site hosting. Security and compliance features span vulnerability scanning, secret detection, audit logging, access controls, and protected branches or paths. Background processing is handled by Sidekiq workers, while Gitaly provides Git repository storage services.
+
+From a security and operations perspective, GitLab generates extensive structured logs across its Rails web application, REST/GraphQL API, authentication layer, audit subsystem, and background job infrastructure. These logs capture user and administrative activity, configuration changes, API access patterns, authentication anomalies, rate-limiting events, and application performance metrics. Security teams monitor GitLab instances to detect unauthorized access, policy violations, repository exposure changes, and abusive API or Git protocol requests.
+
+The Elastic GitLab integration ingests these server-side log files via Elastic Agent filestream input, parsing JSON-formatted logs into ECS-aligned fields. This enables security operations to correlate GitLab activity with broader SIEM data, investigate audit trails for group and project changes, detect authentication abuse, and monitor API and web application behavior on self-hosted GitLab instances.
+
+## Data Collected (brief)
+
+- **API logs** (`gitlab.api`): HTTP requests to the GitLab REST API, including method, path, route, status, duration, database/Redis/Gitaly performance metrics, correlation IDs, and user/project metadata.
+- **Application logs** (`gitlab.application`): Internal application events such as user creation, project deletion, merge request processing, and worker activity, with caller IDs, feature categories, and user/project context.
+- **Audit logs** (`gitlab.audit`): Changes to group or project settings and memberships, including entity type, target details, author, and before/after values (e.g., visibility changes).
+- **Auth logs** (`gitlab.auth`): Authentication-related events including protected-path abuse, rate-limit violations (Rack Attack), remote IP, request method/path, and rate-limiting gate details.
+- **Pages logs** (`gitlab.pages`): GitLab Pages static site hosting activity, including HTTP request metadata, response status, duration, and daemon events.
+- **Production logs** (`gitlab.production`): Rails web controller requests with action, controller, status, duration, GraphQL query details, and database/Redis performance metrics.
+- **Sidekiq logs** (`gitlab.sidekiq`): Background job execution for long-running or scheduled workers, including job class, queue, duration, retry status, and Gitaly/database call statistics.
+
+## Expected Audit Log Entities
+
+Seven filestream data streams ingest self-hosted GitLab JSON logs. Only **`gitlab.audit`** is a native audit trail (`author_*`, `target_*`, `entity_*`, `change`/`from`/`to`). **`gitlab.application`** is audit-adjacent (lifecycle messages with actor meta). **`gitlab.api`**, **`gitlab.production`**, **`gitlab.auth`**, and **`gitlab.pages`** are HTTP/access telemetry. **`gitlab.sidekiq`** is background job execution. No stream populates ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*`; no `destination.user.*` / `destination.host.*` in pipelines (`destination_identity_hits.csv` has no gitlab row). The target-fields audit classifies gitlab as **`moderate_candidate`** with `pipeline_actor=true`, `fixture_strong=true`, and no ECS target tier-A mapping (`dev/target-fields-audit/out/target_enhancement_packages.csv`).
+
+**`event.action` is populated only on `gitlab.production`** — pipeline rename `gitlab.production.action` → `event.action` (`production/default.yml` L77–80). All other streams retain vendor operation names under `gitlab.*` or derive coarse `event.type` / `event.outcome` from message grok on **`gitlab.application`** without setting `event.action`. Evidence: `packages/gitlab/data_stream/*/sample_event.json`, `*/_dev/test/pipeline/*-expected.json`, `*/elasticsearch/ingest_pipeline/default.yml`, `*/fields/fields.yml`.
+
+### Event action (semantic)
+
+GitLab logs express operations differently per stream: Rails controller actions on production, Rack Attack gate names on auth, REST route templates on API, Sidekiq job lifecycle on sidekiq, and audit attribute changes on audit. Only production promotes the Rails `action` field to ECS.
+ +| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | +| `index` | api_call | high | `test-gitlab-production.log-expected.json`: `MetricsController#index`, `RootController#index`, `Dashboard::GroupsController#index` | **`gitlab.production`** — mapped to `event.action` | +| `activity` | data_access | high | Production fixture: `DashboardController#activity` → `event.action: activity` | **`gitlab.production`** | +| `execute` | api_call | high | Production fixture: `GraphqlController#execute` with `operation_name: getDashboardIssues` | **`gitlab.production`** — GraphQL handler action | +| `create` | administration | high | Production fixture: `RegistrationsController#create`; application message `User "test23" … was created` | **`gitlab.production`** mapped; **`gitlab.application`** vendor message only | +| `new` | authentication | high | Production fixtures: `SessionsController#new`, `RegistrationsController#new` | **`gitlab.production`** — sign-in/sign-up form renders | +| `manifest` | api_call | medium | Production fixture: `PwaController#manifest` | **`gitlab.production`** | +| `opensearch` | api_call | medium | Production fixture: `SearchController#opensearch` | **`gitlab.production`** | +| `issues` / `users` | data_access | medium | Production fixtures: `DashboardController#issues`, `UsersController#users` | **`gitlab.production`** | +| `SessionsController#create` | authentication | high | Audit login fixture: `gitlab.audit.meta.caller_id`; application login message `Successful Login: username=root` | **`gitlab.audit`**, **`gitlab.application`** — not mapped to `event.action` | +| `visibility` (attribute change) | configuration_change | high | Audit fixture: `change=visibility`, `from=Private`, `to=Public` on Project | **`gitlab.audit`** — `gitlab.audit.change` vendor-only | +| `Successful Login` / `Failed Login` | authentication | high | Application fixtures: grok on 
`gitlab.application.message`; sets `event.outcome` success/failure | **`gitlab.application`** — message text, not `event.action` | +| `User/Group/Project … was created/removed` | administration | high | Application fixtures: grok sets `event.type: creation/deletion` | **`gitlab.application`** — lifecycle verbs in message | +| `GET /api/:version/geo/proxy` | api_call | high | API fixture: `event.provider` ← `meta.caller_id`; `route=/api/:version/geo/proxy` | **`gitlab.api`** — HTTP route template as provider, not `event.action` | +| `blocklist` / `throttle` | detection | high | Auth fixtures: `gitlab.auth.env`; `matched=throttle_unauthenticated_api`, `throttle_authenticated_api` | **`gitlab.auth`** — Rack Attack gate | +| `Rack_Attack` | detection | high | Auth fixtures: `gitlab.auth.message` on all blocklist/throttle events | **`gitlab.auth`** — generic event label | +| `access` | api_call | high | Pages HTTP fixtures: `gitlab.pages.msg=access`, `method=GET`, `uri=/` | **`gitlab.pages`** — static site HTTP access | +| `done` / `start` | api_call | high | Sidekiq fixtures: `job_status=done/start`; `class=UpdateAllMirrorsWorker`, `MergeRequestCleanupRefsWorker` | **`gitlab.sidekiq`** — job lifecycle phase | + +### Event action (ECS candidates) + +| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | +| `gitlab.production.action` → `event.action` | yes | yes | `index`, `activity`, `execute`, `create`, `new`, `manifest`, `opensearch`, `issues`, `users` | no | `production/default.yml` L77–80; all production pipeline fixtures | +| `event.provider` ← `meta.caller_id` | n/a (provider, not action) | yes | `GraphqlController#execute`, `RootController#index`, `GET /api/:version/projects` | partial | Production + API pipelines; complements but does not replace `event.action` | +| `gitlab.audit.meta.caller_id` | no | n/a | `SessionsController#create` | yes | Login audit fixture; Rails handler names the operation | +| `gitlab.audit.change` | no | n/a | `visibility` | yes | Visibility-change audit fixture; attribute-level action | +| `gitlab.audit.change` + `target_type` (composite) | no | n/a | `visibility-change-on-Project` | yes | Combines verb + entity type when `change` alone is ambiguous | +| `gitlab.application.message` (grok) | no | partial | `Successful Login`, `Failed Login`, `User "test23" … was created`, `Group "elastic_group" was removed` | yes | Grok extracts identity + sets `event.outcome`/`event.type`; message prefix is natural action label | +| `gitlab.application.meta.caller_id` / `meta.root_caller_id` | no | n/a | `ProjectCacheWorker`, `ProjectsController#create`, `Admin::GroupsController#destroy` | yes | Worker/controller chain; alternate to message text | +| `gitlab.api.meta.caller_id` / `route` | no | partial | `GET /api/:version/geo/proxy`, `/api/:version/projects` | yes | `meta.caller_id` → `event.provider`; `route` is route template | +| `http.request.method` + `url.path` | partial (ECS, not action) | partial | `GET /api/v4/projects` | partial | Mapped on api/auth/pages/production; HTTP surface when no vendor action field | +| `gitlab.auth.env` | no | n/a | `blocklist`, `throttle` | yes | Primary Rack Attack gate discriminator | +| `gitlab.auth.matched` | no | n/a | `throttle_unauthenticated_api`, 
`throttle_authenticated_api` | yes | Finer-grained rate-limit rule name | +| `gitlab.auth.message` | no | n/a | `Rack_Attack` | partial | Generic; prefer `env` or `matched` | +| `gitlab.pages.msg` | no | n/a | `access` | yes | HTTP access events; daemon startup uses free-text `msg` | +| `gitlab.sidekiq.job_status` + `class` | no | n/a | `UpdateAllMirrorsWorker:done`, `MergeRequestCleanupRefsWorker:start` | yes | Job class + lifecycle phase | +| `event.type` / `event.outcome` (application) | n/a (downstream) | partial | `creation`, `deletion`; `success`/`failure` on login | partial | Derived from message grok — do not substitute for `event.action` | + +**Step 2b — per-stream check:** + +| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `gitlab.audit` | no | no | `gitlab.audit.meta.caller_id` (login); `gitlab.audit.change` (setting edits) | high | `test-audit.log-expected.json`; no `event.action` in pipeline | +| `gitlab.application` | no | no | `gitlab.application.message` (grok prefix); alternate `meta.root_caller_id` | high | `test-application.log-expected.json`; grok + `event.outcome`/`event.type` only | +| `gitlab.api` | no | no | `gitlab.api.meta.caller_id` or `route` | high | `test-gitlab-api.log-expected.json`; `event.provider` only | +| `gitlab.auth` | no | no | `gitlab.auth.env` + `gitlab.auth.matched` | high | `test-auth.log-expected.json`: `blocklist`, `throttle_*` | +| `gitlab.pages` | no | no | `gitlab.pages.msg` (`access`); `http.request.method` + `gitlab.pages.uri` | high | `test-pages.log-expected.json` | +| `gitlab.production` | yes (all fixtures) | yes | `gitlab.production.action` | high | `production/default.yml` L77–80; `test-gitlab-production.log-expected.json` | +| `gitlab.sidekiq` | no | no | `gitlab.sidekiq.class` + `gitlab.sidekiq.job_status` | high | `test-gitlab-sidekiq.log-expected.json` | + +### Actor (semantic) + +| 
Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | +| Audit author (administrator) | user | — | high | `author_id` → `user.id`, `author_name` → `user.name` (`audit/default.yml`); login fixture: `author_name=Administrator`, visibility fixture: `John Doe4` | **`gitlab.audit`** — canonical audit actor | +| Audit session user (request meta) | user | — | high | `gitlab.audit.meta.user` / `meta.user_id` / `meta.client_id` (`user/1`); login fixture: session `root` vs author `Administrator`; **not** copied to ECS `user.*` | **`gitlab.audit`** — request-context principal; may differ from author | +| Application / worker acting user | user | — | high | `meta.user_id` → `user.id`, `meta.user` → `user.name`; `related.user` also gets `meta.gl_user_id`, `user_id` | **`gitlab.application`** — actor when meta present; grok can overwrite `user.*` on lifecycle messages (see Gaps) | +| REST API authenticated caller | user | — | medium | `user_id` → `user.id`, `username` → `user.name`; `related.user` from `user_id`/`username`/`meta.gl_user_id` | **`gitlab.api`** — only when `user_id` present; anonymous geo proxy calls have `meta.client_id=ip/…` only | +| Rails web authenticated caller | user | — | medium | `user_id` → `user.id`, `username` → `user.name` | **`gitlab.production`** — authenticated dashboard/API/GraphQL; anonymous PWA/sign-in pages omit `user.*` | +| Auth rate-limit subject | user | — | low | `user_id` → `user.id`; `meta.user` expanded but not renamed to ECS | **`gitlab.auth`** — one throttled fixture (`user_id=2`, `meta.user=test`); most Rack Attack events are IP-only | +| Client source IP | host | — | high | `meta.remote_ip` / `remote_ip` → `client.ip` + `source` copy (audit, application, auth); `remote_ip` → `source.ip` (api, production, pages) | All streams except **`gitlab.sidekiq`** (no IP in fixtures) — network origin, not GitLab identity | +| Sidekiq worker / cron initiator | 
service | Sidekiq worker | medium | `gitlab.sidekiq.class`, `meta.caller_id`, `meta.root_caller_id=Cronjob`, `meta.client_id=ip/` | **`gitlab.sidekiq`**, **`gitlab.application`** (worker messages) — no ECS `user.*`; system-initiated | +| Pages daemon OS user | user | — | low | `uid` → `user.id` on daemon startup | **`gitlab.pages`** — OS unprivileged user (`998`), not a GitLab account | + +**No actor identity:** **`gitlab.sidekiq`** fixtures (cron `UpdateAllMirrorsWorker`, `MergeRequestCleanupRefsWorker`) carry worker class and correlation ID only. **`gitlab.auth`** blocklist/throttle events are predominantly IP + `url.path` with no user. + +### Actor (ECS candidates) + +| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `user.id` | Audit author; API/production caller; application meta actor | yes (stream-dependent) | yes (audit, api, production); partial (application) | high | Audit: `author_id` rename; API: `user_id` rename; production: `user_id` rename; application: `meta.user_id` rename — grok overwrites on User create/remove messages | +| `user.name` | Audit author; API/production username; application meta actor | yes (stream-dependent) | yes (audit, api, production); partial (application) | high | Same pipeline sources; application grok sets target username on `User "…" was created/removed` | +| `user.email` | Login/lifecycle subject | partial | partial | medium | Application grok only (`User "…" (email) was created/removed`); encodes **target** user on admin create, not actor | +| `client.ip` / `source.ip` | Client network origin | yes | yes | high | Audit/application/auth: `meta.remote_ip` → `client.ip` + `source` copy; api/production/pages: `remote_ip` → `source.ip` | +| `related.user` | Actor + target enrichment bag | yes | partial | high | Audit appends author + User-type `target_id`/`target_details`/`entity_id`; application/api append meta ids; conflates actor and target | 
+| `gitlab.audit.meta.user` / `meta.user_id` | Session user (distinct from author) | no (vendor-only) | n/a | high | Login audit fixture: `meta.user=root` while `user.name=Administrator` | +| `gitlab.audit.meta.client_id` | Auth mode (`user/{id}` vs `ip/…`) | no | n/a | high | `user/1` on authenticated audit login | +| `gitlab.application.meta.user` / `meta.user_id` | Acting user for workers/controllers | partial | yes when grok does not run | high | Mapped to `user.*`; survives in `related.user` when grok overwrites | +| `gitlab.application.meta.caller_id` / `meta.root_caller_id` | Controller/worker class chain | no | n/a | medium | e.g. `ProjectsController#create` → `ProjectCacheWorker`; `Cronjob` root on batch workers | +| `gitlab.api.meta.user` / `meta.user_id` | Request-context user (duplicate of top-level on authed calls) | no | n/a | medium | Stays vendor-only; ECS uses top-level `user_id`/`username` | +| `gitlab.auth.meta.user` | Throttled API username | no | n/a | low | Dot-expanded only; `user.id` comes from top-level `user_id` | +| `gitlab.production.meta.user` / `meta.user_id` | Request-context user | no | n/a | medium | Vendor-only; ECS uses top-level `user_id`/`username` | +| `organization.id` | GitLab organization scope | partial | yes (scope) | low | `meta.organization_id` → `organization.id` on api, application, production when present | +| `event.provider` | Controller/route handler | yes | yes (context) | medium | API: `meta.caller_id`; production: `meta.caller_id` → `event.provider` | +| `process.pid` / `process.name` | Rails/Puma/Sidekiq process | yes | yes (context) | medium | api/production/auth/sidekiq pipelines | + +### Target (semantic) + +| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | --- | --- | +| 1 — Platform service | GitLab Rails/API/Pages instance handling the request | Self-hosted GitLab | service | — | medium | 
`host.name` ← `url.domain` (api) or Pages bind; `event.provider` ← controller/route; no `cloud.service.name` | **`gitlab.api`**, **`gitlab.production`**, **`gitlab.pages`** — invoked application tier | +| 2 — Resource / object | GitLab domain entity acted upon | User, Project, Group, etc. | general | User, Project, Group, MergeRequest, … | high (audit); medium (application); low (HTTP) | Audit: `target_type`/`target_id`/`target_details`, `entity_type`/`entity_id`; application: grok `group.name`, `project_name`, `model`/`model_id`; production: `params.new_user.*`, `assignee_username` | **`gitlab.audit`** canonical; other streams infer from path/params/message | +| 3 — Content / artifact | Attribute change, HTTP resource, or job instance | visibility change; URL path; Sidekiq JID | general | setting_change, url_endpoint, background_job | high (audit change); medium (HTTP); low (sidekiq) | Audit: `change`/`from`/`to` (e.g. visibility Private→Public); HTTP: `url.path`, `gitlab.pages.uri`; sidekiq: `jid`, `class` | Layer 3 complements Layer 2 on audit setting edits | + +### Target (ECS candidates) + +| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `gitlab.audit.target_type` | 2 | general | no | n/a | `entity.target.*` (type discriminator) | yes | `User`, `Project` in fixtures; production also emits Group, DeployKey, etc. 
|
+| `gitlab.audit.target_id` | 2 | general | no | n/a | `entity.target.id` | yes | `target_id=1` (User login), `2` (Project visibility) |
+| `gitlab.audit.target_details` | 2 | general | no | n/a | `entity.target.name` | yes | `Administrator`, `namespace2/project2` |
+| `gitlab.audit.entity_type` / `entity_id` | 2 | general | no | n/a | `entity.target.*` | yes | Changed entity; often equals target on same-object edits |
+| `gitlab.audit.change` / `from` / `to` | 3 | general | no | n/a | context-only | no | Attribute delta (e.g. `change=visibility`) |
+| `related.user` (User-type audit targets) | 2 | user | partial | partial | `user.target.*` | yes | Pipeline appends `target_id`/`target_details`/`entity_id` when type=User — de-facto target bag, not `user.target.*` |
+| `group.name` (application grok) | 2 | general | yes | yes | `entity.target.name` (Group) | yes | `Group "elastic_group" was created/removed` fixtures |
+| `gitlab.application.project_name` (grok) | 2 | general | yes | yes | `entity.target.name` (Project) | yes | Project create/delete messages |
+| `gitlab.application.meta.project` / `project_id` | 2 | general | no | n/a | `entity.target.name` / `.id` | yes | Worker context, e.g. `root/test_1` |
+| `gitlab.application.model` / `model_id` | 2 | general | no | n/a | `entity.target.*` | yes | e.g. 
`ProjectStatistics` / `1` |
+| `gitlab.application.mergeability.merge_request_id` | 2 | general | no | n/a | `entity.target.id` | yes | MR mergeability worker events |
+| `url.path` / `gitlab.pages.uri` | 3 | general | yes | yes (HTTP resource) | context-only | no | API route, Git upload-pack path, Pages URI — endpoint, not typed GitLab entity |
+| `gitlab.production.params.new_user.*` | 2 | user | no | n/a | `user.target.*` | yes | Registration create: username/email in params map |
+| `host.name` (api/pages) | 1 | service | yes | yes (server endpoint) | context-only | no | `localhost`, `127.0.0.1:8090` — serving host, not acted-upon resource |
+| `gitlab.api.target_duration_s` / `gitlab.production.target_duration_s` / `gitlab.sidekiq.target_duration_s` | — | — | yes | no (misnamed) | n/a | no | Rails performance SLA seconds — **not** entity targets |
+| `gitlab.sidekiq.target_scheduling_latency_s` | — | — | yes | no (misnamed) | n/a | no | Sidekiq scheduling metric, not entity target |
+| `gitlab.sidekiq.class` / `jid` | 3 | service | no | n/a | context-only | no | Background job identity; worker is actor, job is artifact |
+
+### Gaps and mapping notes
+
+- **`event.action` populated on production only** — six of seven streams leave vendor operation names unmapped. Primary enhancement candidates: audit `meta.caller_id` / `change`; application message grok prefix; API `meta.caller_id` or `route`; auth `env` + `matched`; pages `msg`; sidekiq `class` + `job_status`.
+- **Application uses `event.type`/`event.outcome` without `event.action`** — login grok sets `event.outcome: success/failure` and lifecycle messages set `event.type: creation/deletion`, but no normalized action string (e.g. `user-created`, `login-failed`).
+- **API duplicates action semantics in `event.provider`** — `meta.caller_id` (e.g. `GET /api/:version/projects`) names the operation but is classified as provider, not action. 
+- **No ECS `*.target.*` today** — audit `target_*` / `entity_*` remain vendor-only except User IDs/names appended to `related.user`. Enhancement: map typed targets to `entity.target.*` or `user.target.*` / `service.target.*` by `target_type`.
+- **`user.*` actor/target conflation on application lifecycle grok** — grok runs after `meta.user_id` → `user.id` rename; on `User "test23" … was created`, `user.name`/`user.email` hold the **created user** (target) while `related.user` retains actor `root`/`1`. On cron `User "test11" … was removed` with no meta, `user.*` is target-only with no actor ECS field.
+- **Audit login: author vs session user** — `user.*` = author (`Administrator`); session user `root` stays in `gitlab.audit.meta.user` only. User-type target also lands in `related.user`, mixing actor and target in one array.
+- **`meta.user` not promoted on api/production/auth/audit** — duplicate identity stays vendor-only even when top-level `user_id`/`username` absent; auth throttling exposes `meta.user=test` without ECS `user.name`.
+- **No `destination.user.*` / `destination.host.*`** — production pipeline geo-enriches `destination.ip` if present in raw JSON, but fixtures do not populate it; not used as de-facto audit target.
+- **Performance homonyms** — `target_duration_s` / `target_scheduling_latency_s` flagged in `vendor_target_special_cases.csv` as false-positive `*target*` paths.
+- **Target-fields audit alignment** — `moderate_candidate`: strong vendor audit targets and actor pipeline mappings, but no tier-A ECS target fields and no destination-identity pattern.
+
+### Per-stream notes
+
+#### `gitlab.audit`
+
+True audit stream. Actor: `author_*` → `user.*`. Target: `target_*` + `entity_*` + `change`/`from`/`to` vendor-only. **Action:** no `event.action`; login → `meta.caller_id=SessionsController#create`; visibility change → `change=visibility`. Login event: target User equals session subject; visibility event: target Project with attribute change. 
`meta.feature_category=system_access`.
+
+#### `gitlab.application`
+
+Audit-adjacent lifecycle and worker logs. Actor from `meta.user_*` when present; login/logout grok extracts username + `source.ip`. **Action:** message grok drives `event.outcome`/`event.type` but not `event.action`; candidates are message prefix (`Successful Login`, `was created`) or `meta.root_caller_id`. Group/project/user CRUD via message grok → `group.name`, `project_name`, or target `user.name`/`user.email`. Workers chain `meta.caller_id` → `meta.root_caller_id` (e.g. `GroupDestroyWorker` ← `Admin::GroupsController#destroy`).
+
+#### `gitlab.api`
+
+REST request telemetry. Authenticated calls: `user_id`/`username` → `user.*`, token metadata vendor-only (`token_type`, `token_id`). Anonymous calls: `source.ip` only. **Action:** no `event.action`; `meta.caller_id` → `event.provider` (e.g. `GET /api/:version/projects`); `route` holds path template. `url.path` + `route` identify API surface; `meta.project` when scoped.
+
+#### `gitlab.production`
+
+Rails controller/GraphQL access. **`event.action`** ← `gitlab.production.action` (`index`, `execute`, `create`, …); **`event.provider`** ← `meta.caller_id`. `params` map holds form targets (registration, assignee filters). GraphQL `operation_name` and variables in vendor fields. Mix of authenticated (`root`) and anonymous requests.
+
+#### `gitlab.auth`
+
+Rack Attack blocklist/throttle/protected-path abuse. Mostly IP + HTTP method/path (`/group/project.git/info/refs`, `/api/v4/users?…`). **Action:** `env` (`blocklist`, `throttle`) + `matched` rate-limit rule; generic `message=Rack_Attack`. Rate-limited authenticated API is the only user-identified fixture.
+
+#### `gitlab.pages`
+
+GitLab Pages daemon and HTTP access logs. Access events: `source.ip`, `host.name`, `gitlab.pages.uri`, status/duration; **`msg=access`**. Daemon startup maps OS `uid` → `user.id` (low-confidence GitLab actor). No GitLab user accounts on access fixtures. 
+
+#### `gitlab.sidekiq`
+
+Background job start/done/retry. Actor is the worker (`class`, `meta.caller_id`); optional `meta.root_caller_id=Cronjob`. **Action:** `job_status` (`start`, `done`) + worker `class`; no `event.action`. No user identity in fixtures. `target_duration_s` is a Sidekiq/Rails SLA metric, not an entity.
+
+## Example Event Graph
+
+Examples below come from **`gitlab.audit`** (native audit trail), **`gitlab.production`** (Rails web access with ECS `event.action`), and **`gitlab.auth`** (Rack Attack rate-limit/blocklist telemetry). Audit events are true audit logs; production and auth streams are audit-adjacent HTTP/access telemetry.
+
+### Example 1: Project visibility change
+
+**Stream:** `gitlab.audit` · **Fixture:** `packages/gitlab/data_stream/audit/sample_event.json`
+
+```
+John Doe4 → visibility → namespace2/project2 (Project)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | 3 |
+| name | John Doe4 |
+| type | user |
+
+**Field sources:**
+- `id` ← `user.id` (renamed from `author_id`)
+- `name` ← `user.name` (renamed from `author_name`)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | visibility |
+| source_field | `gitlab.audit.change` |
+| source_value | visibility |
+
+Not mapped to ECS `event.action` today. 
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 2 |
+| name | namespace2/project2 |
+| type | general |
+| sub_type | Project |
+
+**Field sources:**
+- `id` ← `gitlab.audit.target_id`
+- `name` ← `gitlab.audit.target_details`
+- `sub_type` ← `gitlab.audit.target_type`
+
+#### Mermaid (optional)
+
+```mermaid
+flowchart LR
+ A["Actor: John Doe4"] --> E["visibility"]
+ E --> T["Target: namespace2/project2"]
+```
+
+### Example 2: GraphQL dashboard query
+
+**Stream:** `gitlab.production` · **Fixture:** `packages/gitlab/data_stream/production/_dev/test/pipeline/test-gitlab-production.log-expected.json`
+
+```
+root → execute → iam/test (Project)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | 1 |
+| name | root |
+| type | user |
+| ip | 192.168.65.1 |
+
+**Field sources:**
+- `id` ← `user.id` (renamed from `user_id`)
+- `name` ← `user.name` (renamed from `username`)
+- `ip` ← `source.ip` (renamed from `remote_ip`)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | execute |
+| source_field | `event.action` |
+| source_value | execute |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| name | iam/test |
+| type | general |
+| sub_type | Project |
+
+**Field sources:**
+- `name` ← `gitlab.production.graphql[].variables` (`projectPath` in `getDashboardIssues` operation)
+- `sub_type` inferred from GraphQL `operation_name: getDashboardIssues` scoped to a project path
+
+#### Mermaid (optional)
+
+```mermaid
+flowchart LR
+ A["Actor: root"] --> E["execute"]
+ E --> T["Target: iam/test"]
+```
+
+### Example 3: Git protocol blocklist
+
+**Stream:** `gitlab.auth` · **Fixture:** `packages/gitlab/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json`
+
+```
+67.43.156.18 → blocklist → /group/project.git/info/refs
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| type | host |
+| geo | Bhutan |
+| ip | 67.43.156.18 |
+
+**Field sources:**
+- `ip` ← `source.ip` / `client.ip` (renamed from `remote_ip`)
+- `geo` ← 
`source.geo.country_name`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | blocklist |
+| source_field | `gitlab.auth.env` |
+| source_value | blocklist |
+
+Not mapped to ECS `event.action` today.
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| name | /group/project.git/info/refs |
+| type | general |
+| sub_type | git_endpoint |
+
+**Field sources:**
+- `name` ← `url.path`
+- `sub_type` inferred from Git smart-HTTP path (`service=git-upload-pack` in `url.query`)
+
+#### Mermaid (optional)
+
+```mermaid
+flowchart LR
+ A["Actor: 67.43.156.18"] --> E["blocklist"]
+ E --> T["Target: /group/project.git/info/refs"]
+```
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (`policy_templates`, seven filestream data streams with Tier A fixtures per `packages/gitlab/data_stream/*/sample_event.json` and `*-expected.json`). Router: **`data_stream.dataset`** (`gitlab.api`, `gitlab.application`, `gitlab.audit`, `gitlab.auth`, `gitlab.pages`, `gitlab.production`, `gitlab.sidekiq`). Secondary discriminators: **`gitlab.audit.meta.caller_id`**, **`gitlab.audit.target_type`**, **`gitlab.audit.change`**, **`event.action`** (production only at ingest). Pass 4 is **fill-gaps-only**: detection flags (`actor_exists`, `target_exists`, `action_exists`) run first for query semantics; mapped columns use **column-level** `CASE( IS NOT NULL, , …)` — valid **5-arg**, **7-arg**, or **9-arg** paired branches with a trailing `null` default — not `CASE(actor_exists|target_exists|action_exists, , …)` (a populated sibling actor/target/action field must not block fallbacks on an empty column; Pass 4 §10). Ingest does not populate ECS `*.target.*` today — fallbacks promote vendor audit fields and grok lifecycle targets. **`gitlab.audit` login** (`SessionsController#create`) → **`service.target.name`** `"GitLab"` (Pass 3 platform target), not self-referential `user.target.*` from `target_details`. **`gitlab.sidekiq`** excluded. 
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `gitlab.audit` | audit | user, host | user, service, general (Project/Group) | full |
+| `gitlab.application` | audit-adjacent lifecycle | user, host | user, general (Group/Project) | partial |
+| `gitlab.api` | REST telemetry | user, host | general (route/API surface) | partial |
+| `gitlab.auth` | Rack Attack | host | general (git endpoint) | partial |
+| `gitlab.pages` | static site access | host | general (URI) | partial |
+| `gitlab.production` | Rails web access | user, host | — | partial (actor/action only) |
+| `gitlab.sidekiq` | background jobs | service | — | none |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.id` | `user.id` | `data_stream.dataset IN ("gitlab.audit", "gitlab.application", "gitlab.api", "gitlab.production")` | high | **ingest-only — no ES|QL** — audit `author_id`, api/production `user_id`, application `meta.user_id`; no query-time vendor path when empty |
+| `user.name` | `user.name` | `data_stream.dataset IN ("gitlab.audit", "gitlab.application", "gitlab.api", "gitlab.production")` | high | **ingest-only — no ES|QL** — application grok may hold **target** user on `User "…" was created` (see Gaps) |
+| `host.ip` | `host.ip` | `data_stream.dataset IN ("gitlab.api", "gitlab.auth", "gitlab.pages", "gitlab.production")` | high | **preserve existing** |
+| `host.ip` | `source.ip` | `data_stream.dataset IN ("gitlab.api", "gitlab.auth", "gitlab.pages", "gitlab.production") AND source.ip IS NOT NULL` | high | **vendor fallback** — `remote_ip` rename |
+| `host.ip` | `client.ip` | `data_stream.dataset IN ("gitlab.audit", "gitlab.application", "gitlab.auth") AND client.ip IS NOT NULL` | high | **vendor fallback** — `meta.remote_ip` rename |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `service.target.name` | `service.target.name` | `data_stream.dataset == "gitlab.audit"` | high | **preserve existing** |
+| `service.target.name` | `"GitLab"` | `data_stream.dataset == "gitlab.audit" AND gitlab.audit.meta.caller_id == "SessionsController#create"` | medium | **semantic literal** — login platform target (Pass 3); not `target_details` User |
+| `user.target.id` | `user.target.id` | `data_stream.dataset == "gitlab.audit"` | high | **preserve existing** |
+| `user.target.id` | `TO_STRING(gitlab.audit.target_id)` | `data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type == "User" AND gitlab.audit.meta.caller_id != "SessionsController#create"` | high | **vendor fallback** |
+| `user.target.name` | `user.target.name` | `data_stream.dataset == "gitlab.audit"` | high | **preserve existing** |
+| `user.target.name` | `gitlab.audit.target_details` | `data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type == "User" AND gitlab.audit.meta.caller_id != "SessionsController#create"` | high | **vendor fallback** |
+| `entity.target.id` | `entity.target.id` | `data_stream.dataset == "gitlab.audit"` | high | **preserve existing** |
+| `entity.target.id` | `TO_STRING(gitlab.audit.target_id)` | `data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type == "Project"` | high | **vendor fallback** — visibility fixture `target_id=2` |
+| `entity.target.name` | `entity.target.name` | `data_stream.dataset IN ("gitlab.audit", "gitlab.application", "gitlab.api", "gitlab.auth", "gitlab.pages")` | high | **preserve existing** |
+| `entity.target.name` | `gitlab.audit.target_details` | `data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type == "Project"` | high | **vendor fallback** |
+| `entity.target.name` | `group.name` | `data_stream.dataset == "gitlab.application" AND group.name IS 
NOT NULL` | high | **vendor fallback** — grok Group create/remove (`test-application.log-expected.json`) |
+| `entity.target.name` | `gitlab.application.project_name` | `data_stream.dataset == "gitlab.application" AND gitlab.application.project_name IS NOT NULL` | high | **vendor fallback** — grok project CRUD |
+| `entity.target.name` | `gitlab.application.meta.project` | `data_stream.dataset == "gitlab.application" AND gitlab.application.project_name IS NULL AND gitlab.application.meta.project IS NOT NULL` | medium | **vendor fallback** — worker context (e.g. `elastic_group/rag_ai`) |
+| `entity.target.name` | `gitlab.api.route` | `data_stream.dataset == "gitlab.api" AND gitlab.api.route IS NOT NULL` | medium | **vendor fallback** — REST route template as API surface |
+| `entity.target.name` | `url.path` | `data_stream.dataset == "gitlab.auth"` | high | **vendor fallback** — Git smart-HTTP endpoint (Pass 3 blocklist example) |
+| `entity.target.name` | `gitlab.pages.uri` | `data_stream.dataset == "gitlab.pages" AND gitlab.pages.msg == "access"` | high | **vendor fallback** — Pages HTTP resource |
+| `entity.target.sub_type` | `entity.target.sub_type` | `data_stream.dataset == "gitlab.audit"` | high | **preserve existing** |
+| `entity.target.sub_type` | `gitlab.audit.target_type` | `data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type IS NOT NULL AND gitlab.audit.meta.caller_id != "SessionsController#create"` | high | **vendor fallback** — `User`, `Project`, … |
+| `entity.target.sub_type` | `"git_endpoint"` | `data_stream.dataset == "gitlab.auth"` | medium | **semantic literal** — Pass 3 git protocol path target |
+
+#### Event action mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `event.action` | `event.action` | `data_stream.dataset == "gitlab.production"` | high | **preserve existing** — ingest `gitlab.production.action` rename |
+| `event.action` | 
`gitlab.audit.change` | `data_stream.dataset == "gitlab.audit" AND gitlab.audit.change IS NOT NULL` | high | **vendor fallback** — e.g. `visibility` |
+| `event.action` | `gitlab.audit.meta.caller_id` | `data_stream.dataset == "gitlab.audit" AND gitlab.audit.change IS NULL` | high | **vendor fallback** — e.g. `SessionsController#create` login |
+| `event.action` | `gitlab.application.meta.root_caller_id` | `data_stream.dataset == "gitlab.application" AND gitlab.application.meta.root_caller_id IS NOT NULL` | medium | **vendor fallback** — worker chain root |
+| `event.action` | `gitlab.application.meta.caller_id` | `data_stream.dataset == "gitlab.application" AND gitlab.application.meta.root_caller_id IS NULL AND gitlab.application.meta.caller_id IS NOT NULL` | medium | **vendor fallback** |
+| `event.action` | `gitlab.auth.env` | `data_stream.dataset == "gitlab.auth"` | high | **vendor fallback** — `blocklist`, `throttle` |
+| `event.action` | `gitlab.api.route` | `data_stream.dataset == "gitlab.api" AND gitlab.api.route IS NOT NULL` | medium | **vendor fallback** — route template when no ingest action |
+| `event.action` | `gitlab.pages.msg` | `data_stream.dataset == "gitlab.pages" AND gitlab.pages.msg IS NOT NULL` | high | **vendor fallback** — e.g. `access` |
+
+### Detection flags (mandatory — run first)
+
+Standard predicate covers user/host/service/entity actor columns populated at ingest on audit, api, application, and production streams. **`host.ip` is included** in `actor_exists` (client/source network origin on HTTP streams). No ECS `*.target.*` at ingest — `target_exists` is false until Pass 4 fallbacks run on the same query. **Actor/target/action `EVAL` blocks use column-level preserve** (` IS NOT NULL`) — not `CASE(actor_exists, host.ip, …)` / `CASE(target_exists, entity.target.name, …)` / `CASE(action_exists, event.action, …)` — so e.g. `user.id` on audit does not block `host.ip` ← `source.ip` when `host.ip` is empty (Pass 4 §10). 
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. Never **4-arg** `CASE(host.ip IS NOT NULL, host.ip, source.ip, null)` — the 3rd arg `source.ip` is a **condition**, not a value. Use **5-arg** `CASE(host.ip IS NOT NULL, host.ip, data_stream.dataset IN (…), source.ip, null)` or **7-arg** multi-fallback chains. Never **4-arg** `CASE(actor_exists, host.ip, source.ip, null)` (`source.ip` parses as a condition).
+
+### Combined ES|QL — actor fields
+
+`user.id` and `user.name` omitted — ingest populates them on audit/api/application/production streams; no alternate indexed source for Pass 4 fallback (avoids `CASE(user.id IS NOT NULL, user.id, …, user.id, null)` tautology). 
+
+```esql
+| EVAL
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset IN ("gitlab.api", "gitlab.auth", "gitlab.pages", "gitlab.production") AND source.ip IS NOT NULL, source.ip,
+ data_stream.dataset IN ("gitlab.audit", "gitlab.application", "gitlab.auth") AND client.ip IS NOT NULL, client.ip,
+ null
+ )
+```
+
+### Combined ES|QL — event action
+
+```esql
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.change IS NOT NULL, gitlab.audit.change,
+ data_stream.dataset == "gitlab.audit", gitlab.audit.meta.caller_id,
+ data_stream.dataset == "gitlab.application" AND gitlab.application.meta.root_caller_id IS NOT NULL, gitlab.application.meta.root_caller_id,
+ data_stream.dataset == "gitlab.application" AND gitlab.application.meta.caller_id IS NOT NULL, gitlab.application.meta.caller_id,
+ data_stream.dataset == "gitlab.auth", gitlab.auth.env,
+ data_stream.dataset == "gitlab.api" AND gitlab.api.route IS NOT NULL, gitlab.api.route,
+ data_stream.dataset == "gitlab.pages" AND gitlab.pages.msg IS NOT NULL, gitlab.pages.msg,
+ null
+ )
+```
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.meta.caller_id == "SessionsController#create", "GitLab",
+ null
+ ),
+ user.target.id = CASE(
+ user.target.id IS NOT NULL, user.target.id,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type == "User" AND gitlab.audit.meta.caller_id != "SessionsController#create", TO_STRING(gitlab.audit.target_id),
+ null
+ ),
+ user.target.name = CASE(
+ user.target.name IS NOT NULL, user.target.name,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type == "User" AND gitlab.audit.meta.caller_id != "SessionsController#create", gitlab.audit.target_details,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, 
entity.target.id,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type == "Project", TO_STRING(gitlab.audit.target_id),
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type == "Project", gitlab.audit.target_details,
+ data_stream.dataset == "gitlab.application" AND group.name IS NOT NULL, group.name,
+ data_stream.dataset == "gitlab.application" AND gitlab.application.project_name IS NOT NULL, gitlab.application.project_name,
+ data_stream.dataset == "gitlab.application" AND gitlab.application.meta.project IS NOT NULL, gitlab.application.meta.project,
+ data_stream.dataset == "gitlab.api" AND gitlab.api.route IS NOT NULL, gitlab.api.route,
+ data_stream.dataset == "gitlab.auth", url.path,
+ data_stream.dataset == "gitlab.pages" AND gitlab.pages.msg == "access", gitlab.pages.uri,
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type IS NOT NULL AND gitlab.audit.meta.caller_id != "SessionsController#create", gitlab.audit.target_type,
+ data_stream.dataset == "gitlab.auth", "git_endpoint",
+ null
+ )
+```
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL 
+| EVAL
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset IN ("gitlab.api", "gitlab.auth", "gitlab.pages", "gitlab.production") AND source.ip IS NOT NULL, source.ip,
+ data_stream.dataset IN ("gitlab.audit", "gitlab.application", "gitlab.auth") AND client.ip IS NOT NULL, client.ip,
+ null
+ ),
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.change IS NOT NULL, gitlab.audit.change,
+ data_stream.dataset == "gitlab.audit", gitlab.audit.meta.caller_id,
+ data_stream.dataset == "gitlab.application" AND gitlab.application.meta.root_caller_id IS NOT NULL, gitlab.application.meta.root_caller_id,
+ data_stream.dataset == "gitlab.application" AND gitlab.application.meta.caller_id IS NOT NULL, gitlab.application.meta.caller_id,
+ data_stream.dataset == "gitlab.auth", gitlab.auth.env,
+ data_stream.dataset == "gitlab.api" AND gitlab.api.route IS NOT NULL, gitlab.api.route,
+ data_stream.dataset == "gitlab.pages" AND gitlab.pages.msg IS NOT NULL, gitlab.pages.msg,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.meta.caller_id == "SessionsController#create", "GitLab",
+ null
+ ),
+ user.target.id = CASE(
+ user.target.id IS NOT NULL, user.target.id,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type == "User" AND gitlab.audit.meta.caller_id != "SessionsController#create", TO_STRING(gitlab.audit.target_id),
+ null
+ ),
+ user.target.name = CASE(
+ user.target.name IS NOT NULL, user.target.name,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type == "User" AND gitlab.audit.meta.caller_id != "SessionsController#create", gitlab.audit.target_details,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type == "Project", 
TO_STRING(gitlab.audit.target_id),
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type == "Project", gitlab.audit.target_details,
+ data_stream.dataset == "gitlab.application" AND group.name IS NOT NULL, group.name,
+ data_stream.dataset == "gitlab.application" AND gitlab.application.project_name IS NOT NULL, gitlab.application.project_name,
+ data_stream.dataset == "gitlab.application" AND gitlab.application.meta.project IS NOT NULL, gitlab.application.meta.project,
+ data_stream.dataset == "gitlab.api" AND gitlab.api.route IS NOT NULL, gitlab.api.route,
+ data_stream.dataset == "gitlab.auth", url.path,
+ data_stream.dataset == "gitlab.pages" AND gitlab.pages.msg == "access", gitlab.pages.uri,
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "gitlab.audit" AND gitlab.audit.target_type IS NOT NULL AND gitlab.audit.meta.caller_id != "SessionsController#create", gitlab.audit.target_type,
+ data_stream.dataset == "gitlab.auth", "git_endpoint",
+ null
+ )
+| KEEP @timestamp, data_stream.dataset, event.action, user.id, user.name, host.ip, service.target.name, entity.target.name, entity.target.sub_type
+```
+
+### Streams excluded
+
+- **`gitlab.sidekiq`** — background job execution metrics; `class`/`jid` describe workers and job artifacts, not human actor/target audit semantics (`test-gitlab-sidekiq.log-expected.json`).
+
+### Gaps and limitations
+
+- **`user.id` / `user.name` actor columns** — populated at ingest only; omitted from actor `EVAL` (no vendor fallback distinct from output column per Pass 4 tautology rule). 
+- **`gitlab.application` grok conflation** — on `User "…" was created`, ingest `user.name`/`user.email` hold the **created user** (target) while actor may only appear in `related.user`; Pass 4 does not remap ingest `user.*` to `user.target.*` (would overwrite when `user.id` / `user.name` are already populated).
+- **Pass 4 CASE syntax (§10)** — actor/target/action `EVAL` uses column-level `CASE( IS NOT NULL, , …)`; detection flags remain query-time helpers only; full pipeline fragment aligned with combined blocks.
+- **Unscoped `FROM logs-*`** — dataset routing lives in `CASE` fallback conditions (`data_stream.dataset IN (…)`), not a top-level `WHERE`.
+- **`gitlab.audit.meta.user`** — session user (`root`) distinct from author (`Administrator`); remains vendor-only — no `user.name` fallback from `gitlab.audit.meta.user`.
+- **`gitlab.production` GraphQL project targets** — `gitlab.production.graphql.variables` is a Ruby-hash string after ingest (`test-gitlab-production.log-expected.json`); omit `entity.target.*` — unstable for ES|QL parsing.
+- **`gitlab.auth.matched`** — finer throttle rule names not used as `event.action` (prefer `gitlab.auth.env`).
+- **`target_duration_s` / `target_scheduling_latency_s`** — Rails/Sidekiq performance metrics (`vendor_target_special_cases.csv`), not entity targets.
+- **Group / DeployKey / MergeRequest audit `target_type`** — extend `entity.target.*` `CASE` branches when Tier A fixtures confirm additional types.
+- **Pass 2 alignment** — ingest-time `user.target.*` / `entity.target.*` from audit `target_*` and `event.action` on non-production streams remain preferred; Pass 4 fills gaps without overwriting populated values.
diff --git a/dev/domain/p1/greenhouse.md b/dev/domain/p1/greenhouse.md
new file mode 100644
index 00000000000..20a94a58b3d
--- /dev/null
+++ b/dev/domain/p1/greenhouse.md
@@ -0,0 +1,451 @@
+# greenhouse
+
+## Product Domain (Greenhouse ATS/recruiting)
+
+Greenhouse is a cloud-based Applicant Tracking System (ATS) used by organizations to manage end-to-end recruiting and hiring workflows. Teams use it to post jobs, source and track candidates, run structured interview processes, coordinate offers, and report on hiring pipeline metrics. The platform is delivered as SaaS and is structured around organizations (tenants), users with role-based permissions, jobs and job posts, candidates and applications, interview plans, scorecards, and configurable hiring workflows.
+
+At its core, Greenhouse functions as a system of record for recruiting data—candidate profiles, application stages, interview feedback, offer details, and administrative configuration such as email templates, permissions, and integrations. Recruiters and hiring managers interact primarily through the Greenhouse Recruiting web UI, while developers and integrations access data through the Harvest API (including Harvest V3 with OAuth 2.0). The Audit Log add-on (available on Expert tier) records who accessed or changed information in Greenhouse Recruiting over a rolling 30-day window.
+
+From a security and compliance perspective, Greenhouse audit logs capture administrative actions, data lifecycle changes, and Harvest API access. Events identify the performer (user, API key, or internal system action), the request or action taken, the affected resource, and contextual metadata such as IP address and before/after values for data changes. Security teams monitor Greenhouse to detect unauthorized configuration changes, sensitive recruiting data access, API abuse, and privileged user activity.
+
+The Elastic Greenhouse integration ingests audit logs via Elastic Agent using a CEL input that polls the Greenhouse Audit Log API with Harvest V3 OAuth Client Credentials authentication.
Collection is interval-based with optional filters for performer IDs and event types, rate-limit handling, and ECS normalization for SIEM correlation, identity monitoring, and audit trail analysis.
+
+## Data Collected (brief)
+
+- **Audit logs** (`greenhouse.audit`): Security and compliance events from the Greenhouse Audit Log API, retained by Greenhouse for up to 30 days.
+- **Event types**: `action` (general Recruiting actions), `data_change_create`, `data_change_update`, `data_change_destroy` (resource lifecycle changes with before/after metadata), and `harvest_access` (Harvest API data access).
+- **Performer details**: User ID, name, email, performer type (`user`, `api_key`, `greenhouse_internal`), source IP, and API key type when applicable.
+- **Request and target context**: Request ID and action type (Recruiting action name or Harvest API URL), target resource ID and type, organization ID, and event timestamp mapped to ECS fields (`user.*`, `organization.id`, `source.ip`, `event.*`).
+
+## Expected Audit Log Entities
+
+The Greenhouse integration exposes a single true audit stream — **`greenhouse.audit`** — polling the Greenhouse Audit Log API (Expert tier add-on). There are no metrics, inventory, or audit-adjacent detection streams. Events record a **performer** (Recruiting UI user, Harvest API key, or internal Greenhouse automation), an **event action** (Greenhouse event type and/or Recruiting action name / Harvest API path), and an **event target** (resource changed or accessed). **`event.action` is populated on all fixtures** — copied from `greenhouse.audit.event.type` (`action`, `data_change_create`, `data_change_update`, `data_change_destroy`, `harvest_access`); the more granular operation name remains vendor-only in `greenhouse.audit.request.type`. **No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*` fields are populated** (`dev/target-fields-audit/out/target_fields_audit.csv` — no rows for this package).
**No `destination.user.*` or `destination.host.*` de-facto targets** (`destination_identity_hits.csv` — not listed). The target-fields audit classifies this package as **`moderate_candidate`** with **`fixture_strong=true`** and no pipeline destination-identity or official ECS target mapping (`dev/target-fields-audit/out/target_enhancement_packages.csv`). Vendor target identity remains under `greenhouse.audit.event.*`. Evidence: `packages/greenhouse/data_stream/audit/sample_event.json`, `data_stream/audit/_dev/test/pipeline/test-audit-events.json-expected.json` (5 fixtures), `data_stream/audit/elasticsearch/ingest_pipeline/default.yml`, and `data_stream/audit/fields/fields.yml`.
+
+### Event action (semantic)
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `action` | administration | high | `sample_event.json`, expected fixture 0: `event.action: "action"`; `request.type: "email_settings#create_organization_email"` | **`greenhouse.audit`** — general Recruiting UI action; coarse event-type label |
+| `data_change_create` | configuration_change | high | Expected fixture 1: `event.action: "data_change_create"`; `request.type: "email_settings#create_organization_email"` | Resource creation with before/after in `event.meta` |
+| `data_change_update` | configuration_change | high | Expected fixture 2: `event.action: "data_change_update"`; `request.type: "users#update"` | Role change on target User `12345` |
+| `harvest_access` | data_access | high | Expected fixture 3: `event.action: "harvest_access"`; `request.type: "/v1/candidates/123456"` | Harvest API data read by API key performer |
+| `data_change_destroy` | configuration_change | high | Expected fixture 4: `event.action: "data_change_destroy"`; `request.type: "jobs#destroy"` | Job deletion |
+| `email_settings#create_organization_email` | configuration_change | high | `request.type` in fixtures 0–1 | Granular Recruiting action —
vendor-only, not mapped to `event.action` |
+| `users#update` | administration | high | `request.type` in fixture 2 | Granular Recruiting action — vendor-only |
+| `jobs#destroy` | configuration_change | high | `request.type` in fixture 4 | Granular Recruiting action — vendor-only |
+| `/v1/candidates/123456` | api_call | high | `request.type` in fixture 3 | Harvest API endpoint path — vendor-only |
+
+Greenhouse uses a two-level action model: **`event.type`** (audit event class) maps to ECS **`event.action`**, while **`request.type`** (Recruiting controller action or Harvest URL) carries the specific operation but stays under `greenhouse.audit.request.type`. Pipeline also derives **`event.type`** (`creation`, `change`, `deletion`, `access`, `info`) and **`event.category`** (`configuration`, `iam`) from the same vendor event type — complementary to but distinct from `event.action`.
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate?
| Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `greenhouse.audit.event.type` → `event.action` | yes | partial | `action`, `data_change_create`, `data_change_update`, `data_change_destroy`, `harvest_access` | no | Pipeline `default.yml` L62–65: `set` with `copy_from`; all 5 fixtures and `sample_event.json` |
+| `greenhouse.audit.request.type` | no | n/a | `email_settings#create_organization_email`, `users#update`, `jobs#destroy`, `/v1/candidates/123456` | **yes** | Retained vendor-only (`fields.yml` L15–18); granular Recruiting action or Harvest API path — stronger per-event verb than `event.type` |
+| `event.type` | no | n/a | `creation`, `change`, `deletion`, `access`, `info` | no | Derived from `event.type` vendor field (`default.yml` L68–96); ECS event taxonomy, not operation name |
+| `event.category` | no | n/a | `configuration`, `iam` | no | Appended from event type and performer type (`default.yml` L98–112); category, not action |
+
+**Step 2b — per-stream check:**
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `greenhouse.audit` | yes | yes | `greenhouse.audit.event.type` → `event.action` (primary); alternate granular: `greenhouse.audit.request.type` | high | `default.yml` L62–65; `sample_event.json` L24; `test-audit-events.json-expected.json` (all 5 events) |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Recruiting UI user | user | — | high | `greenhouse.audit.performer.type: "user"` in 4 fixtures and `sample_event.json`. Pipeline maps `performer.id` → `user.id`, `performer.meta.username` → `user.email`, `performer.meta.name` → `user.full_name`; `event.category` includes `iam`. Examples: `12345` (Allison Jamie), `99999` (Admin User), `55555` (HR Manager).
| **`greenhouse.audit`** — human performer for Recruiting actions and data changes |
+| Harvest API key | service | api_key | high | `performer.type: "api_key"` in 1 fixture (`harvest_access`). `performer.id` → `user.id` (`1001`); `performer.meta.api_key_type: "harvest"` retained vendor-side. No email or full name; `event.category` is `configuration` only. | Integration principal, not a human account — mapped to ECS `user.id` |
+| Greenhouse internal automation | service | internal_automation | low | Documented in `fields.yml` as `performer.type: "greenhouse_internal"`; not observed in fixtures or `sample_event.json`. | Expected for platform-initiated changes when present in production |
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `user.id` | Performer identifier (user or API key) | yes | partial | high | ← `greenhouse.audit.performer.id` convert (`default.yml:115–119`); fixtures for all performer types.
**Partial** for `api_key` performers — ECS `user.id` holds API key ID, not a human user |
+| `user.email` | Performer email | yes | yes | high | ← `greenhouse.audit.performer.meta.username` (`default.yml:120–123`); populated for `user` performers only |
+| `user.full_name` | Performer display name | yes | yes | high | ← `greenhouse.audit.performer.meta.name` (`default.yml:124–127`); populated for `user` performers only |
+| `source.ip` | Performer network origin | yes | yes | high | ← `greenhouse.audit.performer.ip_address` convert + geo/ASN enrichment (`default.yml:129–165`); network context, not a separate actor entity |
+| `related.user` | Performer cross-reference | yes | partial | high | Appends `user.id` and `user.email` (`default.yml:191–200`); performer only — does not include target user on `users#update` |
+| `related.ip` | Performer IP cross-reference | yes | yes | high | ← `source.ip` append (`default.yml:201–205`) |
+| `greenhouse.audit.performer.type` | Performer class | yes (vendor) | n/a | high | Retained after pipeline removes duplicate performer id/meta; distinguishes `user`, `api_key`, `greenhouse_internal` |
+| `greenhouse.audit.performer.meta.api_key_type` | API key flavor | yes (vendor) | n/a | high | Retained for `api_key` performers (`harvest` in fixture); canonical integration identity detail |
+| `organization.id` | Tenant scope | yes | n/a | high | ← `greenhouse.audit.organization_id` convert (`default.yml:167–177`); organization boundary, not actor |
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Platform / cloud service | Greenhouse ATS SaaS platform | Greenhouse Recruiting / Harvest API | service | — | medium | Integration context (`event.module: greenhouse`, API host `auditlog.us.greenhouse.io` in manifest); no `cloud.service.name` or `cloud.provider` pipeline mapping.
| Implicit Layer 1 — platform not explicitly ECS-mapped |
+| 2 — Resource / object | Organization email setting | OrganizationEmail | general | organization_email | high | `greenhouse.audit.event.target_type: "OrganizationEmail"`, `target_id: "1234"` on `data_change_create` (`email_settings#create_organization_email`). | `data_change_create` |
+| 2 — Resource / object | Recruiting user account | User | user | — | high | `target_type: "User"`, `target_id: "12345"` on `data_change_update` (`users#update`). Actor (`99999`, Admin User) differs from target user (`12345`). | Role change target — not promoted to ECS `user.target.*` |
+| 2 — Resource / object | Candidate record | Candidate | general | candidate | high | `target_type: "Candidate"`, `target_id: "123456"` on `harvest_access`; `request.type: "/v1/candidates/123456"`. | Harvest API data access |
+| 2 — Resource / object | Job posting | Job | general | job | high | `target_type: "Job"`, `target_id: "789"` on `data_change_destroy` (`jobs#destroy`). | Job deletion |
+| 2 — Resource / object | Action label (no resource ID) | Global Email Added | general | action_label | high | `target_type: "Global Email Added"` on `action` event with no `target_id`; `request.type: "email_settings#create_organization_email"`. Per `fields.yml`, non–data-change `target_type` may be a display label rather than a resource class. | `action` events may omit `target_id` |
+| 3 — Content / artifact | Before/after field values | Data change delta | general | field_delta | high | `greenhouse.audit.event.meta` flattened — e.g. `role: ["Basic", "Site Admin"]`, `value: ["johnny.c@omniva-corp.com"]`, `name: ["Software Engineer"]`.
| `data_change_*` events only |
+| 3 — Content / artifact | Request / action identifier | Recruiting action or Harvest URL | general | api_request | high | `greenhouse.audit.request.type` — Recruiting action name (`users#update`, `jobs#destroy`, `email_settings#create_organization_email`) or Harvest API path (`/v1/candidates/123456`). `event.id` ← `request.id`. | Describes what was invoked or changed |
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `greenhouse.audit.event.target_type` | 2 | varies | yes (vendor) | n/a | `entity.target.type` / type-specific `*.target.*` | **yes** | Canonical resource class or action label; `User`, `Candidate`, `Job`, `OrganizationEmail`, display labels on `action` events. `fields.yml:66–69` |
+| `greenhouse.audit.event.target_id` | 2 | varies | yes (vendor) | n/a | `entity.target.id` / `user.target.id` (when `target_type: User`) | **yes** | ← API integer converted to string (`default.yml:179–188`); absent on some `action` events |
+| `greenhouse.audit.event.meta` | 3 | general (field_delta) | yes (vendor) | n/a | context | no | Before/after values for `data_change_*`; recruiting field deltas |
+| `greenhouse.audit.request.type` | 3 | general (api_request) | yes (vendor) | n/a | context | **yes** (as `event.action`) | Recruiting action name or Harvest API path; granular operation verb — enhancement candidate for `event.action` |
+| `event.id` | 3 | general (request_id) | yes | yes | context | no | ← `greenhouse.audit.request.id` (`default.yml:58–61`); request correlation ID |
+| `organization.id` | — | general (organization) | yes | n/a | context-only | no | Tenant scope (`default.yml:167–177`); not the acted-upon resource |
+| `cloud.service.name` | 1 | service | no | n/a | `service.target.name` | **yes** | Greenhouse ATS platform not mapped; SaaS
integration with no static `cloud.service.name` set in pipeline |
+
+### Gaps and mapping notes
+
+- **`event.action` is coarse, not granular:** Pipeline maps `greenhouse.audit.event.type` → `event.action` (`default.yml` L62–65) — correct for audit event class (`data_change_update`, `harvest_access`) but omits the specific Recruiting action or Harvest URL in `greenhouse.audit.request.type` (`users#update`, `/v1/candidates/123456`). Enhancement: copy or concatenate `request.type` into `event.action` (or a dedicated ECS field) for SIEM rule precision.
+- **No official ECS target fields:** Aligns with `target_enhancement_packages.csv` (`moderate_candidate`, all ECS target tiers false). Primary enhancement path: promote `greenhouse.audit.event.target_type` + `target_id` to `entity.target.*` and type-specific buckets (`user.target.id` when `target_type: User`, etc.).
+- **No de-facto `destination.*` targets:** Unlike email/auth integrations, this package does not use `destination.user.*` or `destination.host.*`; target identity is vendor-only under `greenhouse.audit.event.*`.
+- **Actor/target separation on user updates:** `users#update` fixture maps performer Admin User (`99999`) to ECS `user.*` while the affected User (`12345`) remains only in `greenhouse.audit.event.target_id` — correct performer mapping, but target user lacks ECS promotion.
+- **API key performers use actor field set:** `performer.type: api_key` maps to `user.id` without email/name (`default.yml:115–127`). Semantically a **service** actor stored in ECS `user.*` — **`Mapping correct? partial`**; consider `service.id` or dedicated vendor normalization.
+- **`related.user` includes performer only:** Target user IDs (e.g. `12345` on `users#update`) are not appended to `related.user` — limits cross-entity correlation without querying vendor fields.
+- **Performer fields removed post-mapping:** Pipeline removes `greenhouse.audit.performer.id`, `.ip_address`, and performer meta name/username after ECS copy (`default.yml:235–244`) unless `preserve_duplicate_custom_fields` tag is set — vendor actor detail partially stripped.
+- **`target_type` semantics vary by event type:** For `data_change_*` and `harvest_access`, `target_type` is a resource class name; for `action` events it may be a human-readable label (`Global Email Added`) with no `target_id` — affects how Layer 2 targets should map to ECS.
+- **Additional production resource types expected:** Applications, scorecards, interview plans, and other Greenhouse objects are documented in the Audit Log API but not represented in current fixtures.
+- **Alignment with target-fields audit:** `moderate_candidate` with `fixture_strong=true` matches evidence — clear vendor target fields (`greenhouse.audit.event.target_id`, `target_type`) in pipeline and fixtures, zero official `*.target.*` or `destination.*` identity mapping.
+
+### Per-stream notes
+
+- **`greenhouse.audit`:** Single audit stream covering `action`, `data_change_create`, `data_change_update`, `data_change_destroy`, and `harvest_access` event types. **`event.action`** populated from vendor `event.type`; granular operation in **`greenhouse.audit.request.type`**. Performer always maps to ECS `user.*` (human or API key); targets stay vendor-namespaced. `source.ip` with optional geo/ASN enrichment describes performer origin. No metrics or inventory streams — all events are audit trail records with `event.kind: event`.
+
+## Example Event Graph
+
+Examples below come from the single **`greenhouse.audit`** stream — true audit logs from the Greenhouse Audit Log API (Expert tier add-on), covering Recruiting UI actions, data lifecycle changes, and Harvest API access.
+
+### Example 1: Admin updates user role
+
+**Stream:** `greenhouse.audit` · **Fixture:** `packages/greenhouse/data_stream/audit/_dev/test/pipeline/test-audit-events.json-expected.json` (fixture 2)
+
+```
+Admin User (99999) → data_change_update → User (12345)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | 99999 |
+| name | Admin User |
+| type | user |
+| ip | 10.0.0.50 |
+
+**Field sources:**
+
+- `id` ← `user.id`
+- `name` ← `user.full_name`
+- `ip` ← `source.ip`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | data_change_update |
+| source_field | `event.action` |
+| source_value | `data_change_update` |
+
+Granular Recruiting operation `users#update` is retained in `greenhouse.audit.request.type` but not mapped to `event.action`.
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 12345 |
+| type | user |
+
+**Field sources:**
+
+- `id` ← `greenhouse.audit.event.target_id`
+- `type` ← `greenhouse.audit.event.target_type` (`User`)
+
+Target user is not promoted to ECS `user.target.*`; performer (`99999`) and target (`12345`) are distinct.
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: Admin User (99999)"] --> E["data_change_update"]
+ E --> T["Target: User (12345)"]
+```
+
+### Example 2: Harvest API key accesses candidate record
+
+**Stream:** `greenhouse.audit` · **Fixture:** `packages/greenhouse/data_stream/audit/_dev/test/pipeline/test-audit-events.json-expected.json` (fixture 3)
+
+```
+API key (1001) → harvest_access → Candidate (123456)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | 1001 |
+| type | service |
+| sub_type | api_key |
+| geo | Madrid, Spain |
+| ip | 203.0.113.42 |
+
+**Field sources:**
+
+- `id` ← `user.id` (API key performer mapped to ECS `user.id`)
+- `sub_type` ← `greenhouse.audit.performer.type` (`api_key`); `greenhouse.audit.performer.meta.api_key_type: harvest`
+- `geo` ← `source.geo.city_name`, `source.geo.country_name`
+- `ip` ← `source.ip`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | harvest_access |
+| source_field | `event.action` |
+| source_value | `harvest_access` |
+
+Harvest API path `/v1/candidates/123456` is in `greenhouse.audit.request.type` but not mapped to `event.action`.
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 123456 |
+| type | general |
+| sub_type | candidate |
+
+**Field sources:**
+
+- `id` ← `greenhouse.audit.event.target_id`
+- `sub_type` ← `greenhouse.audit.event.target_type` (`Candidate`)
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: API key (1001)"] --> E["harvest_access"]
+ E --> T["Target: Candidate (123456)"]
+```
+
+### Example 3: HR Manager deletes job posting
+
+**Stream:** `greenhouse.audit` · **Fixture:** `packages/greenhouse/data_stream/audit/_dev/test/pipeline/test-audit-events.json-expected.json` (fixture 4)
+
+```
+HR Manager (55555) → data_change_destroy → Job (789)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | 55555 |
+| name | HR Manager |
+| type | user |
+| ip | 172.16.0.100 |
+
+**Field sources:**
+
+- `id` ← `user.id`
+- `name` ← `user.full_name`
+- `ip` ← `source.ip`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | data_change_destroy |
+| source_field | `event.action` |
+| source_value | `data_change_destroy` |
+
+Granular Recruiting operation `jobs#destroy` is in `greenhouse.audit.request.type` but not mapped to `event.action`.
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 789 |
+| name | Software Engineer |
+| type | general |
+| sub_type | job |
+
+**Field sources:**
+
+- `id` ← `greenhouse.audit.event.target_id`
+- `name` ← `greenhouse.audit.event.meta.name` (deleted job title from before/after delta)
+- `sub_type` ← `greenhouse.audit.event.target_type` (`Job`)
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: HR Manager (55555)"] --> E["data_change_destroy"]
+ E --> T["Target: Job (789)"]
+```
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (policy template `greenhouse`, single `data_stream/audit` with Tier A fixtures and ingest pipeline). Query-time extraction routes on **`data_stream.dataset == "greenhouse.audit"`** only.
Pass 4 is **fill-gaps-only**: detection flags are query-time helpers; mapped columns use **column-level** `CASE( IS NOT NULL, , …)` or valid **5-arg** / **7-arg** forms — never **4-arg** `CASE( IS NOT NULL, , bare_field, null)` (bare field parses as a **condition**, not a fallback). Performer maps to actor `user.*` at ingest (human and API key); targets remain vendor-only under `greenhouse.audit.event.*` until promoted to `user.target.*` / `entity.target.*` in fallback branches. API key performers are semantically **service** actors (Pass 3) but ingest stores the key ID in `user.id` — `service.id` / `entity.type` actor normalization is documented in Gaps because `user.id` satisfies `actor_exists`.
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `greenhouse.audit` | audit (Recruiting + Harvest API) | user / service (api_key) | user / general (resource by `target_type`) | full |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.id` | `greenhouse.audit.performer.id` → `user.id` | `data_stream.dataset == "greenhouse.audit"` | high | **ingest-only — no ES|QL** — pipeline `convert` to `user.id`; vendor `performer.id` not retained in Tier A fixtures |
+| `user.name` | `user.full_name` | `data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.performer.type == "user"` | high | **vendor fallback** — `CASE(user.name IS NOT NULL, user.name, …, user.full_name, null)`; ingest indexes display name as `user.full_name` |
+| `user.email` | `performer.meta.username` → `user.email` | `data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.performer.type == "user"` | high | **ingest-only — no ES|QL** — pipeline `set` from `performer.meta.username`; no query-time vendor path in fixtures |
+| `host.ip` | `source.ip` |
`host.ip IS NOT NULL` → preserve; else `data_stream.dataset == "greenhouse.audit" AND source.ip IS NOT NULL` | high | **vendor fallback** — performer origin; `host.ip` not set at ingest; do not gate on `actor_exists` (`source.ip` satisfies `actor_exists` while `host.ip` is empty) |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.target.id` | `greenhouse.audit.event.target_id` | `data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type == "User"` | high | **vendor fallback** — fixture 2: `12345` on `users#update`; actor `99999` unchanged |
+| `entity.target.id` | `greenhouse.audit.event.target_id` | `data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_id IS NOT NULL AND greenhouse.audit.event.target_type != "User"` | high | **vendor fallback** — Candidate, Job, OrganizationEmail |
+| `entity.target.type` | `greenhouse.audit.event.target_type` | `data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type IS NOT NULL` | high | **vendor fallback** — resource class or action display label |
+| `entity.target.name` | `greenhouse.audit.event.meta.name`, `greenhouse.audit.event.target_type` | `meta.name` present, or `target_id` null with `target_type` set | medium | **vendor fallback** — job title delta; label-only `action` events |
+| `entity.target.sub_type` | literals from `target_type` | `Candidate`, `Job`, `OrganizationEmail` | high | **semantic literal** in fallback — normalized sub_type |
+
+**Omitted (Gaps):** `user.target.name` (no `meta.name` on User fixture — role in `meta.role` only); `service.target.name` (platform not indexed); `service.id` / `entity.type` for `api_key` (blocked when `user.id` satisfies `actor_exists`).
+
+### Detection flags (mandatory — run first)
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.email IS NOT NULL OR user.full_name IS NOT NULL
+ OR host.ip IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL OR entity.target.type IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+**Semantics:** `actor_exists` includes `user.full_name` (ingest display name) rather than `user.name`; it does **not** include `source.ip` (performer network origin is mapped to `host.ip` separately). Mapped columns use column-level preserve (` IS NOT NULL` or `target_exists` / `action_exists` only where the flag matches the column). Ingest-only `user.id` / `user.email` have no ES|QL block. No ECS `*.target.*` at ingest today — `target_exists` is false on all Tier A fixtures; vendor fallbacks apply.
+
+### Optional classification helpers (when needed)
+
+`entity.target.sub_type` is set in the **target** `EVAL` fallback branch only (never `target.entity.type`).
+
+### Combined ES|QL — actor fields
+
+`user.id` and `user.email` omitted — ingest always populates them from `performer.id` / `performer.meta.username` with no alternate indexed vendor path (rule #10).
+
+**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. Wrong: `CASE(user.name IS NOT NULL, user.name, user.full_name, null)` (4 args — `user.full_name` is a **condition**). Right: **5-arg** `CASE(user.name IS NOT NULL, user.name, data_stream.dataset == "greenhouse.audit" AND …, user.full_name, null)` or **3-arg** when `WHERE` scopes the stream.
Do not use `CASE(actor_exists, host.ip, source.ip, null)` — `actor_exists` is true from `user.id` / `user.full_name` while `host.ip` is still empty.
+
+```esql
+| EVAL
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.performer.type == "user", user.full_name,
+ null
+ ),
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "greenhouse.audit" AND source.ip IS NOT NULL, source.ip,
+ null
+ )
+```
+
+### Combined ES|QL — event action
+
+`event.action` is populated at ingest from `greenhouse.audit.event.type` on all fixtures; fallback covers missing values only.
+
+```esql
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.type IS NOT NULL, greenhouse.audit.event.type,
+ null
+ )
+```
+
+Granular `greenhouse.audit.request.type` (`users#update`, `/v1/candidates/123456`) is an ingest enhancement candidate (Pass 2) — not wired here to avoid overriding coarse `event.action` when present.
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ user.target.id = CASE(
+ user.target.id IS NOT NULL, user.target.id,
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type == "User", greenhouse.audit.event.target_id,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_id IS NOT NULL AND greenhouse.audit.event.target_type != "User", greenhouse.audit.event.target_id,
+ null
+ ),
+ entity.target.type = CASE(
+ entity.target.type IS NOT NULL, entity.target.type,
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type IS NOT NULL, greenhouse.audit.event.target_type,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.meta.name IS NOT NULL, TO_STRING(greenhouse.audit.event.meta.name),
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type IS NOT NULL AND greenhouse.audit.event.target_id IS NULL, greenhouse.audit.event.target_type,
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type == "Candidate", "candidate",
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type == "Job", "job",
+ data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type == "OrganizationEmail", "organization_email",
+ null
+ )
+```
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.email IS NOT NULL OR user.full_name IS NOT NULL OR host.ip IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR
host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL OR entity.target.type IS NOT NULL, + action_exists = event.action IS NOT NULL +| EVAL + user.name = CASE(user.name IS NOT NULL, user.name, data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.performer.type == "user", user.full_name, null), + host.ip = CASE(host.ip IS NOT NULL, host.ip, data_stream.dataset == "greenhouse.audit" AND source.ip IS NOT NULL, source.ip, null) +| EVAL + event.action = CASE(event.action IS NOT NULL, event.action, data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.type IS NOT NULL, greenhouse.audit.event.type, null) +| EVAL + user.target.id = CASE(user.target.id IS NOT NULL, user.target.id, data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type == "User", greenhouse.audit.event.target_id, null), + entity.target.id = CASE(entity.target.id IS NOT NULL, entity.target.id, data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_id IS NOT NULL AND greenhouse.audit.event.target_type != "User", greenhouse.audit.event.target_id, null), + entity.target.type = CASE(entity.target.type IS NOT NULL, entity.target.type, data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type IS NOT NULL, greenhouse.audit.event.target_type, null), + entity.target.name = CASE(entity.target.name IS NOT NULL, entity.target.name, data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.meta.name IS NOT NULL, TO_STRING(greenhouse.audit.event.meta.name), data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type IS NOT NULL AND greenhouse.audit.event.target_id IS NULL, greenhouse.audit.event.target_type, null), + entity.target.sub_type = CASE(entity.target.sub_type IS NOT NULL, entity.target.sub_type, data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type == 
"Candidate", "candidate", data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type == "Job", "job", data_stream.dataset == "greenhouse.audit" AND greenhouse.audit.event.target_type == "OrganizationEmail", "organization_email", null) +| KEEP @timestamp, data_stream.dataset, event.action, user.id, user.name, host.ip, user.target.id, entity.target.id, entity.target.type, entity.target.name, entity.target.sub_type +``` + +### Streams excluded + +None — single audit stream only; no metrics or inventory datasets in this integration. + +### Gaps and limitations + +- **`user.id` / `user.email` ingest-only:** No ES|QL `CASE` — fallback would repeat the output column (`user.id` / `user.email`); `greenhouse.audit.performer.id` is not retained after pipeline `convert` in Tier A fixtures. +- **API key → `service.id` / `entity.type`:** Ingest maps `api_key` performer to `user.id`; `actor_exists` is true, so preserve-first blocks query-time `service.id` / `entity.type` normalization — align with Pass 2 partial mapping; prefer ingest fix. +- **`service.target.name` omitted:** Greenhouse ATS platform not indexed as `cloud.service.name`; literal `"Greenhouse"` is low-confidence semantic only. +- **`user.target.name` omitted:** `users#update` fixture has `meta.role` delta, not `meta.name` — no defensible User target display name in Tier A fixtures. +- **`action` events without `target_id`:** `target_type` may be a display label (`Global Email Added`) — `entity.target.name` falls back to `target_type` when ID absent. +- **`greenhouse.audit.request.type` not mapped to `event.action`:** Granular verb stays vendor-only unless ingest enhancement lands (Pass 2 **yes**). +- **`greenhouse_internal` performer type:** Documented in `fields.yml` but not in fixtures — `performer.type` guards may omit until production evidence. 
+- **`entity.target.name` from meta arrays:** `meta.name` may be multivalue before/after delta — `TO_STRING` coerces for display; ingest normalization preferred. +- **Pass 2 enhancement alignment:** Promoting `target_type` + `target_id` to `*.target.*` at ingest remains preferred; this block is query-time fill-gaps only. +- **Pass 4 CASE syntax:** `user.name` / `host.ip` / `event.action` use column-level preserve (` IS NOT NULL`); `host.ip` never gates on `actor_exists` (fixtures set `source.ip` without `host.ip`). Target columns use column-level preserve, not `CASE(target_exists, col, …)` alone. Pipeline fragment uses valid **3-arg** / **5-arg** forms scoped by `WHERE data_stream.dataset == "greenhouse.audit"`. No **4-arg** `CASE(col IS NOT NULL, col, bare_field, null)`. diff --git a/dev/domain/p1/infoblox_bloxone_ddi.md b/dev/domain/p1/infoblox_bloxone_ddi.md new file mode 100644 index 00000000000..1df77a07d7c --- /dev/null +++ b/dev/domain/p1/infoblox_bloxone_ddi.md 
@@ -0,0 +1,504 @@ +# infoblox_bloxone_ddi + +## Product Domain + +Infoblox BloxOne DDI is Infoblox's cloud-native platform for DNS, DHCP, and IP address management (DDI)—the core network services that underpin all IP-based communication. BloxOne DDI centralizes authoritative DNS zones and resource records, DHCP lease lifecycle, and IPAM inventory in the Infoblox Cloud Services Portal (CSP), while on-premises BloxOne DDI Hosts can serve DNS protocol traffic at the edge. Organizations use it to automate address assignment, maintain accurate DNS authority, enforce consistent naming and zone policy, and gain visibility into how clients obtain and use IP addresses across hybrid and multi-site environments. + +The platform spans three tightly coupled domains. **DNS Data** holds authoritative zone content—A/AAAA, CNAME, MX, TXT, and other record types with TTL, inheritance, and view/zone metadata. **DNS Config** defines resolver and zone-serving policy: recursion, forwarders, DNSSEC validation, EDNS/ECS behavior, ACLs for query/update/transfer, and cache TTL limits. **DHCP Lease** tracks active and historical leases—assigned addresses, MAC and client identifiers, hostname, lease state and lifetime, fingerprinting, and IPAM space linkage. Together these datasets form the operational and security-relevant audit trail for DDI infrastructure: what names resolve, how DNS is configured, and which hosts hold which addresses. + +Security and network teams monitor BloxOne DDI to detect unauthorized DNS changes, track IP-to-host mappings for incident response, correlate DHCP activity with asset inventory, and validate that DNS/DHCP policy matches organizational standards. Because DNS and DHCP are high-value targets for lateral movement, persistence, and reconnaissance, visibility into BloxOne DDI state complements broader SIEM, NDR, and endpoint telemetry. 
The Elastic integration polls BloxOne DDI REST APIs (v1) from Elastic Agent and surfaces the data in ECS-aligned logs with bundled Kibana dashboards. + +## Data Collected (brief) + +Logs only (no metrics). Elastic Agent **httpjson** input polls the Infoblox Cloud Services Portal (`https://csp.infoblox.com` by default) with an API key. Three data streams: + +| Data stream | Description | +|---|---| +| **dns_data** | Authoritative DNS resource records—zone/view, record type, RDATA (addresses, CNAME, MX, etc.), TTL, inheritance, disabled state, and timestamps | +| **dns_config** | DNS view/resolver configuration—recursion, forwarders, DNSSEC, ECS/EDNS, ACLs (query, recursion, transfer, update), cache TTLs, and zone authority SOA fields | +| **dhcp_lease** | DHCP lease events—assigned IP, MAC/hardware address, client ID, hostname, lease start/end, state, protocol (IPv4/IPv6), fingerprint, HA group, and IPAM space | + +Events are mapped to ECS (`dns.*`, `host.*`, `client.*`, `network.*`, `event.*`, `related.*`) with full vendor detail under `infoblox_bloxone_ddi.*`. Collection is poll-based with configurable interval and initial lookback (default 24h / 1m). + +## Expected Audit Log Entities + +This integration does **not** ingest Infoblox CSP audit or admin-activity logs. All three data streams (`dns_data`, `dns_config`, `dhcp_lease`) poll BloxOne DDI REST API inventory endpoints via **httpjson** and emit periodic state snapshots—authoritative DNS records, DNS view/resolver configuration, and active DHCP leases. Events describe **what exists** in DDI at poll time, not **who changed it**. Actor/target semantics below are **inventory-oriented** and audit-adjacent; pair with a separate CSP audit source for audit-grade identity. No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*` fields are populated (`dev/target-fields-audit/out/target_fields_audit.csv` has no `infoblox_bloxone_ddi` row). 
The package does not appear in `dev/target-fields-audit/out/destination_identity_hits.csv` (no `destination.user.*` / `destination.host.*` pipeline usage). Target-fields audit classified this package as **`moderate_candidate`** (`dev/target-fields-audit/out/target_enhancement_packages.csv`: `fixture_strong=true`, no pipeline actor/target/destination identity heuristics). + +**`event.action` is absent in all streams** — no fixture populates it and no ingest pipeline maps to it. Pipelines statically set `event.category: [network]` and `event.type: [protocol]` on every stream; those are classification metadata, not operation verbs. Vendor fields named `action` (inheritance blocks) and `state`/`type` (DHCP lease) describe configuration inheritance or inventory state, not auditable operations. + +**Event action (Step 2b per stream):** + +| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| **dns_data** | no | no | n/a — no per-event action (DNS record inventory sync) | high | Static `event.category: [network]`, `event.type: [protocol]` only (`dns_data/.../default.yml` L8–15); no vendor operation/action field on record objects | +| **dns_config** | no | no | n/a — no per-event action (DNS view config inventory sync) | high | Same static ECS event fields (`dns_config/.../default.yml` L8–15); view objects synced, not mutated in-event | +| **dhcp_lease** | no | no | n/a — no per-event action (DHCP lease inventory sync) | high | Static `event.category`/`event.type` (`dhcp_lease/.../default.yml` L8–15); `state`/`type` vendor fields describe lease snapshot, not DHCP transaction verbs | + +### Event action (semantic) + +| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | +| (no per-event action) | inventory | high | Static `event.kind: event`, `event.category: [network]`, `event.type: 
[protocol]` on all streams | **dns_data**, **dns_config**, **dhcp_lease** — poll-based state sync; no logged create/update/delete verb | +| `inherit` / `override` (inheritance metadata) | configuration_change | low | `infoblox_bloxone_ddi.dns_data.inheritance.sources.ttl.action: "inherit"` in `test-pipeline-dns-data.log-expected.json`; `infoblox_bloxone_ddi.dns_config.inheritance.sources.*.action: "inherit"` / `"override"` in `dns_config/sample_event.json` | **dns_data**, **dns_config** — per-setting inheritance mode on a config block, not an event-level operation; multiple values per document | +| `STATIC` (record source) | configuration_change | low | `infoblox_bloxone_ddi.dns_data.source: ["STATIC"]` in fixtures | **dns_data** — record creation origin enum, not a poll-time action | +| `used` (lease state) | inventory | moderate | `infoblox_bloxone_ddi.dhcp_lease.state: "used"` in `test-pipeline-dhcp-lease.log-expected.json` (event 2–3) | **dhcp_lease** — current lease lifecycle state at poll time, not a DHCP assign/renew/release event | +| `DHCPv4: DHCPv4 lease` (lease type label) | inventory | moderate | `infoblox_bloxone_ddi.dhcp_lease.type` in fixture event 2 | **dhcp_lease** — descriptive lease category string, not an operation name | + +None of the vendor fields above represent a true audit verb (who performed what operation). For correlation with change detection, compare successive poll snapshots or ingest Infoblox CSP audit logs separately. + +### Event action (ECS candidates) + +| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | +| `event.action` | no (all streams) | n/a | n/a — not populated | yes | Absent from `sample_event.json`, all `*-expected.json`, and all three `default.yml` pipelines (grep confirms no `event.action` set/rename) | +| `event.category` | no | n/a | n/a — not a substitute for action | no | Static `[network]` (`default.yml` L11–12 on each stream); classification only | +| `event.type` | no | n/a | n/a — not a substitute for action | no | Static `[protocol]` (`default.yml` L14–15); classification only | +| `infoblox_bloxone_ddi.dns_data.type` | no | n/a | n/a — DNS RR type (`AAAA`, …), not operation | no | `json.type` → vendor field → `dns.question.type` / `dns.answers.type` (`dns_data/.../default.yml` L374–424); e.g. `"AAAA"` in fixtures | +| `infoblox_bloxone_ddi.dns_data.source` | no | n/a | n/a — record origin enum, not operation | no | `json.source` → vendor (`default.yml` L360–361); e.g. `["STATIC"]` — describes how record was created, not poll action | +| `infoblox_bloxone_ddi.dns_data.inheritance.sources.*.action` | no | n/a | n/a — per-field inheritance mode | no | e.g. `"inherit"` on TTL block (`default.yml` L99); config metadata, not event verb | +| `infoblox_bloxone_ddi.dns_config.inheritance.sources.*.action` | no | n/a | n/a — per-setting inheritance mode | no | `"inherit"`, `"override"` throughout `dns_config/.../default.yml` (e.g. 
L391–413); not mappable to single `event.action` per document | +| `infoblox_bloxone_ddi.dhcp_lease.state` | no | partial | `used` (if forced) | yes | `json.state` → vendor (`dhcp_lease/.../default.yml` L200–201); lease state snapshot — could label inventory as `lease-state-used` but does not capture assign/renew/release | +| `infoblox_bloxone_ddi.dhcp_lease.type` | no | partial | `DHCPv4: DHCPv4 lease` (if forced) | yes | `json.type` → vendor (L204–205); descriptive type string in fixture event 2 — poor fit for `event.action` | +| (static inventory label) | no | n/a | `inventory-sync` (recommended if enhancement added) | yes | No vendor operation field exists; a pipeline `set: event.action: inventory-sync` (or stream-specific `dns-record-sync`, `dns-config-sync`, `dhcp-lease-sync`) would at least distinguish inventory polls from true audit events | + +### Actor (semantic) + +| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | +| DHCP client (lease holder) | host | — | moderate | `client.user.id` ← `json.client_id`; `host.name`/`host.hostname` ← `json.host`/`json.hostname`; `infoblox_bloxone_ddi.dhcp_lease.hardware` (normalized MAC) | **`dhcp_lease`** only — endpoint that obtained the lease; no human/admin principal | +| Configuration provenance object | general | config-source | low | `infoblox_bloxone_ddi.dns_data.source` (e.g. `STATIC`), `inheritance.sources.*.source` / `.display.name` | **`dns_data`**, **`dns_config`** — describes where a setting was inherited from, not an interactive actor | +| ACL / forwarder peer | host | — | low | `query_acl.address`, `forwarders.address`, `match_clients_acl.address` in vendor namespace | **`dns_config`** — policy peers referenced by the view, not principals of a logged action | + +**No audit actor:** `dns_data` and `dns_config` carry no ECS `user.*`, `source.*`, or admin identity. 
**`dhcp_lease`** has no operator who granted the lease—only the client endpoint. **`agent.*` / `elastic_agent.*`** identify the Elastic Agent poller, not a BloxOne DDI operator. + +### Actor (ECS candidates) + +| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `client.user.id` | DHCP client identifier | yes (`dhcp_lease`) | partial | moderate | `json.client_id` → `client.user.id` (`dhcp_lease/elasticsearch/ingest_pipeline/default.yml` L49–55); populated when non-empty (`sample_event.json`, `test-pipeline-dhcp-lease.log-expected.json`); omitted when `client_id` is empty (third pipeline test) — DHCP client ID stored under ECS **client** user field, not `user.id` | +| `host.name` | DHCP client host resource path | yes (`dhcp_lease`) | yes | high | `json.host` → `host.name` (pipeline L95–101); e.g. `"admin"`, `"dhcp/host/123456"` in fixtures | +| `host.hostname` | DHCP client FQDN / hostname option | yes (`dhcp_lease`) | yes | high | `json.hostname` → `host.hostname` (pipeline L109–115); e.g. `"Host1"`, `"system_name.contoso.com"` | +| `infoblox_bloxone_ddi.dhcp_lease.client_id` | Vendor DHCP client ID | yes (with `preserve_duplicate_custom_fields`) | n/a | high | Renamed from `json.client_id`; duplicate of `client.user.id` when both retained | +| `infoblox_bloxone_ddi.dhcp_lease.hardware` | Client MAC / hardware address | yes | n/a | high | `json.hardware` normalized (gsub `:`/`.` → `-`, uppercase); host endpoint identifier, vendor-only | +| `infoblox_bloxone_ddi.dhcp_lease.fingerprint.*` | Client OS/device fingerprint | yes | n/a | moderate | Vendor-only DHCP fingerprint strings | +| `infoblox_bloxone_ddi.dns_data.source` | Record creation source enum | yes | n/a | low | e.g. 
`["STATIC"]` in `sample_event.json` — config origin, not security principal | +| `infoblox_bloxone_ddi.dns_data.inheritance.sources.*` | Inherited-setting provenance | yes | n/a | low | `source`, `display.name`, `action` on TTL and other blocks — policy inheritance metadata | +| `infoblox_bloxone_ddi.dns_config.inheritance.sources.*` | View-setting provenance | yes | n/a | low | Same pattern across ACL, forwarder, DNSSEC blocks in `dns_config` pipeline | +| `agent.id`, `agent.name` | Elastic Agent collector | yes | n/a | high | `data_stream/*/fields/agent.yml` — collection context, not event actor | + +No ECS `user.*`, `source.ip`, or `related.user` populated in any stream fixture. + +### Target (semantic) + +| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | --- | --- | +| 1 — Platform / cloud service | Infoblox BloxOne DDI (CSP) | BloxOne DDI SaaS platform | service | — | low | Product context only — no `cloud.service.name` or `service.name` set by pipelines | All streams — implied collection target, not mapped | +| 2 — Resource / object | Authoritative DNS resource record | DNS RR in zone/view | general | dns-record | high | `event.id`, `dns.question.*`, `infoblox_bloxone_ddi.dns_data.zone`/`view`/`view_name` | **`dns_data`** — inventory object keyed by record ID | +| 2 — Resource / object | DNS view / resolver configuration | DNS view | service | — | high | `event.id` (view resource path), `infoblox_bloxone_ddi.dns_config.name`, `ip_spaces` | **`dns_config`** — e.g. 
`"dns/view/01234567-..."` in pipeline tests | +| 2 — Resource / object | DHCP-leased endpoint | Client host / IP allocation | host | — | high | `infoblox_bloxone_ddi.dhcp_lease.address` → `related.ip`; `host.name`/`host.hostname` | **`dhcp_lease`** — assigned address is primary inventory target | +| 3 — Content / artifact | DNS RDATA payload | Record answer data (A/CNAME/MX/SRV…) | general | dns-rdata | high | `dns.answers.data`/`type`/`ttl`; `infoblox_bloxone_ddi.dns_data.rdata.*` | **`dns_data`** — answer content, not a separate security entity | +| 3 — Content / artifact | Lease lifecycle snapshot | Active lease state and timestamps | general | dhcp-lease-state | high | `event.start`, `event.end`, `infoblox_bloxone_ddi.dhcp_lease.state`/`type` | **`dhcp_lease`** — lease period and state at poll time | + +Supplementary **host** references in **`dns_config`**: forwarders, custom root NS, and ACL entries (`forwarders.fqdn`, `custom_root_ns.fqdn`, `query_acl.address`) are policy peers, not primary inventory targets. Supplementary **general** (entity type: ipam-scope) via `infoblox_bloxone_ddi.dhcp_lease.space` and `ha_group` path strings. + +### Target (ECS candidates) + +| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `event.id` | 2 | general | yes (all streams) | yes | context-only | no | `json.id` → `event.id` in each pipeline; record/view resource ID | +| `dns.question.name` | 2 | general | yes (`dns_data`) | yes | context-only | no | `infoblox_bloxone_ddi.dns_data.absolute.name.spec` → `dns.question.name` (pipeline L427–429) | +| `dns.question.registered_domain` | 2 | general | yes (`dns_data`) | yes | context-only | no | From `absolute.zone.name` | +| `dns.question.subdomain` | 2 | general | yes (`dns_data`) | yes | context-only | no | From `name_in.zone` | +| `dns.question.type` | 2 | general | yes (`dns_data`) | yes | context-only | no | From record `type` | +| `dns.answers.data` / `.type` / `.ttl` | 3 | general | yes (`dns_data`) | yes | context-only | no | From `rdata_value`, `type`, `ttl` | +| `related.ip` | 2 | host | yes (all streams) | partial | context-only | no | Appended from RDATA addresses, ACL/forwarder IPs, lease address — enrichment array, not explicit target | +| `infoblox_bloxone_ddi.dns_data.id` | 2 | general | yes | n/a | context-only | no | Vendor record ID; also copied to `event.id` then removed unless `preserve_duplicate_custom_fields` | +| `infoblox_bloxone_ddi.dns_data.zone` / `.view` / `.view_name` | 2 | general | yes | n/a | context-only | no | Zone/view scope for the record | +| `infoblox_bloxone_ddi.dns_data.rdata.address` | 2 | host | yes | n/a | context-only | no | A/AAAA RDATA IP — referenced host in record content | +| `infoblox_bloxone_ddi.dns_data.rdata.cname` / `.exchange` | 3 | general | yes | n/a | context-only | no | CNAME/MX RDATA targets in DNS semantics | +| `infoblox_bloxone_ddi.dns_data.rdata.target` | 3 | general | yes | n/a | context-only | no | SRV/NAPTR **DNS RDATA** target hostname (e.g. 
`"."` in pipeline test) — not an ECS entity target; flagged in `out/vendor_target_special_cases.csv` | +| `infoblox_bloxone_ddi.dns_config.name` | 2 | service | yes | n/a | context-only | no | DNS view display name | +| `infoblox_bloxone_ddi.dns_config.ip_spaces` | 2 | general | yes | n/a | context-only | no | Linked IPAM space path strings | +| `infoblox_bloxone_ddi.dns_config.zone_authority.*` | 3 | general | yes | n/a | context-only | no | SOA authority fields on the view | +| `infoblox_bloxone_ddi.dhcp_lease.address` | 2 | host | yes | n/a | context-only | yes | Assigned lease IP → `related.ip`; inventory subject; candidate for `host.target.ip` if audit semantics added | +| `host.name`, `host.hostname` | 2 | host | yes (`dhcp_lease`) | partial | context-only | yes | Overlap with actor — leased endpoint identity; candidate for `host.target.name` | +| `related.hosts` | 2 | host | yes (`dhcp_lease`) | partial | context-only | no | Appended from `host.name` and `host.hostname` | +| `infoblox_bloxone_ddi.dhcp_lease.space` / `.ha_group` | 2 | general | yes | n/a | context-only | no | IPAM space and HA group resource paths | +| `event.start`, `event.end` | 3 | general | yes (`dhcp_lease`) | yes | context-only | no | Lease period from `starts`/`ends` | + +No `destination.user.*`, `destination.host.*`, or official ECS `*.target.*` fields anywhere in the package. + +### Gaps and mapping notes + +- **Inventory sync, not audit events:** All three streams poll REST inventory APIs. No caller, session, or mutation outcome is recorded. Pair with Infoblox CSP audit logging for who-changed-what. +- **`event.action` gap on all streams:** No pipeline mapping and no fixture population. Vendor data lacks a true operation field; `event.category`/`event.type` are static network/protocol labels and must not substitute for `event.action`. 
If enhancement is desired, add stream-specific static values (`dns-record-sync`, `dns-config-sync`, `dhcp-lease-sync`) or derive change verbs externally by diffing successive polls. +- **`infoblox_bloxone_ddi.dhcp_lease.state` / `.type` are state descriptors, not actions:** `state: "used"` and `type: "DHCPv4: DHCPv4 lease"` describe the lease snapshot at poll time — poor candidates for `event.action` without a true DHCP transaction log (assign, renew, release). +- **Inheritance `action` fields are config metadata:** `inherit` / `override` on `inheritance.sources.*` blocks appear many times per `dns_config` document and describe per-setting inheritance mode, not a single auditable operation. +- **`client.user.id` for DHCP client ID:** Pipeline maps `json.client_id` to ECS `client.user.id` — semantically a DHCP client identifier on a **host** endpoint, not an interactive user principal (`partial` mapping). +- **Actor/target overlap on `dhcp_lease`:** The same `host.name`/`host.hostname`/`related.ip` fields describe both the DHCP client (actor) and the leased endpoint (target). No disambiguation in ECS today. +- **`infoblox_bloxone_ddi.dns_data.rdata.target` homonym:** Vendor field name contains "target" but holds SRV/NAPTR DNS RDATA hostnames — not an audit entity target (`vendor_target_special_cases.csv`). +- **Inheritance and `source` metadata not promoted to actor ECS:** `inheritance.sources.*.source`/`display.name` and `dns_data.source` (e.g. `STATIC`) could hint at config provenance but are not mapped to `user.*` or `related.user`. +- **No `cloud.service.name`:** Layer 1 platform service (BloxOne DDI CSP) is implied by product context only; pipelines set `event.category: [network]`, `event.type: [protocol]` — no SaaS/cloud ECS fields. +- **ACL/forwarder IPs in `related.ip`:** `dns_config` appends policy peer addresses to `related.ip` for correlation — network/policy context, not de-facto audit targets. 
+- **Target-fields audit alignment:** Classified **`moderate_candidate`** with strong fixtures but no existing ECS target-tier-A, destination identity, or pipeline actor heuristics. Official `*.target.*` migration would apply mainly to `dhcp_lease` host/IP inventory subjects if audit semantics were introduced. + +### Per-stream notes + +#### dns_data + +Polls authoritative DNS resource records. Richest DNS ECS mapping: `dns.question.*` and `dns.answers[]` from record metadata and RDATA. `event.id` is the record resource ID. **No `event.action`.** Static `event.category: [network]`, `event.type: [protocol]`. `infoblox_bloxone_ddi.dns_data.type` is the DNS RR type (e.g. `AAAA`), not an operation. `infoblox_bloxone_ddi.dns_data.source` and inheritance blocks describe static/import provenance, not actors or poll-time actions. RDATA may embed referenced hosts (`rdata.address`, `rdata.cname`, `rdata.exchange`, `rdata.target`). + +#### dns_config + +Polls DNS view/resolver configuration objects. `event.id` is the view resource path (e.g. `"dns/view/01234567-89ab-cdef-fedc-ba9876543210"`). **No `event.action`.** Inheritance `action` values (`inherit`, `override`) are per-setting metadata scattered across ACL, forwarder, DNSSEC, and cache blocks — not event-level verbs. ACL arrays (`query_acl`, `recursion_acl`, `transfer_acl`, `update_acl`, `match_clients_acl`, `match_destinations_acl`), forwarders, and DNSSEC settings are configuration content—not network flow peers. `related.ip` and `related.hash` aggregate peer IPs and TSIG algorithms for search. + +#### dhcp_lease + +Polls active DHCP lease inventory. Strongest actor/target identity: `client.user.id`, `host.name`, `host.hostname`, normalized MAC (`hardware`), assigned IP (`address` → `related.ip`), lease lifecycle (`event.start`/`event.end`, `state`). **No `event.action`.** `infoblox_bloxone_ddi.dhcp_lease.state` (e.g. `"used"`) and `.type` (e.g. 
`"DHCPv4: DHCPv4 lease"`) are inventory state labels, not DHCP transaction verbs. Third pipeline test shows empty `client_id` omits `client.user.id` while `host.*` and hardware remain. `options` holds raw DHCP option payloads (vendor-parsed JSON). + +## Example Event Graph + +Examples below come from all three data streams (`dns_data`, `dns_config`, `dhcp_lease`). These are **audit-adjacent inventory snapshots** polled from BloxOne DDI REST APIs—not CSP admin audit logs. No fixture populates `event.action`; derived action labels describe poll-time inventory semantics and are **not mapped to ECS today**. + +### Example 1: DHCP client holds active lease + +**Stream:** `infoblox_bloxone_ddi.dhcp_lease` · **Fixture:** `packages/infoblox_bloxone_ddi/data_stream/dhcp_lease/_dev/test/pipeline/test-pipeline-dhcp-lease.log-expected.json` (event 2) + +``` +DHCP client (abc3212caabc / example.com) → lease-state-used → IP lease 81.2.69.192 +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | abc3212caabc | +| name | example.com | +| type | host | + +**Field sources:** +- `id ← client.user.id` (from `json.client_id`) +- `name ← host.hostname` +- `host.name` (`admin`) is the DHCP host label on the lease record — client identity, not the lease resource + +#### Event action + +| Field | Value | +| --- | --- | +| action | lease-state-used | +| source_field | `infoblox_bloxone_ddi.dhcp_lease.state` | +| source_value | `used` | + +**Not mapped to ECS today** — `state` is a lease lifecycle snapshot at poll time, not a DHCP assign/renew/release verb. 
+ +#### Target + +| Field | Value | +| --- | --- | +| id | 81.2.69.192 | +| type | general | +| sub_type | ip_lease | +| ip | 81.2.69.192 | + +**Field sources:** +- `id` / `ip` ← `infoblox_bloxone_ddi.dhcp_lease.address` (also in `related.ip`) +- `sub_type` ← `infoblox_bloxone_ddi.dhcp_lease.type` (`DHCPv4: DHCPv4 lease`) + +Inventory poll — client identity and assigned IP share one lease row; target is the leased address resource, not the client host entity. + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: example.com"] --> E["lease-state-used"] + E --> T["Target: IP lease 81.2.69.192"] +``` + +### Example 2: Static AAAA record in authoritative zone + +**Stream:** `infoblox_bloxone_ddi.dns_data` · **Fixture:** `packages/infoblox_bloxone_ddi/data_stream/dns_data/_dev/test/pipeline/test-pipeline-dns-data.log-expected.json` (event 2) + +``` +Config source STATIC → dns-record-sync → AAAA record Test name +``` + +#### Actor + +| Field | Value | +| --- | --- | +| name | STATIC | +| type | general | +| sub_type | config-source | + +**Field sources:** +- `name ← infoblox_bloxone_ddi.dns_data.source[0]` + +No interactive admin or DHCP client—record origin enum stands in for configuration provenance only. + +#### Event action + +| Field | Value | +| --- | --- | +| action | dns-record-sync | +| source_field | `event.category` | +| source_value | `["network"]` | + +**Not mapped to ECS today** — static poll classification only; no vendor operation field exists on record objects. 
+ +#### Target + +| Field | Value | +| --- | --- | +| id | 12abcddcba32ab | +| name | Test name | +| type | general | +| sub_type | dns-record | + +**Field sources:** +- `id ← event.id` (record resource ID) +- `name ← dns.question.name` + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: STATIC"] --> E["dns-record-sync"] + E --> T["Target: Test name (AAAA)"] +``` + +### Example 3: DNS view resolver configuration snapshot + +**Stream:** `infoblox_bloxone_ddi.dns_config` · **Fixture:** `packages/infoblox_bloxone_ddi/data_stream/dns_config/_dev/test/pipeline/test-pipeline-dns-config.log-expected.json` (event 3) + +``` +(no audit actor) → dns-config-sync → DNS view default-Contoso +``` + +#### Actor + +| Field | Value | +| --- | --- | +| type | general | + +**Field sources:** No ECS `user.*`, `client.*`, or admin identity in fixture—inventory poll only; actor node omitted beyond entity class. + +#### Event action + +| Field | Value | +| --- | --- | +| action | dns-config-sync | +| source_field | `event.type` | +| source_value | `["protocol"]` | + +**Not mapped to ECS today** — static poll classification; `inheritance.sources.*.action` values (`inherit`/`override`) are per-setting metadata, not event-level verbs. + +#### Target + +| Field | Value | +| --- | --- | +| id | dns/view/01234567-89ab-cdef-fedc-ba9876543210 | +| name | default-Contoso | +| type | service | + +**Field sources:** +- `id ← event.id` (DNS view resource path) +- `name ← infoblox_bloxone_ddi.dns_config.name` + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: (inventory poll)"] --> E["dns-config-sync"] + E --> T["Target: default-Contoso"] +``` + +## ES|QL Entity Extraction + +**Package type: agent-backed** (Elastic Agent **httpjson**; three data streams in `manifest.yml`). Router: **`data_stream.dataset`** (`infoblox_bloxone_ddi.dns_data`, `infoblox_bloxone_ddi.dns_config`, `infoblox_bloxone_ddi.dhcp_lease`). Poll-based REST **inventory snapshots** — not CSP admin audit logs. 
Pass 4 is **fill-gaps-only**: detection flags (`actor_exists`, `target_exists`, `action_exists`) run first for query semantics; mapped columns use **column-level** `CASE( IS NOT NULL, , …)` — valid **3-arg**, **5-arg**, or **7-arg** forms only — not `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` and never **4-arg** `CASE( IS NOT NULL, , bare_field, null)` (bare field parses as a boolean condition). No ECS `*.target.*` at ingest today; fallbacks promote inventory subjects per Pass 3 (`dhcp_lease` leased IP, `dns_data` RR, `dns_config` DNS view). **`dhcp_lease`** actor identity uses ingest `host.name` / `host.hostname` / `client.user.id` (not `user.*`). **`dns_config`** has no actor fallback. **`host.name`** omitted from actor `EVAL` — ingest-only (`json.host`); `actor_exists` still includes `host.name IS NOT NULL`.
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `infoblox_bloxone_ddi.dns_data` | DNS record inventory | general (config-source) | general (dns-record) | partial |
+| `infoblox_bloxone_ddi.dns_config` | DNS view config inventory | — | service (dns view) | partial |
+| `infoblox_bloxone_ddi.dhcp_lease` | DHCP lease inventory | host | host (leased IP) | partial |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `host.name` | — | `data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease"` | high | **ingest-only — no ES\|QL** — `json.host` → `host.name` (`dhcp_lease/.../default.yml` L95–101); no alternate query-time source |
+| `entity.id` | `client.user.id` | `data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease" AND client.user.id IS NOT NULL` | moderate | **vendor fallback** — DHCP client ID in `client` namespace (Pass 3) |
+| `entity.name` | `host.hostname` | `data_stream.dataset ==
"infoblox_bloxone_ddi.dhcp_lease" AND host.hostname IS NOT NULL` | high | **vendor fallback** — client FQDN when `entity.name` empty |
+| `entity.type` | literal `"host"` | `data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease"` | high | **semantic literal** |
+| `entity.name` | `MV_FIRST(infoblox_bloxone_ddi.dns_data.source)` | `data_stream.dataset == "infoblox_bloxone_ddi.dns_data" AND infoblox_bloxone_ddi.dns_data.source IS NOT NULL` | low | **vendor fallback** — array field (e.g. `STATIC` in fixtures); config provenance, not principal |
+| `entity.type` | literal `"general"` | `data_stream.dataset == "infoblox_bloxone_ddi.dns_data" AND infoblox_bloxone_ddi.dns_data.source IS NOT NULL` | low | **semantic literal** |
+| `entity.sub_type` | literal `"config-source"` | `data_stream.dataset == "infoblox_bloxone_ddi.dns_data" AND infoblox_bloxone_ddi.dns_data.source IS NOT NULL` | low | **semantic literal** |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `entity.target.id` | `entity.target.id` | `entity.target.id IS NOT NULL` | high | **column-level preserve** |
+| `entity.target.id` | `event.id` | `data_stream.dataset == "infoblox_bloxone_ddi.dns_data"` | high | **vendor fallback** — record resource ID |
+| `entity.target.id` | `event.id` | `data_stream.dataset == "infoblox_bloxone_ddi.dns_config"` | high | **vendor fallback** — view resource path |
+| `entity.target.name` | `entity.target.name` | `entity.target.name IS NOT NULL` | high | **column-level preserve** |
+| `entity.target.name` | `dns.question.name` | `data_stream.dataset == "infoblox_bloxone_ddi.dns_data"` | high | **vendor fallback** — RR name (Pass 3) |
+| `entity.target.name` | `infoblox_bloxone_ddi.dns_config.name` | `data_stream.dataset == "infoblox_bloxone_ddi.dns_config"` | high | **vendor fallback** — view display name |
+| `entity.target.type` | `entity.target.type` |
`entity.target.type IS NOT NULL` | high | **column-level preserve** |
+| `entity.target.type` | literal `"general"` | `data_stream.dataset == "infoblox_bloxone_ddi.dns_data"` | high | **semantic literal** |
+| `entity.target.type` | literal `"service"` | `data_stream.dataset == "infoblox_bloxone_ddi.dns_config"` | medium | **semantic literal** — DNS view (Pass 3) |
+| `entity.target.sub_type` | `entity.target.sub_type` | `entity.target.sub_type IS NOT NULL` | high | **column-level preserve** |
+| `entity.target.sub_type` | literal `"dns-record"` | `data_stream.dataset == "infoblox_bloxone_ddi.dns_data"` | high | **semantic literal** |
+| `entity.target.sub_type` | literal `"ip_lease"` | `data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease"` | high | **semantic literal** — Pass 3 leased-address resource |
+| `host.target.ip` | `host.target.ip` | `host.target.ip IS NOT NULL` | high | **column-level preserve** |
+| `host.target.ip` | `infoblox_bloxone_ddi.dhcp_lease.address` | `data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease"` | high | **vendor fallback** — assigned lease IP (fixture event 2) |
+| `host.target.name` | `host.target.name` | `host.target.name IS NOT NULL` | high | **column-level preserve** |
+| `host.target.name` | `host.hostname` | `data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease" AND host.hostname IS NOT NULL` | high | **vendor fallback** — overlaps client hostname on same row (Pass 2) |
+| `service.target.name` | `service.target.name` | `service.target.name IS NOT NULL` | high | **column-level preserve** |
+| `service.target.name` | `infoblox_bloxone_ddi.dns_config.name` | `data_stream.dataset == "infoblox_bloxone_ddi.dns_config"` | high | **vendor fallback** — parallel to `entity.target.name` for service-class queries |
+
+### Detection flags (mandatory — run first)
+
+`actor_exists` includes **`client.user.id`** and **`host.hostname`** (DHCP client identity is not under `user.*`). `user.*` omitted — never indexed.
`target_exists` checks official `*.target.*` only (ingest does not populate them today). **Actor/target `EVAL` blocks use column-level preserve** (` IS NOT NULL`) — not `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` — so e.g. `host.name` on `dhcp_lease` does not block `entity.id` ← `client.user.id` when `entity.id` is empty (Pass 4 §10).
+
+**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. Use **5-arg** `CASE(entity.id IS NOT NULL, entity.id, data_stream.dataset == "…", client.user.id, null)` — not **4-arg** `CASE(actor_exists, entity.id, client.user.id, null)` (`client.user.id` is a **condition**, not a value).
+
+```esql
+| EVAL
+ actor_exists = client.user.id IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL OR host.hostname IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+### Combined ES|QL — actor fields
+
+Omitted from actor `EVAL` (ingest-only — no alternate query-time source): `host.name`.
+
+```esql
+| EVAL
+ entity.id = CASE(
+ entity.id IS NOT NULL, entity.id,
+ data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease" AND client.user.id IS NOT NULL, client.user.id,
+ null
+ ),
+ entity.name = CASE(
+ entity.name IS NOT NULL, entity.name,
+ data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease" AND host.hostname IS NOT NULL, host.hostname,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_data" AND infoblox_bloxone_ddi.dns_data.source IS NOT NULL, MV_FIRST(infoblox_bloxone_ddi.dns_data.source),
+ null
+ ),
+ entity.type = CASE(
+ entity.type IS NOT NULL, entity.type,
+ data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease", "host",
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_data" AND infoblox_bloxone_ddi.dns_data.source IS NOT NULL, "general",
+ null
+ ),
+ entity.sub_type = CASE(
+ entity.sub_type IS NOT NULL, entity.sub_type,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_data" AND infoblox_bloxone_ddi.dns_data.source IS NOT NULL, "config-source",
+ null
+ )
+```
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_data", event.id,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_config", event.id,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_data", dns.question.name,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_config", infoblox_bloxone_ddi.dns_config.name,
+ null
+ ),
+ entity.target.type = CASE(
+ entity.target.type IS NOT NULL, entity.target.type,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_data", "general",
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_config", "service",
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_data", "dns-record",
+ data_stream.dataset ==
"infoblox_bloxone_ddi.dhcp_lease", "ip_lease",
+ null
+ ),
+ host.target.ip = CASE(
+ host.target.ip IS NOT NULL, host.target.ip,
+ data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease", infoblox_bloxone_ddi.dhcp_lease.address,
+ null
+ ),
+ host.target.name = CASE(
+ host.target.name IS NOT NULL, host.target.name,
+ data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease" AND host.hostname IS NOT NULL, host.hostname,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "infoblox_bloxone_ddi.dns_config", infoblox_bloxone_ddi.dns_config.name,
+ null
+ )
+```
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = client.user.id IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL OR host.hostname IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ entity.id = CASE(entity.id IS NOT NULL, entity.id, data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease" AND client.user.id IS NOT NULL, client.user.id, null),
+ entity.name = CASE(entity.name IS NOT NULL, entity.name, data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease" AND host.hostname IS NOT NULL, host.hostname, data_stream.dataset == "infoblox_bloxone_ddi.dns_data" AND infoblox_bloxone_ddi.dns_data.source IS NOT NULL, MV_FIRST(infoblox_bloxone_ddi.dns_data.source), null),
+ entity.type = CASE(entity.type IS NOT NULL, entity.type, data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease", "host", data_stream.dataset ==
"infoblox_bloxone_ddi.dns_data" AND infoblox_bloxone_ddi.dns_data.source IS NOT NULL, "general", null),
+ entity.sub_type = CASE(entity.sub_type IS NOT NULL, entity.sub_type, data_stream.dataset == "infoblox_bloxone_ddi.dns_data" AND infoblox_bloxone_ddi.dns_data.source IS NOT NULL, "config-source", null)
+| EVAL
+ entity.target.id = CASE(entity.target.id IS NOT NULL, entity.target.id, data_stream.dataset == "infoblox_bloxone_ddi.dns_data", event.id, data_stream.dataset == "infoblox_bloxone_ddi.dns_config", event.id, null),
+ entity.target.name = CASE(entity.target.name IS NOT NULL, entity.target.name, data_stream.dataset == "infoblox_bloxone_ddi.dns_data", dns.question.name, data_stream.dataset == "infoblox_bloxone_ddi.dns_config", infoblox_bloxone_ddi.dns_config.name, null),
+ entity.target.type = CASE(entity.target.type IS NOT NULL, entity.target.type, data_stream.dataset == "infoblox_bloxone_ddi.dns_data", "general", data_stream.dataset == "infoblox_bloxone_ddi.dns_config", "service", null),
+ entity.target.sub_type = CASE(entity.target.sub_type IS NOT NULL, entity.target.sub_type, data_stream.dataset == "infoblox_bloxone_ddi.dns_data", "dns-record", data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease", "ip_lease", null),
+ host.target.ip = CASE(host.target.ip IS NOT NULL, host.target.ip, data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease", infoblox_bloxone_ddi.dhcp_lease.address, null),
+ host.target.name = CASE(host.target.name IS NOT NULL, host.target.name, data_stream.dataset == "infoblox_bloxone_ddi.dhcp_lease" AND host.hostname IS NOT NULL, host.hostname, null),
+ service.target.name = CASE(service.target.name IS NOT NULL, service.target.name, data_stream.dataset == "infoblox_bloxone_ddi.dns_config", infoblox_bloxone_ddi.dns_config.name, null)
+| KEEP @timestamp, data_stream.dataset, host.name, entity.id, entity.name, entity.target.id, entity.target.name, host.target.ip, service.target.name
+```
+
+### Streams excluded
+
+*(none — all three
streams are inventory polls with partial actor/target promotion)*
+
+### Gaps and limitations
+
+- **Not audit events** — no admin caller, session, or mutation verb; pair with Infoblox CSP audit for who-changed-what.
+- **`host.name` ES|QL** — **ingest-only** on `dhcp_lease`; do not emit `CASE(actor_exists, host.name, host.name, null)` or dataset-routed `host.name` fallback (identity no-op; `actor_exists` already includes `host.name IS NOT NULL`).
+- **`event.action` omitted** — absent in all fixtures and pipelines; `dhcp_lease.state` / `.type` and inheritance `action` are state/metadata, not operations (Pass 2). Ingest enhancement (`dns-record-sync`, `dhcp-lease-sync`, …) preferred over ES|QL guessing.
+- **`client.user.id` vs `user.id`** — DHCP client ID stays in `client`; promoted to `entity.id` only when `entity.id` empty and `actor_exists` false.
+- **Column-level preserve (§10)** — `actor_exists` / `target_exists` are helpers only; each column uses ` IS NOT NULL` as the first `CASE` branch so `host.name` does not block `entity.id` ← `client.user.id`. Anti-pattern: `CASE(actor_exists, entity.id, client.user.id, null)` (4 args — `client.user.id` is a condition).
+- **`client.user.id` queries** — use `client.user.id` directly when `entity.id` promotion is not needed; column-level preserve skips fallback only when `entity.id` is already non-null.
+- **Actor/target overlap on `dhcp_lease`** — `host.hostname` may populate both client context and `host.target.name` (Pass 3 Example 1).
+- **`infoblox_bloxone_ddi.dns_data.rdata.target`** — SRV/NAPTR RDATA homonym; not mapped (`vendor_target_special_cases.csv`).
+- **`user.*`, `user.email`, `user.domain`, `host.ip` (actor)** — not indexed in any stream fixture.
+- **`cloud.service.name` / Layer 1 platform** — BloxOne CSP implied only; no pipeline mapping.
+- **Pass 2 enhancement alignment** — official `*.target.*` at ingest remains the long-term fix; this block is query-time fill-gaps only.
diff --git a/dev/domain/p1/jamf_pro.md b/dev/domain/p1/jamf_pro.md
new file mode 100644
index 00000000000..9d834907f7b
--- /dev/null
+++ b/dev/domain/p1/jamf_pro.md
@@ -0,0 +1,485 @@
+# jamf_pro
+
+## Product Domain (Jamf Pro Apple MDM)
+
+Jamf Pro is an enterprise Apple device management platform (Mobile Device Management, MDM) used to deploy, configure, secure, and maintain Mac computers, iPhones, iPads, and Apple TV devices at scale. Organizations rely on Jamf Pro to enroll devices through Automated Device Enrollment (ADE/DEP), push configuration profiles and policies, manage software patching, enforce security baselines, and maintain an authoritative inventory of their Apple fleet. The platform centers on the Jamf Pro Server (historically JSS), which communicates with managed endpoints via the Jamf agent and Apple MDM protocols.
+
+Core concepts in the Jamf Pro domain include computers and mobile devices (identified by UDID, serial number, and management ID), smart groups and static groups for targeting, configuration profiles, policies, patch management, and user/location metadata tied to hardware assets. Devices report check-ins and inventory updates; administrators trigger remote commands, policy runs, and patch deployments. Jamf Pro also exposes a REST API (OAuth2 client credentials) for programmatic access and supports webhooks that push real-time notifications when significant lifecycle or operational events occur.
+
+From a security and operations perspective, Jamf Pro generates two primary telemetry types: periodic computer inventory snapshots and event-driven webhook notifications. Inventory captures hardware, OS, security posture (FileVault, SIP, Gatekeeper, firewall), installed applications, user accounts, disk encryption, and optional sections such as configuration profiles and group memberships. Webhook events cover device enrollment and check-in, policy and patch completion, smart group membership changes, mobile device lifecycle, REST API operations, SCEP challenges, and Jamf server startup/shutdown.
Security teams use this data to monitor fleet compliance, detect enrollment anomalies, track policy execution, and correlate Apple endpoint activity with broader SIEM investigations.
+
+The Elastic Jamf Pro integration ingests both streams via Elastic Agent: inventory is polled from the `/v1/computers-inventory` API (CEL input), and events are received passively from Jamf Pro webhooks over an HTTP endpoint listener. Data is normalized into ECS-aligned fields with Kibana dashboards for inventory overview, hardware details, geographic distribution, and real-time webhook activity.
+
+## Data Collected (brief)
+
+- **Inventory** (`jamf_pro.inventory`): Periodic computer asset records from the Jamf Pro API, one document per Mac. Default sections include general device metadata (name, UDID, enrollment dates, last contact, MDM capability, site), hardware (model, serial, CPU/RAM, Apple Silicon), and operating system (version, build, FileVault status). Optional sections: user/location, disk encryption, purchasing, applications, storage, configuration profiles, security settings, local user accounts, certificates, group memberships, and more.
+- **Events** (`jamf_pro.events`): Real-time webhook notifications from Jamf Pro, including computer and mobile device lifecycle (added, enrolled, unenrolled, check-in, inventory completed), policy and patch execution (policy finished, patch policy completed, patch software title updated), smart group membership changes (computer, mobile device, user), push notifications, REST API operations, SCEP challenges, device added to DEP, JSS startup/shutdown, and mobile device commands.
+- **Host and user context**: Device identifiers (UDID, serial, MAC, management ID), IP addresses with geo enrichment, OS version/build, assigned user name/email, building/department/room, and webhook metadata (event type, timestamp, webhook name/ID).
+
+## Expected Audit Log Entities
+
+Jamf Pro webhooks are **operational lifecycle and MDM activity notifications** — audit-adjacent, not a dedicated administrative audit log with explicit actor principals. Most events describe what happened to a managed Apple endpoint or Jamf configuration object without naming the administrator, API client, or policy that triggered the change. **`jamf_pro.events`** is the only stream with actor/target/action semantics below; **`jamf_pro.inventory`** is periodic asset inventory (`event.kind: asset`) with no per-action caller or affected-object audit model. **`event.action`** is populated on **all 22** events-stream fixtures from `jamf_pro.events.webhook.webhook_event` (PascalCase Jamf webhook type names, e.g. `ComputerAdded`, `RestAPIOperation`); inventory has no `event.action`. No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*` fields are populated; no `destination.user.*` / `destination.host.*` in the events pipeline (`destination_identity_hits.csv` has no jamf_pro row). Target-fields audit classifies jamf_pro as **`moderate_candidate`** with `fixture_strong=true` (vendor `target_device`/`target_user` in SCEP fixtures) and `pipeline_actor=false` (`dev/target-fields-audit/out/target_enhancement_packages.csv`).
+
+Evidence: `packages/jamf_pro/data_stream/events/sample_event.json`, all 22 `_dev/test/pipeline/*-expected.json` fixtures, `data_stream/events/elasticsearch/ingest_pipeline/default.yml`, `data_stream/events/fields/fields.yml`, `data_stream/inventory/sample_event.json`, `data_stream/inventory/elasticsearch/ingest_pipeline/default.yml`.
+
+### Event action (semantic)
+
+Jamf webhook **`webhookEvent`** is the canonical per-notification action — the pipeline copies it verbatim to ECS `event.action`. Secondary vendor fields (`rest_api_operation_type`, `event_actions.action`) add sub-operation detail on two event types but are not promoted to ECS.
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `ComputerAdded`, `ComputerCheckIn`, `ComputerInventoryCompleted`, `ComputerPushCapabilityChanged` | administration / device_lifecycle | high | `event.action` in all four fixtures; e.g. `test-computer-added.json-expected.json`: `ComputerAdded` | **`jamf_pro.events`** — Mac lifecycle and inventory reporting |
+| `MobileDeviceEnrolled`, `MobileDeviceUnEnrolled`, `MobileDeviceCheckIn`, `MobileDeviceInventoryCompleted`, `MobileDeviceCommandCompleted`, `MobileDevicePushSent` | administration / device_lifecycle | high | `event.action` in all six mobile fixtures; e.g. `MobileDeviceEnrolled`, `MobileDeviceCommandCompleted` | Same stream — iOS/iPadOS lifecycle and MDM command completion |
+| `ComputerPolicyFinished`, `ComputerPatchPolicyCompleted`, `PatchSoftwareTitleUpdated` | configuration_change | high | `ComputerPolicyFinished`, `ComputerPatchPolicyCompleted`, `PatchSoftwareTitleUpdated` in fixtures | Policy/patch execution and catalog updates; sub-action in `event_actions.action` (`MCNFPQ`) on patch-completed only |
+| `SmartGroupComputerMembershipChange`, `SmartGroupMobileDeviceMembershipChange`, `SmartGroupUserMembershipChange` | configuration_change | high | All three smart-group fixtures set `event.action` to matching webhook type | Group membership delta events; no operator identity in payload |
+| `RestAPIOperation` | api_call | high | `test-rest-api-operation.json-expected.json`: `event.action: RestAPIOperation`; vendor `rest_api_operation_type: ZSE6D5` retained | Only event with explicit API operator (`authorized_username`); sub-operation type vendor-only |
+| `SCEPChallenge` | authentication | high | `test-scep-challenge.json-expected.json`: `event.action: SCEPChallenge` | Certificate enrollment challenge; explicit `target_user`/`target_device` blocks |
+| `DeviceAddedToDEP` | administration | high |
`test-device-added-to-dep.json-expected.json`: `DeviceAddedToDEP` | Automated Device Enrollment record added |
+| `PushSent` | administration | high | `test-push-sent.json-expected.json`: `PushSent` | Generic push dispatch; minimal payload (`management_id`, `type`) |
+| `JSSStartup`, `JSSShutdown` | administration | high | `test-jss-startup.json-expected.json` / `test-jss-shutdown.json-expected.json` | Jamf Pro Server instance lifecycle; no managed device target |
+
+**No per-event action:** **`jamf_pro.inventory`** — periodic asset sync (`event.kind: asset`); documents describe current computer state, not a discrete MDM operation.
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `jamf_pro.events.webhook.webhook_event` → `event.action` | yes (22/22 fixtures) | yes | `ComputerAdded`, `ComputerCheckIn`, `RestAPIOperation`, `SCEPChallenge`, … (full webhook enum) | no | `default.yml` L175–178 `copy_from`; `sample_event.json` L24; every `*-expected.json` |
+| `jamf_pro.events.event.rest_api_operation_type` | no | n/a | `ZSE6D5` (fixture label) | partial | `RestAPIOperation` fixture; sub-operation within REST API call — could append or secondary-map for finer granularity |
+| `jamf_pro.events.event.event_actions.action` | no | n/a | `MCNFPQ` | partial | `ComputerPatchPolicyCompleted` fixture only; patch step action, not webhook type |
+| `jamf_pro.events.event.type` | no | n/a | push type on `PushSent` | partial | `PushSent` fixture; push channel/type, not webhook event name |
+| `jamf_pro.events.event.successful` / `.operation_successful` | no | n/a | — | no | Outcome flags on policy/patch/REST events; belong in `event.outcome`, not `event.action` |
+| `event.type` / `event.category` | n/a | n/a | — | no | Not set by events pipeline; do not substitute for `event.action` |
+
+**Step 2b — per-stream check:**
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `events` | yes (22/22) | yes | `jamf_pro.events.webhook.webhook_event` | high | `default.yml` L175–178; all pipeline test fixtures |
+| `inventory` | no | no | n/a (asset sync) | n/a | `event.kind: asset` only (`inventory/default.yml` L241–243); no webhook envelope |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Assigned device user (computer, flat payload) | user | — | medium | `ComputerAdded`, `ComputerInventoryCompleted`, `ComputerPushCapabilityChanged`: `username`/`email_address` → ECS `user.name`/`user.email`; `related.user` populated | **`jamf_pro.events`** — device ownership/location context, not the party that triggered the webhook |
+| Assigned device user (computer, nested `computer`) | user | — | medium | `ComputerCheckIn`, `ComputerPolicyFinished`, `ComputerPatchPolicyCompleted`: `event.computer.username`/`email_address` → ECS `user.*` (same semantics as flat) | Same stream; overlaps semantically with the affected endpoint |
+| Assigned device user (mobile device) | user | — | medium | `MobileDeviceEnrolled`, `MobileDeviceUnEnrolled`, `MobileDeviceCheckIn`, `MobileDeviceInventoryCompleted`, `MobileDeviceCommandCompleted`, `MobileDevicePushSent`: flat `username` → ECS `user.name`; email absent in fixtures | Same stream |
+| REST API operator | user | — | medium | `RestAPIOperation` only: `authorized_username` in `jamf_pro.events.event.authorized_username`; **not** mapped to ECS `user.*` | Same stream — only explicit human operator field in the integration |
+| Reporting managed endpoint (network origin) | host | — | medium | Device IP at `host.ip`/`host.address` with GeoIP on most computer/mobile lifecycle events; nested
`computer.ip_address` → `source.ip` on check-in/policy/patch events | Endpoint is telemetry source, not an authenticated actor; no `source.user.*` |
+| Jamf Pro Server instance | general | jamf-server | low | `JSSStartup`/`JSSShutdown`: `host_address`, `jss_url`, `institution`, `is_cluster_master` describe the server instance | Operational scope, not a human or API actor |
+
+Seven event types carry no username or operator field: `SmartGroupComputerMembershipChange`, `SmartGroupMobileDeviceMembershipChange`, `SmartGroupUserMembershipChange`, `DeviceAddedToDEP`, `PatchSoftwareTitleUpdated`, `PushSent`, `SCEPChallenge`. Actor identity is genuinely absent from those vendor payloads (SCEP includes `target_user`/`target_device` as targets, not actors).
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `user.name` | Assigned device user display name | yes (14/22 fixtures) | partial | medium | `copy_from: jamf_pro.events.event.username` then `event.computer.username` (L101–109); represents device-user context, not admin actor |
+| `user.email` | Assigned device user email | yes (10/22) | partial | medium | `copy_from: jamf_pro.events.event.email_address` then `event.computer.email_address` (L111–119) |
+| `related.user` | User identity enrichment bag | yes (14/22) | partial | medium | Appends `user.name` and `user.email` (L161–169); actor-only bag — no target user IDs |
+| `host.ip` / `host.address` / `host.geo` | Reporting endpoint IP | yes (16/22) | partial | medium | `event.ip_address` → `host.ip` (L81–86); `event.computer.reported_ip_address` overrides (L88–95); geoip on `host.ip` (L155–159); endpoint context, not actor |
+| `source.ip` | Nested computer network address | partial (3/22) | yes | medium | `convert` on `event.computer.ip_address` → `source.ip` (L180–186); `ComputerCheckIn`, `ComputerPolicyFinished`, `ComputerPatchPolicyCompleted` only |
+|
`jamf_pro.events.event.authorized_username` | REST API operator | no (vendor-only) | n/a | high | `RestAPIOperation` fixture; canonical human operator, not promoted to ECS |
+| `jamf_pro.events.event.computer.*` (identity fields) | Device + assigned-user vendor block | no (vendor-only, partial ECS copy) | n/a | high | Full nested computer retained; only `username`/`email_address`/`device_name`/`udid`/`reported_ip_address`/`ip_address`/`os_version` copied to ECS |
+
+No ECS `client.user.*`, `client.*`, or service-account mapping exists for API callers. Unlike IAM-style audit logs, Jamf webhooks rarely identify *who* initiated an action.
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Platform / cloud service | Jamf Pro MDM platform handling the operation | Jamf Pro | service | — | medium | No `cloud.service.name` or `cloud.provider` in pipeline; platform inferred from integration context and `event.action` (e.g.
`ComputerPolicyFinished`, `RestAPIOperation`) | On-prem or hosted Jamf Pro Server — not cloud-provider scoped |
+| 2 — Resource / object | Managed Apple endpoint acted upon | Mac or mobile device | host | — | high | Nested `event.computer.*` or flat device fields (`device_name`, `udid`, `serial_number`, `management_id`, `imei`); ECS `host.name`/`host.id` only when nested `computer` block present | Primary target across lifecycle, policy, and patch events |
+| 2 — Resource / object | Jamf configuration or catalog object | Smart group, policy, patch title, REST API entity, DEP record | general | smart-group, policy, patch-policy, software-title, api-object, dep-device | high | Vendor-only fields: `name`/`jssid`/`smart_group`, `policy_id`, `patch_policy_id`/`patch_policy_name`, `object_id`/`object_type_name`, DEP serial/model fields | No ECS `*.target.*` mapping |
+| 2 — Resource / object | SCEP enrollment subject | Device + user | host / user | — | high | `SCEPChallenge`: explicit `target_device` (UDID, serial, model, OS) and `target_user` (username, email, uid, uuid, dn) | Only fixture with Jamf-native `target_*` blocks |
+| 2 — Resource / object | Assigned user on device events | End-user account tied to hardware | user | — | medium | Same `username`/`email_address` promoted to ECS `user.*` on device lifecycle events | Functionally device-user context overlapping Layer 2 host target |
+| 3 — Content / artifact | Policy/patch execution outcome | success flag, deployed version, action | general | policy-outcome, patch-deployment | high | `ComputerPolicyFinished`: `policy_id`, `successful`; `ComputerPatchPolicyCompleted`: `deployed_version`, `event_actions.action`, `successful` | Describes operation result on Layer 2 object |
+| 3 — Content / artifact | Push notification dispatch | push type, management ID | general | push | medium | `PushSent`: `management_id`, `type` only; `MobileDevicePushSent`: full mobile device block as target | Minimal payload on generic push
event | +| 3 — Content / artifact | Webhook delivery metadata | webhook name, ID, timestamp | general | webhook-envelope | high | `jamf_pro.events.webhook.{webhook_event,id,name,event_timestamp}` on every event | Scopes the notification, not a durable entity | + +### Target (ECS candidates) + +| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `host.name` / `host.id` | 2 | host | partial (3/22) | yes | `host.target.name` / `host.target.id` | yes | `copy_from: event.computer.device_name` / `event.computer.udid` (L140–148); nested-computer events only — flat Mac and all mobile payloads skip these | +| `host.ip` / `host.geo` / `host.address` | 2 | host | yes (16/22) | partial | `host.target.ip` | yes | `event.ip_address` or `event.computer.reported_ip_address` → `host.ip` + geoip; populated for flat and nested payloads but semantically the affected endpoint | +| `jamf_pro.events.event.device_name` / `.udid` / `.serial_number` | 2 | host | no | n/a | `host.target.name` / `host.target.id` | yes | Flat computer/mobile payloads retain vendor identity; not copied to ECS `host.name`/`host.id` | +| `jamf_pro.events.event.computer.*` | 2 | host | partial | partial | `host.target.*` | yes | Full nested computer block retained; serial, MAC, model, management_id vendor-only | +| `user.name` / `user.email` | 2 | user | yes (14/22) | partial | `user.target.name` / `user.target.email` | yes | Assigned device user copied to actor ECS fields; on device events this is also the de-facto affected user | +| `jamf_pro.events.event.target_device.*` | 2 | host | no | n/a | `host.target.*` | yes | `SCEPChallenge` fixture; explicit vendor target block (`udid`, `serial_number`, `device_name`, `model`, OS) | +| `jamf_pro.events.event.target_user.*` | 2 | user | no | n/a | `user.target.*` | yes | `SCEPChallenge` fixture; explicit vendor target block 
(`username`, `email`, `uid`, `uuid`, `dn`) | +| `jamf_pro.events.event.{name,jssid,smart_group}` | 2 | general | no | n/a | `entity.target.*` | yes | Smart group membership change fixtures; group identity and membership deltas | +| `jamf_pro.events.event.policy_id` | 2 | general | no | n/a | `entity.target.id` | yes | `ComputerPolicyFinished`; policy object acted upon | +| `jamf_pro.events.event.{patch_policy_id,patch_policy_name,software_title_id}` | 2 | general | no | n/a | `entity.target.*` | yes | `ComputerPatchPolicyCompleted`, `PatchSoftwareTitleUpdated` | +| `jamf_pro.events.event.{object_id,object_name,object_type_name,rest_api_operation_type}` | 2 | general | no | n/a | `entity.target.*` | yes | `RestAPIOperation`; REST API resource target | +| `jamf_pro.events.event.{serial_number,model,asset_tag,description}` | 2 | general | no | n/a | `entity.target.*` | yes | `DeviceAddedToDEP`; DEP enrollment record | +| `jamf_pro.events.event.{successful,deployed_version,event_actions.action}` | 3 | general | no | n/a | context-only | no | Policy/patch outcome metadata | +| `event.action` | 1 | service | yes | yes (action context) | context-only | no | Webhook event type copied verbatim from `webhook.webhook_event` (PascalCase, e.g. `ComputerAdded`) | +| `jamf_pro.events.event.{jss_url,host_address,institution,is_cluster_master}` | 2 | general | no | n/a | `entity.target.*` (server instance) | yes | `JSSStartup`/`JSSShutdown`; Jamf server as operational target | + +No `destination.user.*` or `destination.host.*` de-facto targets — unlike email/auth integrations, Jamf does not use destination fields for acted-upon entities. + +### Gaps and mapping notes + +- **No ECS `*.target.*` today** — all affected entities stay vendor-side under `jamf_pro.events.event.*` or partially in `host.*`/`user.*`. 
Enhancement: map nested `computer.udid`/`device_name` and flat `udid`/`device_name` to `host.target.*`; map assigned user fields to `user.target.*` (separate from actor); map SCEP `target_device`/`target_user` to official target buckets. +- **`user.*` conflates actor and target on device events** — pipeline promotes assigned device user to ECS `user.*` (actor field set) when semantically the user is often the affected party (`Mapping correct?`: partial). Only `RestAPIOperation.authorized_username` is a true operator, and it stays vendor-only. +- **`host.name`/`host.id` mapping gap for flat payloads** — pipeline copies only from `event.computer.*` (L140–148); flat Mac events (`ComputerAdded`, etc.) and all mobile events retain `device_name`/`udid` vendor-side without ECS `host.name`/`host.id`. +- **Vendor `target_*` blocks unmapped** — `SCEPChallenge` is the only fixture with explicit Jamf-native `target_user` and `target_device`; flagged in `vendor_target_special_cases.csv` as `likely_user_target_or_entity` / `likely_host_target_or_entity`. +- **No `destination.user.*` / `destination.host.*`** — pipeline has no destination-identity processors; target-fields audit `pipeline_dest_identity=false`. +- **`related.user` is actor/context-only** — appends assigned user name/email; smart group `group_added_user_ids`/`group_removed_user_ids` and device membership deltas are not in `related.*`. +- **Actor absent on 7/22 event types** — smart group, DEP, patch catalog, push, JSS, and SCEP events carry targets or scope only; no administrator or API client identity in vendor payload. +- **Target-fields audit alignment** — `moderate_candidate` with `fixture_strong=true` (SCEP vendor targets) and `pipeline_actor=false` despite `user.*` population; reflects that assigned device user is not a security principal actor. 
+- **`event.action` well covered on events stream** — all 22 webhook fixtures populate `event.action` from `webhook.webhook_event` (`default.yml` L175–178); mapping is semantically correct. Optional enhancement: normalize PascalCase to lowercase/snake_case for ECS convention, or map secondary sub-actions (`rest_api_operation_type`, `event_actions.action`) when finer granularity is needed. +- **No `event.action` on inventory** — correct for asset sync; `event.kind: asset` only. + +### Per-stream notes + +#### `jamf_pro.events` + +Real-time webhook notifications received via HTTP endpoint listener. 22 pipeline test fixtures covering computer/mobile lifecycle, policy/patch execution, smart group membership, REST API operations, SCEP, DEP, push, and JSS startup/shutdown. **`event.action`** is set on every fixture from `jamf_pro.events.webhook.webhook_event` (PascalCase Jamf webhook enum). Dual payload shapes: flat device fields at event root vs nested `event.computer` object — ECS mapping differs (`host.name`/`host.id` and `source.ip` only for nested computer). Webhook metadata (`jamf_pro.events.webhook.*`) scopes every event. Targets are predominantly managed Apple endpoints; configuration objects (smart groups, policies, patch titles, REST API entities) remain vendor-namespaced. + +#### `jamf_pro.inventory` + +Periodic computer asset records polled from `/v1/computers-inventory` API (`event.kind: asset`). Maps inventory subject to `host.*`, `user.*` (from `user_and_location`), and `os.*` — these describe the **asset record**, not audit actor/target semantics for a specific action. Actor/target classification for audit purposes does not apply; use inventory fields for fleet compliance and asset correlation instead. + +## Example Event Graph + +Examples below come from **`jamf_pro.events`** webhook fixtures — operational MDM lifecycle notifications that are audit-adjacent but rarely name the administrator or API client that triggered the change. 
The **`jamf_pro.inventory`** stream is periodic asset sync (`event.kind: asset`) with no per-event actor/action/target chain; no graph examples are shown for inventory. + +### Example 1: REST API operation + +**Stream:** `jamf_pro.events` · **Fixture:** `packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-rest-api-operation.json-expected.json` + +``` +REST API operator (John Doe) → RestAPIOperation → Jamf API object (QOLQ7) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| name | John Doe | +| type | user | + +**Field sources:** +- `name ← jamf_pro.events.event.authorized_username` (vendor-only; not promoted to ECS `user.*`) + +#### Event action + +| Field | Value | +| --- | --- | +| action | RestAPIOperation | +| source_field | `event.action` | +| source_value | `RestAPIOperation` | + +#### Target + +| Field | Value | +| --- | --- | +| id | 380 | +| name | QOLQ7 | +| type | general | +| sub_type | api-object | + +**Field sources:** +- `id ← jamf_pro.events.event.object_id` +- `name ← jamf_pro.events.event.object_name` +- `sub_type ← jamf_pro.events.event.object_type_name` (value `I1YH0`) + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: John Doe"] --> E["RestAPIOperation"] + E --> T["Target: QOLQ7 (api-object)"] +``` + +### Example 2: Policy finished on managed Mac + +**Stream:** `jamf_pro.events` · **Fixture:** `packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-computer-policy-finished.json-expected.json` + +No administrator or API operator is indexed — the assigned device user is scope metadata on the Mac, not the actor who executed the policy. 
+ +``` +Jamf Pro (service) → ComputerPolicyFinished → Mac GBTN2 +``` + +#### Actor + +| Field | Value | +| --- | --- | +| name | Jamf Pro | +| type | service | + +**Field sources:** +- `name` ← semantic — MDM policy engine that ran the policy; **not indexed** as an actor principal in fixture (no `authorized_username` or API caller) + +#### Event action + +| Field | Value | +| --- | --- | +| action | ComputerPolicyFinished | +| source_field | `event.action` | +| source_value | `ComputerPolicyFinished` | + +#### Target + +| Field | Value | +| --- | --- | +| id | 5836625775 | +| name | GBTN2 | +| type | host | +| ip | 89.160.20.156 | +| geo | Linköping, Sweden | + +**Field sources:** +- `id ← host.id` ← `jamf_pro.events.event.computer.udid` +- `name ← host.name` ← `jamf_pro.events.event.computer.device_name` +- `ip ← host.ip` ← `jamf_pro.events.event.computer.reported_ip_address` +- `geo ← host.geo.city_name, host.geo.country_name` + +**Scope context (not target):** assigned user John Doe (`user.name`, `jamf_pro.events.event.computer.username`); policy `217` (`jamf_pro.events.event.policy_id`). + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: Jamf Pro"] --> E["ComputerPolicyFinished"] + E --> T["Target: GBTN2"] +``` + +### Example 3: Computer added to Jamf + +**Stream:** `jamf_pro.events` · **Fixture:** `packages/jamf_pro/data_stream/events/sample_event.json` + +Enrollment webhooks name the device being added, not the administrator or enrollment agent that performed the add. 
Using the assigned user as actor would read “user adds themselves to inventory.” + +``` +Jamf Pro (service) → ComputerAdded → Mac VPNYC +``` + +#### Actor + +| Field | Value | +| --- | --- | +| name | Jamf Pro | +| type | service | + +**Field sources:** +- `name` ← semantic — MDM enrollment/inventory service; **not indexed** as an actor principal in fixture (flat payload has no `authorized_username`) + +#### Event action + +| Field | Value | +| --- | --- | +| action | ComputerAdded | +| source_field | `event.action` | +| source_value | `ComputerAdded` | + +#### Target + +| Field | Value | +| --- | --- | +| id | 7265694772 | +| name | VPNYC | +| type | host | +| ip | 89.160.20.156 | +| geo | Linköping, Sweden | + +**Field sources:** +- `id ← jamf_pro.events.event.udid` (vendor-only; flat payload — `host.id` not populated) +- `name ← jamf_pro.events.event.device_name` (vendor-only; flat payload — `host.name` not populated) +- `ip ← host.ip` ← `jamf_pro.events.event.ip_address` +- `geo ← host.geo.city_name, host.geo.country_name` + +**Scope context (not target):** assigned user John Doe (`user.name`, `jamf_pro.events.event.username`). + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: Jamf Pro"] --> E["ComputerAdded"] + E --> T["Target: VPNYC"] +``` + +## ES|QL Entity Extraction + +**Package type: agent-backed** (`policy_templates`, `data_stream/events` and `data_stream/inventory` with Tier A fixtures). Router: **`data_stream.dataset`** (`jamf_pro.events`, `jamf_pro.inventory` per `sample_event.json`). Secondary discriminator: **`event.action`** (PascalCase `webhook_event` copied to `event.action` on all 22 events fixtures). 
Pass 4 is **fill-gaps-only**: detection flags run first; mapped columns use **column-level** `CASE( IS NOT NULL, , …)` with valid **3-arg** / **5-arg** / **7-arg** / **9-arg** / **13-arg** forms — never **4-arg** `CASE(actor_exists, col, bare_field, null)` or `CASE(col IS NOT NULL, col, bare_field, null)` (bare field parses as a **condition**, not a value). Do not use `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` on mapped columns (Pass 4 §10). Ingest promotes assigned device users to `user.name` / `user.email` (scope metadata, not operators) — **ingest-only — no ES|QL** on those columns; **`user.name` preserve is gated to `RestAPIOperation` only** so ingest assigned-user `user.name` is not treated as operator identity. **`actor_exists` excludes ingest `user.*`** except `RestAPIOperation` with promoted `user.name`. **`service.name`** `"Jamf Pro"` literal when operator absent (Pass 3). **`event.action`** ingest-only (all 22 fixtures). **`jamf_pro.inventory`** excluded (asset sync). **Pass 4 (tautology cleanup):** no `CASE(col, col, …)` identity fallbacks. 
+ +### Dataset inventory + +| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction | +| --- | --- | --- | --- | --- | +| `jamf_pro.events` | MDM webhooks | user, service | host, user, general | full | +| `jamf_pro.inventory` | asset inventory | — | — | none | + +### Field mapping plan + +#### Actor mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `user.name` | `jamf_pro.events.event.authorized_username` | `data_stream.dataset == "jamf_pro.events" AND event.action == "RestAPIOperation"` | high | **column-level preserve** (`user.name IS NOT NULL AND event.action == "RestAPIOperation"`); **vendor fallback** — only explicit operator; device-event ingest `user.name` is **not** preserved (assigned user scope) | +| `service.name` | `"Jamf Pro"` | `data_stream.dataset == "jamf_pro.events" AND event.action != "RestAPIOperation"` | medium | **column-level preserve** (`service.name IS NOT NULL`); **semantic literal** — MDM engine when operator absent (Pass 3) | + +#### Target mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `host.target.id` | `host.id` | `data_stream.dataset == "jamf_pro.events" AND host.id IS NOT NULL` | high | **column-level preserve** (`host.target.id IS NOT NULL`); **vendor fallback** — nested `event.computer` (3/22 fixtures) | +| `host.target.id` | `jamf_pro.events.event.udid` | `data_stream.dataset == "jamf_pro.events" AND host.id IS NULL AND jamf_pro.events.event.udid IS NOT NULL` | high | **column-level preserve**; **vendor fallback** — flat/mobile payloads | +| `host.target.id` | `jamf_pro.events.event.target_device.udid` | `data_stream.dataset == "jamf_pro.events" AND event.action == "SCEPChallenge"` | high | **column-level preserve**; **vendor fallback** — explicit `target_device` block | +| `host.target.name` | `host.name` | 
`data_stream.dataset == "jamf_pro.events" AND host.name IS NOT NULL` | high | **column-level preserve** (`host.target.name IS NOT NULL`); **vendor fallback** — nested computer | +| `host.target.name` | `jamf_pro.events.event.device_name` | `data_stream.dataset == "jamf_pro.events" AND host.name IS NULL AND jamf_pro.events.event.device_name IS NOT NULL` | high | **column-level preserve**; **vendor fallback** — flat/mobile | +| `host.target.name` | `jamf_pro.events.event.target_device.device_name` | `data_stream.dataset == "jamf_pro.events" AND event.action == "SCEPChallenge"` | high | **column-level preserve**; **vendor fallback** — SCEP fixture | +| `host.target.ip` | `host.ip` | `data_stream.dataset == "jamf_pro.events" AND host.ip IS NOT NULL` | high | **column-level preserve** (`host.target.ip IS NOT NULL`); **de-facto** — affected endpoint IP at ingest (`host.ip` → `host.target.ip`) | +| `user.target.name` | `jamf_pro.events.event.target_user.username` | `data_stream.dataset == "jamf_pro.events" AND event.action == "SCEPChallenge"` | high | **column-level preserve** (`user.target.name IS NOT NULL`); **vendor fallback** — not ingest `user.*` (SCEP has no assigned user) | +| `user.target.email` | `jamf_pro.events.event.target_user.email` | `data_stream.dataset == "jamf_pro.events" AND event.action == "SCEPChallenge"` | high | **column-level preserve** (`user.target.email IS NOT NULL`); **vendor fallback** | +| `entity.target.id` | `jamf_pro.events.event.object_id` | `data_stream.dataset == "jamf_pro.events" AND event.action == "RestAPIOperation"` | high | **column-level preserve** (`entity.target.id IS NOT NULL`); **vendor fallback** | +| `entity.target.id` | `jamf_pro.events.event.policy_id` | `data_stream.dataset == "jamf_pro.events" AND event.action == "ComputerPolicyFinished"` | high | **column-level preserve**; **vendor fallback** | +| `entity.target.id` | `jamf_pro.events.event.jssid` | `data_stream.dataset == "jamf_pro.events" AND event.action IN 
("SmartGroupComputerMembershipChange", "SmartGroupMobileDeviceMembershipChange", "SmartGroupUserMembershipChange")` | high | **column-level preserve**; **vendor fallback** — smart group ID | +| `entity.target.id` | `jamf_pro.events.event.serial_number` | `data_stream.dataset == "jamf_pro.events" AND event.action == "DeviceAddedToDEP"` | high | **column-level preserve**; **vendor fallback** | +| `entity.target.id` | `jamf_pro.events.event.patch_policy_id` | `data_stream.dataset == "jamf_pro.events" AND event.action == "ComputerPatchPolicyCompleted"` | high | **column-level preserve**; **vendor fallback** | +| `entity.target.name` | `jamf_pro.events.event.object_name` | `data_stream.dataset == "jamf_pro.events" AND event.action == "RestAPIOperation"` | high | **column-level preserve** (`entity.target.name IS NOT NULL`); **vendor fallback** | +| `entity.target.name` | `jamf_pro.events.event.name` | `data_stream.dataset == "jamf_pro.events" AND event.action IN ("SmartGroupComputerMembershipChange", "SmartGroupMobileDeviceMembershipChange", "SmartGroupUserMembershipChange")` | high | **column-level preserve**; **vendor fallback** | +| `entity.target.name` | `jamf_pro.events.event.jss_url` | `data_stream.dataset == "jamf_pro.events" AND event.action IN ("JSSStartup", "JSSShutdown")` | medium | **column-level preserve**; **vendor fallback** — server instance target | +| `entity.target.sub_type` | `jamf_pro.events.event.object_type_name` | `data_stream.dataset == "jamf_pro.events" AND event.action == "RestAPIOperation"` | high | **column-level preserve** (`entity.target.sub_type IS NOT NULL`); **vendor fallback** — API object type label | + +### Detection flags (mandatory — run first) + +`actor_exists` **omits ingest `user.name` / `user.email`** on device lifecycle events — those fields hold assigned device user scope, not operators (`Pass 2` partial mapping). Only `RestAPIOperation` may count `user.name` if promoted later. 
**`host.ip` / `host.name` / `host.id` are excluded** from `actor_exists` (reporting endpoint context, not authenticated principals). **Actor/target `EVAL` blocks use column-level preserve** (` IS NOT NULL`, with `event.action` guard on `user.name`) — not `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` — so `target_exists` from one `*.target.*` column does not block `host.target.name` fallbacks when only `host.id` is populated (Pass 4 §10). + +**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. Use **5-arg** `CASE(user.name IS NOT NULL AND event.action == "RestAPIOperation", user.name, data_stream.dataset == "jamf_pro.events" AND event.action == "RestAPIOperation", jamf_pro.events.event.authorized_username, null)` — not **4-arg** `CASE(actor_exists, user.name, jamf_pro.events.event.authorized_username, null)` (`authorized_username` is a **condition**) or `CASE(user.name IS NOT NULL, user.name, jamf_pro.events.event.authorized_username, null)` (bare vendor field as 3rd arg is a **condition**). + +```esql +| EVAL + actor_exists = (user.name IS NOT NULL AND event.action == "RestAPIOperation") + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +``` + +### Combined ES|QL — actor fields + +Omitted from actor `EVAL` (ingest-only — no alternate query-time source): device-event `user.name`, `user.email` (assigned user scope; Pass 2 partial). 
+ +```esql +| EVAL + user.name = CASE( + user.name IS NOT NULL AND event.action == "RestAPIOperation", user.name, + data_stream.dataset == "jamf_pro.events" AND event.action == "RestAPIOperation", jamf_pro.events.event.authorized_username, + null + ), + service.name = CASE( + service.name IS NOT NULL, service.name, + data_stream.dataset == "jamf_pro.events" AND event.action != "RestAPIOperation", "Jamf Pro", + null + ) +``` + +### Combined ES|QL — event action + +Omitted — `event.action` is populated on all 22 events-stream fixtures via ingest `copy_from: jamf_pro.events.webhook.webhook_event` (`default.yml` L175–178). No query-time fallback when `action_exists` is true. + +### Combined ES|QL — target fields + +```esql +| EVAL + host.target.id = CASE( + host.target.id IS NOT NULL, host.target.id, + data_stream.dataset == "jamf_pro.events" AND host.id IS NOT NULL, host.id, + data_stream.dataset == "jamf_pro.events" AND jamf_pro.events.event.udid IS NOT NULL, jamf_pro.events.event.udid, + data_stream.dataset == "jamf_pro.events" AND event.action == "SCEPChallenge", jamf_pro.events.event.target_device.udid, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "jamf_pro.events" AND host.name IS NOT NULL, host.name, + data_stream.dataset == "jamf_pro.events" AND jamf_pro.events.event.device_name IS NOT NULL, jamf_pro.events.event.device_name, + data_stream.dataset == "jamf_pro.events" AND event.action == "SCEPChallenge", jamf_pro.events.event.target_device.device_name, + null + ), + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset == "jamf_pro.events" AND host.ip IS NOT NULL, host.ip, + null + ), + user.target.name = CASE( + user.target.name IS NOT NULL, user.target.name, + data_stream.dataset == "jamf_pro.events" AND event.action == "SCEPChallenge", jamf_pro.events.event.target_user.username, + null + ), + user.target.email = CASE( + user.target.email IS NOT NULL, 
user.target.email, + data_stream.dataset == "jamf_pro.events" AND event.action == "SCEPChallenge", jamf_pro.events.event.target_user.email, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "jamf_pro.events" AND event.action == "RestAPIOperation", jamf_pro.events.event.object_id, + data_stream.dataset == "jamf_pro.events" AND event.action == "ComputerPolicyFinished", jamf_pro.events.event.policy_id, + data_stream.dataset == "jamf_pro.events" AND event.action IN ("SmartGroupComputerMembershipChange", "SmartGroupMobileDeviceMembershipChange", "SmartGroupUserMembershipChange"), jamf_pro.events.event.jssid, + data_stream.dataset == "jamf_pro.events" AND event.action == "DeviceAddedToDEP", jamf_pro.events.event.serial_number, + data_stream.dataset == "jamf_pro.events" AND event.action == "ComputerPatchPolicyCompleted", jamf_pro.events.event.patch_policy_id, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "jamf_pro.events" AND event.action == "RestAPIOperation", jamf_pro.events.event.object_name, + data_stream.dataset == "jamf_pro.events" AND event.action IN ("SmartGroupComputerMembershipChange", "SmartGroupMobileDeviceMembershipChange", "SmartGroupUserMembershipChange"), jamf_pro.events.event.name, + data_stream.dataset == "jamf_pro.events" AND event.action IN ("JSSStartup", "JSSShutdown"), jamf_pro.events.event.jss_url, + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "jamf_pro.events" AND event.action == "RestAPIOperation", jamf_pro.events.event.object_type_name, + null + ) +``` + +### Full pipeline fragment (optional) + +```esql +FROM logs-* +| EVAL + actor_exists = (user.name IS NOT NULL AND event.action == "RestAPIOperation") + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists 
= user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +| EVAL + user.name = CASE(user.name IS NOT NULL AND event.action == "RestAPIOperation", user.name, data_stream.dataset == "jamf_pro.events" AND event.action == "RestAPIOperation", jamf_pro.events.event.authorized_username, null), + service.name = CASE(service.name IS NOT NULL, service.name, data_stream.dataset == "jamf_pro.events" AND event.action != "RestAPIOperation", "Jamf Pro", null), + host.target.id = CASE(host.target.id IS NOT NULL, host.target.id, data_stream.dataset == "jamf_pro.events" AND host.id IS NOT NULL, host.id, data_stream.dataset == "jamf_pro.events" AND jamf_pro.events.event.udid IS NOT NULL, jamf_pro.events.event.udid, data_stream.dataset == "jamf_pro.events" AND event.action == "SCEPChallenge", jamf_pro.events.event.target_device.udid, null), + host.target.name = CASE(host.target.name IS NOT NULL, host.target.name, data_stream.dataset == "jamf_pro.events" AND host.name IS NOT NULL, host.name, data_stream.dataset == "jamf_pro.events" AND jamf_pro.events.event.device_name IS NOT NULL, jamf_pro.events.event.device_name, data_stream.dataset == "jamf_pro.events" AND event.action == "SCEPChallenge", jamf_pro.events.event.target_device.device_name, null), + host.target.ip = CASE(host.target.ip IS NOT NULL, host.target.ip, data_stream.dataset == "jamf_pro.events" AND host.ip IS NOT NULL, host.ip, null), + user.target.name = CASE(user.target.name IS NOT NULL, user.target.name, data_stream.dataset == "jamf_pro.events" AND event.action == "SCEPChallenge", jamf_pro.events.event.target_user.username, null), + user.target.email = CASE(user.target.email IS NOT NULL, user.target.email, 
data_stream.dataset == "jamf_pro.events" AND event.action == "SCEPChallenge", jamf_pro.events.event.target_user.email, null), + entity.target.id = CASE(entity.target.id IS NOT NULL, entity.target.id, data_stream.dataset == "jamf_pro.events" AND event.action == "RestAPIOperation", jamf_pro.events.event.object_id, data_stream.dataset == "jamf_pro.events" AND event.action == "ComputerPolicyFinished", jamf_pro.events.event.policy_id, data_stream.dataset == "jamf_pro.events" AND event.action IN ("SmartGroupComputerMembershipChange", "SmartGroupMobileDeviceMembershipChange", "SmartGroupUserMembershipChange"), jamf_pro.events.event.jssid, data_stream.dataset == "jamf_pro.events" AND event.action == "DeviceAddedToDEP", jamf_pro.events.event.serial_number, data_stream.dataset == "jamf_pro.events" AND event.action == "ComputerPatchPolicyCompleted", jamf_pro.events.event.patch_policy_id, null), + entity.target.name = CASE(entity.target.name IS NOT NULL, entity.target.name, data_stream.dataset == "jamf_pro.events" AND event.action == "RestAPIOperation", jamf_pro.events.event.object_name, data_stream.dataset == "jamf_pro.events" AND event.action IN ("SmartGroupComputerMembershipChange", "SmartGroupMobileDeviceMembershipChange", "SmartGroupUserMembershipChange"), jamf_pro.events.event.name, data_stream.dataset == "jamf_pro.events" AND event.action IN ("JSSStartup", "JSSShutdown"), jamf_pro.events.event.jss_url, null), + entity.target.sub_type = CASE(entity.target.sub_type IS NOT NULL, entity.target.sub_type, data_stream.dataset == "jamf_pro.events" AND event.action == "RestAPIOperation", jamf_pro.events.event.object_type_name, null) +| KEEP @timestamp, data_stream.dataset, event.action, user.name, service.name, host.target.name, host.target.id, host.target.ip, user.target.name, entity.target.id, entity.target.name +``` + +### Streams excluded + +- **`jamf_pro.inventory`** — periodic computer asset records (`event.kind: asset`); describes fleet state, not a discrete MDM operation 
with actor/target/action. + +### Gaps and limitations + +- **Pass 4 CASE syntax** — all `CASE` use odd-arity defaults (`null`); column-level **5-arg** / **7-arg** / **9-arg** / **13-arg** preserve (` IS NOT NULL`, not `CASE(actor_exists|target_exists, , …)`); `user.name` preserve gated with `event.action == "RestAPIOperation"` so ingest assigned-user `user.name` is not a no-op preserve; full pipeline fragment aligned with combined `EVAL` blocks. +- **Pass 4 tautology cleanup** — no `CASE(col, col, …)` identity fallbacks; device-event `user.email` omitted from actor `EVAL`; `event.action` ingest-only. +- **Ingest `user.*` on device events** — assigned device user remains in `user.*` at ingest (Pass 2 partial); Pass 4 does not promote it to `user.target.*` on lifecycle events (Pass 3: scope context, not target). +- **`PushSent` / `PatchSoftwareTitleUpdated`** — minimal vendor payloads; no host identity fields in fixtures — host target columns omitted when fields absent. +- **`user.id` / `user.domain`** — not indexed; `target_user.uuid` vendor-only on SCEP. +- **`service.target.*`** — platform (Jamf Pro) modeled as **service actor** literal, not service target. +- **7/22 event types** — no operator in vendor payload; rely on `service.name` `"Jamf Pro"` actor literal. +- **Pass 2 alignment** — ingest-time `host.target.*` / `user.target.*` from nested `computer.*`, flat `udid`/`device_name`, and SCEP `target_*` blocks remain the preferred long-term fix; Pass 4 fills gaps without overwriting populated values. diff --git a/dev/domain/p1/linux.md b/dev/domain/p1/linux.md new file mode 100644 index 00000000000..7d1dbd86d1b --- /dev/null +++ b/dev/domain/p1/linux.md 
@@ -0,0 +1,266 @@
+# linux
+
+## Product Domain
+
+Linux host observability covers the health, performance, and security posture of servers running the Linux kernel. Operators need visibility into resource utilization, kernel subsystems, running services, network activity, and interactive user sessions to keep infrastructure reliable and to detect anomalies. This domain spans system logs (syslog, journald, audit), time-series metrics from `/proc` and other kernel interfaces, and security-relevant signals such as login sessions, open sockets, and connection-tracking state.
+
+The Elastic **Linux Metrics** integration targets the metrics slice of that domain. It runs on Elastic Agent and collects low-level, Linux-specific measurements directly from the local host—primarily via `/proc`, systemd/logind, and netfilter conntrack interfaces. Unlike cross-platform system integrations, it emphasizes kernel- and distro-specific counters that matter on Linux: memory fragmentation, KSM deduplication, RAID array health, per-disk I/O, entropy pool availability, and protocol-level network summaries.
+
+Collection is agent-based and always scoped to the machine where the agent runs; no remote `hosts` configuration is required. In containerized deployments, the host's proc filesystem can be exposed through the `system.hostfs` setting (for example `/hostfs`). Data is indexed as ECS-aligned metrics and visualized in Kibana dashboards such as the Host Services Overview, supporting alerting and troubleshooting for Linux infrastructure teams.
+
+While broader Linux observability also includes log and endpoint-security pipelines (handled by separate integrations such as System, Auditd, or Elastic Defend), this package complements those sources with granular host metrics that expose kernel and service state not always visible in log lines alone.
+
+## Data Collected (brief)
+
+Metrics only (no logs or security events). Eleven data streams:
+
+| Data stream | Description |
+|---|---|
+| **conntrack** | Netfilter connection-tracking performance counters |
+| **entropy** | Available cryptographic entropy (bits and pool percentage) |
+| **iostat** | Per-disk I/O statistics (equivalent to `iostat -x`) |
+| **ksm** | Kernel Samepage Merging statistics |
+| **memory** | Linux-specific memory metrics (Huge Pages, paging) |
+| **network_summary** | Global network I/O counters by protocol (TCP, UDP, ICMP, IP) |
+| **pageinfo** | Memory paging and fragmentation stats from `/proc/pagetypeinfo` and buddyinfo |
+| **raid** | Software RAID device status, disk counts, sync progress |
+| **service** | systemd unit state, resource usage (CPU, memory, network), and uptime |
+| **socket** | New TCP socket events with local/remote endpoints and owning process |
+| **users** | Logged-in users and sessions via systemd logind/dbus |
+
+All streams include standard ECS host, cloud, and container metadata where applicable.
+
+## Expected Audit Log Entities
+
+The **Linux Metrics** integration collects **metrics only** (`type: metrics` on all eleven data streams per `data_stream/*/manifest.yml`; no log inputs, ingest pipelines, `sample_event.json`, or `*-expected.json` fixtures under `packages/linux/`). It does not emit audit logs, authentication events, or administrative action records. All streams are periodic host telemetry or state snapshots—not discrete auditable actions. Actor/target semantics below describe **security-adjacent identity and endpoint signals** useful for correlation, not principals or objects from an audit trail. For true Linux audit telemetry, use separate integrations (System auth logs, Auditd, Sysmon for Linux, Elastic Defend). No ECS `*.target.*` fields are declared or populated (`out/target_fields_audit.csv` has no `linux` row). The target-fields audit classified this package as **`none`** for actor/target enhancement (`out/target_enhancement_packages.csv`). `linux` does not appear in `out/destination_identity_hits.csv` (no `destination.user.*` / `destination.host.*` usage).
+
+**`event.action` is absent across all streams.** No ECS `event.action` declaration in any `fields/ecs.yml` or `fields/base-fields.yml`; grep of `packages/linux/` finds no pipeline or fixture mapping. Declared event fields are limited to `event.module`, `event.dataset`, and `event.duration` (`data_stream/*/fields/base-fields.yml`, `ecs.yml`). Metrics streams have **no per-event verb** — state gauges and counters describe *what is*, not *what happened*.
+
+### Event action (semantic)
+
+No stream records a discrete security or administrative action. All eleven data streams are `type: metrics` with `event.kind: metric` semantics (implicit via data stream type; not declared as ECS `event.kind` in field schemas).
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| *(none — metrics-only)* | n/a | high | No `event.action` in package; no log inputs or audit API | **All 11 streams** — periodic polls or gauge snapshots, not action events |
+| Implicit TCP socket observation | detection | low | `docs/README.md` Socket: "reports an event for each new TCP socket" via `/proc` polling | **`linux.socket`** — discovery of new sockets, not a named operation; no vendor action field |
+| Session state snapshot | n/a | high | `system.users.state`, `system.users.type` (`users/fields/fields.yml`) | **`linux.users`** — current logind session metadata, not login/logout events |
+| Service state snapshot | n/a | high | `system.service.state`, `system.service.sub_state`, `system.service.load_state` (`service/fields/fields.yml`) | **`linux.service`** — systemd unit state gauge, not start/stop/restart actions |
+| RAID sync status | n/a | high | `system.raid.sync_action` (`raid/fields/fields.yml`) | **`linux.raid`** — current sync operation label on array (e.g. `resync`), not a discrete audit event |
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `event.action` | no | n/a | — | no | Not declared in any `ecs.yml`; no ingest pipeline |
+| `event.module` | no | n/a | `linux` (constant) | no | `base-fields.yml` — module identifier, not an operation verb |
+| `event.dataset` | no | n/a | e.g. `linux.socket` (constant per stream) | no | `base-fields.yml` — stream identifier, not an operation verb |
+| `system.raid.sync_action` | no | n/a | — (no fixtures) | no | `raid/fields/fields.yml` — RAID array sync-state dimension, not an auditable action |
+| `system.service.state` / `.sub_state` / `.load_state` | no | n/a | — (no fixtures) | no | `service/fields/fields.yml` — unit state gauges, not lifecycle events |
+| `system.users.state` / `.type` | no | n/a | — (no fixtures) | no | `users/fields/fields.yml` — session metadata, not auth actions |
+| *(inferred)* `tcp-socket-opened` | no | n/a | — | no | **`linux.socket`** — README describes new-socket detection but agent emits no action label; mapping would be speculative |
+
+No enhancement to `event.action` is recommended for this package. Metrics-only design; action semantics belong in log-based integrations (System auth, Auditd, Sysmon for Linux, Elastic Defend).
+
+#### Per-stream `event.action` check
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| conntrack | no (no fixtures) | no (no pipeline) | — | high | Kernel counter gauges only |
+| entropy | no | no | — | high | Entropy pool gauge |
+| iostat | no | no | — | high | Per-disk I/O metrics |
+| ksm | no | no | — | high | KSM page-sharing counters |
+| memory | no | no | — | high | Memory/paging gauges |
+| network_summary | no | no | — | high | Protocol-level network counters |
+| pageinfo | no | no | — | high | Buddy/page-type gauges |
+| raid | no | no | `system.raid.sync_action` (state label, not action) | high | `raid/fields/fields.yml` |
+| service | no | no | `system.service.state` (state gauge, not action) | high | `service/fields/fields.yml` |
+| socket | no | no | — (implicit socket discovery only) | high | `docs/README.md`; no action field in schema |
+| users | no | no | `system.users.state` (session state, not action) | high | `users/fields/fields.yml` |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Monitored host | host | — | high | `host.*`, `agent.*`, `cloud.*`, `container.*` on all streams (`data_stream/*/fields/agent.yml`, `base-fields.yml`) | **All 11 streams** — collection scope where the agent runs; not an audit principal |
+| Interactive logind session | user | — | low | `system.users.id`, `system.users.type`, `system.users.state`, `system.users.remote`, `system.users.leader` (`users/fields/fields.yml`; `docs/README.md` Users) | **`linux.users`** — logind session snapshot; **no** ECS `user.name`/`user.id` on this stream |
+| Remote session origin | host | — | low | `source.ip`, `source.port` (`users/fields/ecs.yml`); `system.users.remote_host` (`users/fields/fields.yml`) | **`linux.users`** — client endpoint when `system.users.remote=true`; username not in schema |
+| Socket-owning user | user | — | moderate | `user.id`, `user.full_name` (`socket/fields/ecs.yml`; `docs/README.md` Socket) | **`linux.socket`** — UID/username of process owning a new TCP socket when resolvable from `/proc` |
+| Socket-owning process | general | process | high | `process.pid`, `process.name`, `process.executable`, `system.socket.process.cmdline` (`socket/fields/ecs.yml`, `fields.yml`) | **`linux.socket`** — strongest actor surrogate; one doc per newly detected TCP socket |
+| systemd unit (workload) | service | systemd unit | high | `system.service.name`, `systemd.unit`, `systemd.fragment_path` (`service/fields/fields.yml`) | **`linux.service`** — monitored daemon; not a human actor |
+| Service main process | general | process | moderate | `process.pid`, `process.name`, `process.ppgid`, `process.working_directory` (`service/fields/ecs.yml`) | **`linux.service`** — unit main process when agent resolves it |
+
+**No actor identity:** `conntrack`, `entropy`, `iostat`, `ksm`, `memory`, `network_summary`, `pageinfo`, `raid` — kernel, disk, and aggregate network counters only; `host.*` metadata is collection context, not a security principal.
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `host.name`, `host.hostname`, `host.id`, `host.ip` | Collection host identity | unknown (no fixtures) | n/a | high | Declared on `service/fields/ecs.yml`; `agent.yml` / `base-fields.yml` on all streams |
+| `agent.id`, `agent.name` | Elastic Agent collector | unknown (no fixtures) | n/a | high | `data_stream/*/fields/agent.yml` |
+| `cloud.*`, `container.*` | Deployment scope | unknown (no fixtures) | n/a | moderate | `agent.yml` on all streams |
+| `user.id`, `user.full_name` | Socket owner UID/name | unknown (no fixtures) | partial | moderate | `socket/fields/ecs.yml` — process owner, not proven login principal; no ingest pipeline to verify |
+| `process.pid`, `process.name`, `process.executable` | Socket-owning process | unknown (no fixtures) | yes | high | `socket/fields/ecs.yml` |
+| `system.socket.process.cmdline` | Socket process command line | unknown (no fixtures) | n/a | high | `socket/fields/fields.yml` — vendor-only |
+| `user.name` | Service unit owner | unknown (no fixtures) | partial | moderate | `service/fields/ecs.yml` — may reflect systemd unit user, not interactive actor |
+| `process.*` (service stream) | Service main process | unknown (no fixtures) | yes | moderate | `service/fields/ecs.yml` |
+| `system.users.id`, `system.users.type`, `system.users.state`, `system.users.leader` | Logind session metadata | unknown (no fixtures) | n/a | high | `users/fields/fields.yml` — vendor-only; session ID, not ECS user |
+| `system.users.remote_host` | Remote client hostname/IP string | unknown (no fixtures) | n/a | moderate | `users/fields/fields.yml` — vendor-only |
+| `source.ip`, `source.port` | Remote session client endpoint | unknown (no fixtures) | partial | low | `users/fields/ecs.yml` — network peer of remote session, not audit actor |
+| `service.type` | Metric module label | unknown (no fixtures) | n/a | high | `ecs.yml` on streams — collector module type, not workload identity |
+
+No ingest pipelines exist; ECS fields are populated by Elastic Agent at collection time. **Mapped today?** cannot be fixture-verified.
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 2 — Resource / object | Monitored host (measurement subject) | Local Linux server | host | — | high | `host.name` on all streams | **Most streams** — measured object, not an audit target of an action |
+| 2 — Resource / object | Remote TCP peer | Remote host / endpoint | host | — | moderate | `system.socket.remote.ip`, `system.socket.remote.port`, optional `system.socket.remote.host` | **`linux.socket`** — far-end of newly observed connection; network context, not authorization target |
+| 3 — Content / artifact | Remote DNS enrichment | Resolved hostname / eTLD+1 | general | dns-name | low | `system.socket.remote.host`, `system.socket.remote.etld_plus_one` (`socket/fields/fields.yml`; reverse lookup off by default in `socket/manifest.yml`) | **`linux.socket`** — optional PTR enrichment |
+| 2 — Resource / object | Remote login source | Client of remote session | host | — | low | `system.users.remote_host`, `source.ip` | **`linux.users`** — when `system.users.remote=true`; session client, not acted-upon resource |
+| 2 — Resource / object | systemd service | Monitored unit | service | systemd unit | high | `system.service.name`, `system.service.state`, `system.service.sub_state`, `systemd.unit` | **`linux.service`** — health/resource measurement target |
+| 2 — Resource / object | Block device | Disk / partition | general | disk | moderate | `linux.iostat.name` (dimension) + I/O gauges (`iostat/fields/fields.yml`) | **`linux.iostat`** — performance dimension, not security object |
+| 2 — Resource / object | Software RAID array | md device | general | storage-array | moderate | `system.raid.name`, `system.raid.level`, `system.raid.status` (`raid/fields/fields.yml`) | **`linux.raid`** — array health dimension |
+
+**No meaningful audit target:** `conntrack`, `entropy`, `ksm`, `memory`, `network_summary`, `pageinfo` — aggregate kernel/network/memory gauges with no per-entity acted-upon object. Layer 1 (platform/cloud service) does not apply; this is on-host kernel telemetry, not a SaaS API invocation.
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `host.name`, `host.hostname` | 2 | host | unknown (no fixtures) | n/a | context-only | no | Measurement subject on all streams; not `host.target.*` |
+| `system.socket.remote.ip`, `system.socket.remote.port` | 2 | host | unknown (no fixtures) | partial | context-only | no | `socket/fields/fields.yml` — network peer endpoint, not audit target |
+| `system.socket.local.ip`, `system.socket.local.port` | 2 | host | unknown (no fixtures) | n/a | context-only | no | `socket/fields/fields.yml` — local bind endpoint |
+| `system.socket.remote.host`, `system.socket.remote.etld_plus_one` | 3 | general | unknown (no fixtures) | n/a | context-only | no | `socket/fields/fields.yml` — optional DNS artifact |
+| `system.users.remote_host` | 2 | host | unknown (no fixtures) | partial | context-only | no | `users/fields/fields.yml` — remote client string; no `destination.host.*` mapping |
+| `source.ip`, `source.port` | 2 | host | unknown (no fixtures) | partial | context-only | no | `users/fields/ecs.yml` — session client endpoint; not de-facto audit target |
+| `system.service.name`, `systemd.unit` | 2 | service | unknown (no fixtures) | n/a | context-only | no | `service/fields/fields.yml` — monitored unit dimension |
+| `linux.iostat.name` | 2 | general | unknown (no fixtures) | n/a | context-only | no | `iostat/fields/fields.yml` — disk device dimension |
+| `system.raid.name`, `system.raid.level`, `system.raid.status` | 2 | general | unknown (no fixtures) | n/a | context-only | no | `raid/fields/fields.yml` — RAID array dimension |
+
+No `user.target.*`, `host.target.*`, `service.target.*`, `entity.target.*`, or `destination.*` identity fields anywhere in the package.
+
+### Gaps and mapping notes
+
+- **Metrics-only, no audit events:** All eleven streams are gauges/counters or poll-based socket snapshots. Per-event caller identity, authorization outcomes, and operation verbs are absent by design.
+- **No `event.action` anywhere:** Not declared in field schemas, not populated by agent, no ingest pipeline to map vendor action fields. State labels (`system.service.state`, `system.users.state`, `system.raid.sync_action`) describe current conditions, not discrete actions — do not substitute for `event.action`.
+- **No ingest pipelines or fixtures:** Cannot trace ECS population through pipeline steps; evidence is field declarations (`fields.yml`, `ecs.yml`) and README only.
+- **`linux.users` lacks ECS user mapping:** Session metadata stays under `system.users.*`; `system.users.id` is a logind session ID, not `user.id`. No username field on this stream despite interactive-session semantics.
+- **`source.ip` on users stream:** Declared for remote sessions but represents a network client endpoint, not a de-facto audit target; no `destination.user.*` / `destination.host.*` counterparts.
+- **`user.id` / `user.full_name` on socket stream:** Process owner from `/proc`, useful for correlation but not proof of interactive login principal.
+- **No ECS `*.target.*` fields:** Aligns with target-fields audit classification **`none`**. Enhancement to official target buckets is not applicable without log-based audit semantics.
+- **Pair with log integrations:** System auth logs, Auditd, Sysmon for Linux, or Elastic Defend for audit-grade actor/target and `event.action` coverage.
+
+### Per-stream notes
+
+#### users
+
+Polls systemd logind via D-Bus (`docs/README.md`). Audit-adjacent (interactive access visibility) but **not** login/logout events—periodic state only. Fields describe session metadata (`system.users.type`, `seat`, `scope`, `state`, `remote`) and root PID (`leader`) without ECS `user.*`. Remote sessions expose `system.users.remote_host` and `source.ip`/`source.port`. **`system.users.state`** is session state, not an `event.action` candidate.
+
+#### socket
+
+Event-like metric stream: one document per **new** TCP socket detected by polling `/proc` (kernel ≥ 2.6.14). Richest actor/target hints—`process.*`, `user.id`, `user.full_name`, local/remote IP/port, optional reverse DNS (`socket.reverse_lookup.enabled`, default false). Short polling interval recommended. Not a firewall or flow log; no bytes/packets, direction, or allow/deny outcome. **No `event.action`** — implicit socket discovery only; no vendor operation field to map.
+
+#### service
+
+Reports systemd unit load/activity state and resource usage (CPU, memory, network, task count). Measurement target is the named service (`system.service.name` / `systemd.unit`); `user.name` and `process.*` support correlation with auth or process audit logs. State fields (`system.service.state`, `.sub_state`, `.load_state`) are gauge snapshots, not discrete change events and not `event.action` candidates.
+
+#### conntrack, entropy, ksm, memory, network_summary, pageinfo
+
+Pure host/kernel telemetry. `host.*` metadata only; no user, service, or peer identity.
+
+#### iostat, raid
+
+Infrastructure measurement dimensions (disk device, RAID array). Useful for asset context but not security audit targets.
+
+## Example Event Graph
+
+The Linux Metrics integration has no `sample_event.json` or pipeline `*-expected.json` fixtures under `packages/linux/` (only a Kibana dashboard JSON). All eleven streams are **metrics-only**—periodic host telemetry and state snapshots, not audit logs or discrete security events. **No per-event graph — time-bucketed metrics only.** ECS `event.action` is absent across the package; no stream records a named operation verb suitable for an Actor → action → Target chain grounded in fixture data.
+
+The streams with the richest audit-adjacent identity signals (`linux.socket`, `linux.users`, `linux.service`) still lack fixtures and `event.action`, so illustrative graphs cannot be cited here without inventing field values. For true Actor → event.action → Target examples on Linux hosts, use log-based integrations (System auth logs, Auditd, Sysmon for Linux, Elastic Defend).
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (policy template `system` + `linux/metrics` inputs per `manifest.yml`; eleven `data_stream/` directories, all `type: metrics`). Router: **`event.dataset`** (e.g. `linux.socket`, `linux.users` from `data_stream/*/fields/base-fields.yml`); scope with `FROM metrics-*` or `FROM metrics-linux-*`. **No Tier A fixtures** — no `sample_event.json`, `*-expected.json`, or ingest pipelines under `packages/linux/`; evidence is field declarations (`fields.yml`, `ecs.yml`) and README only. Pass 4 is **fill-gaps-only**, but this integration is **metrics-only**: periodic gauges and poll-based snapshots with **no `event.action`**, no discrete security/administration verbs, and no ECS `*.target.*` at collection (target-fields audit classification **`none`**). Pass 3 confirms **no per-event Actor → action → Target graph**. **No `EVAL` / `CASE` blocks are produced** — all eleven datasets under **Streams excluded**; do not promote `user.id` / `system.socket.remote.*` / `system.users.*` into audit actor/target columns. Cross-package queries use unscoped `FROM` (no `WHERE event.dataset` filter); embed `event.dataset == "linux.socket"` (etc.) in every CASE fallback branch when EVAL is added. **Pass 4 (CASE syntax + tautology):** Elastic Agent populates identity and peer fields at collection (`socket/fields/ecs.yml`, `users/fields/fields.yml`) with no alternate query-time vendor path — omit columns from ES|QL rather than **4-arg** `CASE(actor_exists, col, bare_field, null)` / `CASE(target_exists, col, bare_field, null)` (bare field parses as a **condition**, not a fallback) or **4-arg** `CASE(flag, col, col, null)` (identity no-op). Even valid **3-arg** `CASE(user.name IS NOT NULL, user.name, user.full_name)` on `linux.socket` is omitted: `user.full_name` is process-owner context, not audit `user.name`, and `actor_exists` true from `user.id` must not gate `user.name` via flag-based preserve.
+
+### Dataset inventory
+
+| data_stream.dataset / `event.dataset` | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `linux.conntrack` | kernel metrics | — | — | none |
+| `linux.entropy` | kernel metrics | — | — | none |
+| `linux.iostat` | disk metrics | — | — | none |
+| `linux.ksm` | kernel metrics | — | — | none |
+| `linux.memory` | kernel metrics | — | — | none |
+| `linux.network_summary` | network metrics | — | — | none |
+| `linux.pageinfo` | kernel metrics | — | — | none |
+| `linux.raid` | storage metrics | — | — | none |
+| `linux.service` | systemd state | — | — | none |
+| `linux.socket` | socket snapshot | — | — | none |
+| `linux.users` | logind session state | — | — | none |
+
+### Field mapping plan
+
+No actor, target, or `event.action` destination columns are populated. Audit-adjacent fields on `linux.socket` / `linux.users` / `linux.service` describe measurement dimensions or correlation context (Pass 2), not principals or acted-upon resources in an audit trail. Query-time `CASE` on agent-populated `user.id`, `user.full_name`, `host.name`, or `system.socket.remote.*` would conflate process-owner / logind / network-peer context with audit actor/target identity. Columns below are **collection-time only — omit from ES|QL** (no alternate indexed source for audit extraction).
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| — | — | — | — | No audit actor on any stream; `host.*` is collection scope |
+| `user.id` | — | `event.dataset == "linux.socket"` | high | **collection-time only — omit from ES\|QL** — `socket/fields/ecs.yml`; process owner from `/proc`, not login principal (Pass 2 partial); no vendor fallback path |
+| `user.name` | — | `event.dataset == "linux.socket"` | high | **omit** — `user.full_name` only at collection; forbidden **4-arg** `CASE(actor_exists, user.name, user.full_name, null)` (3rd arg is condition); valid **3-arg** `CASE(user.name IS NOT NULL, user.name, user.full_name)` still omitted (metrics process-owner, not audit principal) |
+| `user.full_name` | — | `event.dataset == "linux.socket"` | high | **collection-time only — omit from ES\|QL** — forbidden **4-arg** `CASE(actor_exists, user.full_name, user.full_name, null)` (tautology + flag-based preserve) |
+| `host.name` / `host.hostname` | — | all datasets | high | **collection-time only — omit from ES\|QL** — measurement subject on all streams (`service/fields/ecs.yml`, `agent.yml`); not audit principal |
+| `user.name` | — | `event.dataset == "linux.service"` | moderate | **collection-time only — omit from ES\|QL** — `service/fields/ecs.yml`; systemd unit user, not interactive actor |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| — | — | — | — | No audit target; peers/dimensions are context-only (Pass 2/3) |
+| `host.target.ip` | — | `event.dataset == "linux.socket"` | high | **omit** — `system.socket.remote.ip` is network peer context, not `host.target.*`; forbidden **4-arg** `CASE(target_exists, host.target.ip, system.socket.remote.ip, null)` (`system.socket.remote.ip` parses as condition); use **5-arg** `CASE(host.target.ip IS NOT NULL, host.target.ip, event.dataset == "linux.socket", system.socket.remote.ip, null)` only if audit semantics applied — they do not on this stream |
+| `host.target.*` | — | `event.dataset == "linux.users"` | high | **omit** — `source.ip` / `system.users.remote_host` are session client endpoints, not de-facto `host.target.*` (Pass 2) |
+| `user.target.*` / `service.target.*` | — | all datasets | high | **omit** — no ECS `*.target.*` in package; wiring `user.id` or `system.service.name` into target columns duplicates measurement dimensions |
+
+#### Event action mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| — | — | — | — | `event.action` absent from all field schemas; state labels (`system.service.state`, `system.users.state`, `system.raid.sync_action`) are gauges, not verbs |
+| `event.action` | — | all datasets | high | **omit** — not declared in `ecs.yml` / `base-fields.yml`; field absent so no preserve branch; forbidden **4-arg** `CASE(action_exists, event.action, event.action, null)` (tautology); do not substitute state gauges |
+
+### Detection flags (mandatory — run first)
+
+Not applicable — all streams excluded (metrics-only; no defensible preserve-first fallback without misclassifying process owner, logind session metadata, or remote socket peer as audit actor/target). Do not emit detection flags solely to wrap tautological `CASE` on agent-populated columns.
+
+### Combined ES|QL — actor fields
+
+Not applicable — all streams excluded (metrics-only). Do not emit **4-arg** `CASE(actor_exists, user.id, user.id, null)`, `CASE(actor_exists, user.full_name, user.full_name, null)`, `CASE(actor_exists, host.name, host.name, null)`, or **4-arg** `CASE(user.name IS NOT NULL, user.name, user.full_name, null)` on `linux.socket` — collection-time fields with no defensible audit fallback (`socket/fields/ecs.yml`, `users/fields/fields.yml`).
+
+### Combined ES|QL — event action
+
+Not applicable — all streams excluded; no `event.action` candidate with fixture or pipeline evidence. Do not map `system.service.state`, `system.users.state`, or `system.raid.sync_action` into `event.action` fallback branches.
+
+### Combined ES|QL — target fields
+
+Not applicable — all streams excluded (metrics-only). Do not emit **4-arg** `CASE(target_exists, host.target.ip, system.socket.remote.ip, null)` or **5-arg** peer promotion to `host.target.ip`; do not promote `system.service.name` / `linux.iostat.name` to `service.target.*` / `entity.target.*`.
+
+### Streams excluded
+
+- **`linux.conntrack`**, **`linux.entropy`**, **`linux.ksm`**, **`linux.memory`**, **`linux.network_summary`**, **`linux.pageinfo`** — kernel/network/memory gauges; `host.*` metadata only.
+- **`linux.iostat`**, **`linux.raid`** — disk/RAID measurement dimensions (`linux.iostat.name`, `system.raid.*`); not security audit targets.
+- **`linux.service`** — systemd unit state and resource gauges (`system.service.state`, `systemd.unit`); no start/stop/restart `event.action`.
+- **`linux.socket`** — one document per newly detected TCP socket (`docs/README.md`); `user.id` / `user.full_name` / `process.*` are process-owner correlation, not login principal; `system.socket.remote.*` is network peer context, not `host.target.*`.
+- **`linux.users`** — logind session snapshot (`system.users.*`, optional `source.ip`); not login/logout events; no ECS `user.name` / `user.id`.
+
+### Gaps and limitations
+
+- **Metrics-only by design:** All eleven streams are `type: metrics` per `data_stream/*/manifest.yml`; pairing with System auth logs, Auditd, Sysmon for Linux, or Elastic Defend is required for audit-grade `event.action` and `*.target.*`.
+- **No fixtures or ingest pipelines:** Cannot fixture-verify ES|QL sources; field declarations only — any `CASE` on `linux.socket` `user.*` would be heuristic and contradict Pass 2 **Mapping correct?** = partial for socket owner.
+- **Target-fields audit `none`:** No `destination.*` or ECS `*.target.*` in package; query-time promotion would guess wrong.
+- **`linux.users` `source.ip`:** Remote session client endpoint, not de-facto `host.target.ip`.
+- **Pass 2 enhancement alignment:** Do not substitute `system.service.state` / `system.users.state` / `system.raid.sync_action` for `event.action` at query time.
+- **No tautological CASE (Pass 4 #10):** `user.id`, `user.full_name`, and `host.name` on `linux.socket` and `host.*` on all streams are agent-populated at collection with no alternate vendor path; `system.socket.remote.*` and `linux.users` `source.ip` are peer/session context, not `host.target.*`. Emitting **4-arg** `CASE(actor_exists|target_exists, col, col, null)` or dataset-routed fallbacks that read the same column would be identity no-ops or violate Pass 2/3 metrics semantics.
+- **Pass 4 CASE syntax:** No fenced `esql` blocks — metrics-only, all streams excluded per `esql-entity-mapping.md` linux example. Anti-patterns above document forbidden **4-arg** flag-based preserve and bare-field-as-condition forms only; no `target.user.*` / `target.entity.type`; no detection-flag wrapper `EVAL` solely to host tautological `CASE`.
diff --git a/dev/domain/p1/m365_defender.md b/dev/domain/p1/m365_defender.md
new file mode 100644
index 00000000000..182bb5a8ecf
--- /dev/null
+++ b/dev/domain/p1/m365_defender.md
@@ -0,0 +1,591 @@
+# m365_defender
+
+## Product Domain
+
+Microsoft Defender XDR (Extended Detection and Response) is a unified pre- and post-breach enterprise defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications. Formerly known as Microsoft 365 Defender, it natively integrates signals from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Purview Data Loss Prevention into a single cross-domain security platform.
+
+At the operational level, Defender XDR correlates alerts from these workloads into incidents that represent attack stories spanning multiple stages and surfaces. Security analysts investigate incidents in the Defender portal, pivoting across device telemetry, identity sign-ins, email threats, cloud app activity, and automated response actions. Advanced Hunting and the Streaming API expose raw event tables for threat hunting and custom analytics, while the Microsoft Graph Security API surfaces normalized alerts and incidents for SIEM integration.
+
+The platform's data model spans endpoint process, file, network, and registry events; identity authentication and directory queries; email delivery, attachment, and post-delivery security events; cloud app and audit activity; and vulnerability assessments from Defender for Endpoint. Organizations deploy Defender XDR as part of Microsoft 365 E5 or standalone licensing to gain centralized visibility, automated investigation and remediation, and cross-workload threat correlation.
+
+The Elastic Microsoft Defender XDR integration ingests alerts, incidents, streaming events, and vulnerability assessments via Microsoft Graph Security API, Azure Event Hub, and the Defender for Endpoint API.
Events are normalized to ECS-aligned fields for SIEM correlation, incident response, vulnerability management, and threat hunting in Elastic Security.
+
+## Data Collected (brief)
+
+- **Incidents** (`m365_defender.incident`): Correlated attack stories from Microsoft Graph Security API `/security/incidents`, including severity, status, classification, associated alerts, and evidence from Defender XDR, Endpoint, Office 365, Identity, Cloud Apps, and Purview DLP.
+- **Alerts** (`m365_defender.alert`): Individual detections from Microsoft Graph Security API `/security/alerts_v2`, with threat categorization, severity, service source, and entity context (users, devices, files, IPs, URLs).
+- **Events** (`m365_defender.event`): Advanced Hunting events streamed via Azure Event Hub from the Defender XDR Streaming API—covering alert evidence and info, device process/file/network/registry/logon events, email and Teams message events, identity logon and directory events, cloud app and audit activity, and UEBA behavior entities.
+- **Vulnerabilities** (`m365_defender.vulnerability`): Software vulnerability assessments exported from Microsoft Defender for Endpoint API `/api/machines/SoftwareVulnerabilitiesExport`, with CVE details, affected software, device context, and risk scoring for vulnerability management workflows.
+
+## Expected Audit Log Entities
+
+Microsoft Defender XDR is a detection and telemetry platform, not a single audit-log product. The four data streams differ in audit semantics:
+
+- **`event`** — Advanced Hunting tables streamed via Azure Event Hub; includes true audit-adjacent activity (`CloudAuditEvents`, `CloudAppEvents`, identity logon/query) plus endpoint, email, and behavior telemetry.
+- **`alert`** — individual Graph Security API detections with typed `evidence[]` arrays and role metadata.
+- **`incident`** — correlated attack stories embedding nested alert evidence plus SOC workflow fields (`assignedTo`, comments).
+- **`vulnerability`** — Defender for Endpoint software-vulnerability inventory sync; actor/target audit semantics do not apply.
+
+There is no unified vendor `actor`/`target` pair. Initiating principals map to ECS `user.*`, `process.*`, and `source.*`; acted-upon entities map to ECS `host.*`, `file.*`, `process.*`, `destination.*`, vendor `m365_defender.event.target.*`, or alert/incident `evidence.*`. **No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*` fields are populated** (`dev/target-fields-audit/out/security/target_fields_audit.csv` — no rows). Target-fields audit classifies this package as **`strong_candidate`** with **`pipeline_actor=true`**, **`pipeline_entity_other=true`**, **`pipeline_dest_network=true`**, and **`pipeline_dest_identity=false`** (`dev/target-fields-audit/out/security/target_enhancement_packages.csv`).
+
+**`event.action` coverage varies by stream.** The **`event`** stream maps vendor `ActionType` → `m365_defender.event.action.type` → ECS `event.action` on device, identity/cloud-app, and email/message sub-pipelines, with category-aware normalization (e.g. file `creation`/`deletion`, process `start`). Alert/behavior hunting tables and inventory snapshots (`DeviceInfo`, `IdentityInfo`) retain vendor action type without ECS mapping. **`alert`** and **`incident`** populate `event.action` as an array from nested evidence `detectionStatus` (`detected`, `prevented`) — detection outcome, not the alert title or MITRE category. **`vulnerability`** has no per-event action (posture inventory sync).
+
+### Event action (semantic)
+
+Defender XDR uses **`ActionType`** (Advanced Hunting) and **`detectionStatus`** (Graph alerts/incidents) as the primary operation verbs. The integration normalizes hunting `ActionType` values to lowercase hyphenated ECS `event.action` where sub-pipelines copy from `m365_defender.event.action.type`.
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `logonsuccess`, `logonfailed` | authentication | high | `event.action` in `test-app-and-identity.log-expected.json`, `test-device.log-expected.json` | **`event`** — identity/device logon tables |
+| `samr-query`, `dns-query`, `write-deployments` | data_access / administration | high | `samr-query`, `write-deployments`, `dns-query` fixtures (`test-app-and-identity.log-expected.json`) | **`event`** — identity query, cloud app activity |
+| `update` | configuration_change | high | Cloud audit `ActionType: Update` → `event.action: update` (`test-cloud.log-expected.json`) | **`event`** — `CloudAuditEvents`; alternate ARM op in `m365_defender.event.properties_operation_name` (`Microsoft.Storage/storageAccounts/write`) unmapped |
+| `processcreated`, `start`, `creation`, `deletion`, `modification`, `rename`, `load` | process / file / registry | high | Device pipeline normalizes file/registry/process `ActionType` to ECS-friendly verbs; `ProcessCreated` → `start` on cloud process (`test-cloud.log-expected.json`) | **`event`** — device + `CloudProcessEvents` (via `pipeline_device.yml`) |
+| `dpapiaccessed`, `readprocessmemoryapicall`, `createremotethreadapicall`, `powershellcommand`, `dnsconnectioninspected`, … | detection / api_call | high | Raw vendor `ActionType` copied when not file/registry/process-normalized (`test-device.log-expected.json`) | **`event`** — endpoint telemetry and API-call events |
+| `phish-zap`, `dpapiaccessed` (post-delivery) | detection / email | high | `ActionType: Phish ZAP` → `phish-zap` (`test-message.log-expected.json`); email post-delivery (`test-email.log-expected.json`) | **`event`** — email/message tables; vendor also retains `m365_defender.event.action.value`/`trigger`/`result` |
+| `dataaggregation` | data_access | high | `CloudStorageAggregatedEvents` fixture (`test-cloud.log-expected.json`) | **`event`** — 
aggregated cloud storage metrics, not per-object CRUD |
+| `SuspiciousPowerShellCommand` (vendor) | detection | high (vendor) | `ActionType` on `BehaviorInfo` → `m365_defender.event.action.type` only (`test-behavior.log-expected.json`) | **`event`** — UEBA behavior; **no** ECS `event.action` |
+| Alert title / category (vendor) | detection | high (vendor) | `Title`, `Category` on `AlertInfo` (`test-alert.log-expected.json`); no `event.action` | **`event`** — hunting alert metadata |
+| `detected`, `prevented` | detection | high | `event.action: ["detected"]` on alert fixtures; `prevented` on incident fixtures | **`alert`**, **`incident`** — evidence `detectionStatus`, not hunting `ActionType` |
+| — | — | — | No `event.action` in `sample_event.json` or vulnerability fixtures | **`vulnerability`** — inventory sync; no meaningful per-event verb |
+
+Inventory tables (`DeviceInfo`, `IdentityInfo`, `event.kind: asset`) and alert/behavior hunting metadata rows have **no per-event action** — they describe entity state or detection context, not an operation performed at ingest time.
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? 
| Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `json.properties.ActionType` → `m365_defender.event.action.type` → `event.action` | yes (**device**, **app/identity**, **email/message**) | yes | `logonsuccess`, `samr-query`, `update`, `dpapiaccessed`, `phish-zap`, `start`, `creation`, … | no | `pipeline_device.yml:676-677`, `:2638-2694`; `pipeline_app_and_identity.yml:414-415`, `:1019-1032`; `pipeline_email.yml:264-265`, `:557-570`; fixtures above |
+| Category-normalized overrides (`creation`, `deletion`, `modification`, `start`, `load`) | yes (**device** file/registry/process/driver) | yes | `creation`, `deletion`, `modification`, `rename`, `start`, `load` | no | `pipeline_device.yml:2638-2677` — maps vendor `FileCreated`/`ProcessCreated`/… to ECS-friendly verbs before lowercase/gsub |
+| `json.properties.ActionType` → `m365_defender.event.action.type` (**alert/behavior** sub-pipeline) | **no** (vendor only) | n/a | `SuspiciousPowerShellCommand`, `ProcessCreated` (AlertEvidence) | **yes** | `pipeline_alert.yml:340-342` renames only; `test-behavior.log-expected.json`, `test-alert.log-expected.json` (AlertEvidence has `event.action: start` when routed through device pipeline for process events, but AlertInfo/BehaviorInfo lack ECS action) |
+| `json.properties.OperationName` / `m365_defender.event.properties_operation_name` | no | n/a | `Microsoft.Storage/storageAccounts/write` | **yes** | Cloud audit fixture (`test-cloud.log-expected.json`); richer ARM API name than `ActionType: Update` |
+| `json.properties.ActivityType` → `m365_defender.event.activity.type` | no | n/a | — | partial | Renamed in `pipeline_app_and_identity.yml:562-564`; parallel activity label, not copied to `event.action` |
+| `m365_defender.event.action.value`, `.trigger`, `.result` | no | n/a | `Moved to quarantine`, `Automatic ZAP`, `Quarantined successfully` | partial | Email/message post-delivery (`pipeline_email.yml:410-420`); remediation detail, not primary verb |
+| 
`json.evidence[].detectionStatus` → `event.action` | yes (**alert**, **incident**) | partial | `detected`, `prevented` | partial | `alert/default.yml:1475-1478`, `incident/default.yml` (same pattern); detection **outcome** per evidence item, not alert title (`m365_defender.alert.title`) or category |
+| `m365_defender.alert.title` / `m365_defender.alert.category` | no | n/a | `Suspicious PowerShell command line`, `Execution` | **yes** | Alert/incident fixtures; title is human-readable detection name; category maps to `threat.tactic.name`, not `event.action` |
+| `m365_defender.event.operation_name` (Event Hub envelope) | no | n/a | `Publish` | no | Streaming transport metadata on all hunting tables — not the security operation |
+| — (**vulnerability**) | no | n/a | — | no | `vulnerability/default.yml` sets `event.category: vulnerability` only; `sample_event.json` has no `event.action` |
+
+**Step 2b — per-stream check:**
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? 
| Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `event` | yes (device, identity, cloud, email, message); **no** (DeviceInfo, IdentityInfo, AlertInfo, BehaviorInfo) | yes (device/app_identity/email); **no** (alert/behavior sub-pipeline) | `m365_defender.event.action.type` ← `ActionType` | high | `test-device.log-expected.json`, `test-app-and-identity.log-expected.json`, `test-cloud.log-expected.json`, `test-message.log-expected.json`; gap: `test-behavior.log-expected.json`, AlertInfo rows in `test-alert.log-expected.json` |
+| `alert` | yes (array) | yes | `evidence[].detectionStatus` | medium | `test-alert.log-expected.json`: `["detected"]`; alternate: `m365_defender.alert.title` |
+| `incident` | yes (array) | yes | nested alert `evidence[].detectionStatus` | medium | `test-incident.log-expected.json`: `detected`, `prevented` |
+| `vulnerability` | **no** | **no** | n/a — inventory sync | n/a | `sample_event.json`, `vulnerability/default.yml`; no vendor action field |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Endpoint initiating user | user | — | high | `InitiatingProcessAccountName` / `AccountName` / `RequestAccountName` → `user.name`, `user.domain`, `user.id` (SID); vendor `m365_defender.event.initiating_process.account_*` | **`event`** (device tables) — `administrator1` in `test-device.log-expected.json` |
+| Identity / directory principal | user | — | high | `AccountName`, `AccountSid`, `AccountUpn`, `AccountObjectId` → `user.*` on `IdentityLogonEvents`, `IdentityQueryEvents`, `IdentityDirectoryEvents` | **`event`** — machine account `D2WXA1303R$` as actor on SAMR query (`test-app-and-identity.log-expected.json`) |
+| Cloud app actor | user | — | high | `AccountId` / `AccountDisplayName` → `user.id`, `user.name` on `CloudAppEvents` | **`event`** — `Write Deployments` / Teams activity in 
`test-app-and-identity.log-expected.json` |
+| Email / Teams sender | user | — | high | Sender fields → `email.from.address`, `user.email`, `user.name`; vendor `m365_defender.event.sender.*` | **`event`** — `test-email.log-expected.json`, `test-message.log-expected.json` |
+| UEBA behavior subject | user | — | high | `AccountName` / `AccountSid` / `AccountObjectId` → `user.*` on `BehaviorEntities` | **`event`** — `test-behavior.log-expected.json` |
+| Cloud workload process owner | user | — | high | `AccountName` → `user.name` (e.g. `root`) | **`event`** (cloud process) — `test-cloud.log-expected.json` |
+| Initiating process | general | process | high | `InitiatingProcess*` → `process.*` and `m365_defender.event.initiating_process.*` (command line, hashes, parent) | **`event`** (device) — process actor alongside account when both present |
+| Sensor / source host | host | — | high | `DeviceId` / `DeviceName` → `host.id`, `host.name`; identity events also set actor-side `host.ip` | **`event`** — sensor context, not the remote target on identity queries |
+| Threat actor label | user | threat_group | medium | `actorDisplayName` → `m365_defender.alert.actor_display_name` / `m365_defender.incident.alert.actor_display_name` | **`alert`**, **`incident`** — adversary/threat-group name; null in most fixtures |
+| SOC incident assignee | user | soc_analyst | medium | `assignedTo` → `source.user.name`, `source.user.email`, `related.user` | **`alert`**, **`incident`** — analyst owner, not attack actor (`test-incident.log-expected.json`: `KaiC@contoso.onmicrosoft.com`) |
+| Alert/incident evidence user | user | — | high | `userEvidence`, `mailboxEvidence`, `processEvidence.userAccount`, device `loggedOnUsers` → `user.*`, `process.user.*`, `related.user` | **`alert`**, **`incident`** — `CDPUserIS-38411` in `test-alert.log-expected.json`; role (actor vs impacted) ambiguous without `roles` |
+| Email alert sender | user | — | high | `p1_sender` / `p2_sender` / `senderIp` → 
`email.from.address`, `email.sender.address`, `source.ip` | **`alert`**, **`incident`** — Office 365 / MCAS email alerts in `test-incident.log-expected.json` |
+| Identity asset snapshot | user | — | high | `IdentityInfo` rows (`event.kind: asset`) populate `user.*` / `m365_defender.event.account.*` | **`event`** — inventory snapshot, not an action actor |
+| Vulnerability scanner | service | — | low | No human actor; `observer.vendor` / `vulnerability.scanner.vendor: Microsoft` | **`vulnerability`** — automated assessment only |
+
+**`CloudAuditEvents`** fixtures expose client `source.ip` and `user_agent.original` but often lack an explicit user principal — actor is network-context only on those rows.
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `user.name`, `user.id`, `user.domain`, `user.email`, `user.full_name` | Endpoint, identity, cloud-app, behavior principal | yes | yes | high | `pipeline_device.yml`, `pipeline_app_and_identity.yml`, `pipeline_cloud.yml`, `pipeline_behavior.yml`; `test-device.log-expected.json`, `test-app-and-identity.log-expected.json` |
+| `process.*`, `process.parent.*`, `process.hash.*` | Initiating or evidence process | yes | yes | high | `pipeline_device.yml` ← `InitiatingProcess*`; alert/incident evidence script → `process.*` (`test-alert.log-expected.json`) |
+| `process.user.name`, `process.user.id` | Process owner from evidence | yes | yes | high | Alert/incident pipeline from `processEvidence.userAccount` |
+| `host.id`, `host.name`, `host.ip`, `host.hostname` | Sensor device / evidence device | yes | partial | high | ← `DeviceId`/`DeviceName`; evidence `deviceEvidence` → `host.*`; on identity events `host.*` is source sensor, not query target |
+| `email.from.address`, `email.sender.address` | Email/Teams sender | yes | yes | high | Email/message pipelines; alert email evidence |
+| `source.ip`, `source.geo.*` | 
Client IP on cloud audit, email sender, alert evidence | yes | yes | high | `CloudAuditEvents` fixture (`81.2.69.142`); `senderIp` on alert evidence |
+| `source.user.name`, `source.user.email`, `source.user.domain` | SOC assignee (not threat actor) | yes | partial | high | ← `assignedTo` dissect (`incident/default.yml`, `alert/default.yml`); semantically analyst workflow, not attacker |
+| `application.name` | SaaS workload label (Office 365, Active Directory, Microsoft Azure) | yes | n/a | high | ← `m365_defender.event.application` (`event/default.yml`); scope/context, not caller identity |
+| `cloud.account.id`, `cloud.provider` | Tenant / cloud scope | yes | n/a | high | Alert/incident `tenantId`; device VM metadata; tenancy context, not actor |
+| `related.user`, `related.hosts`, `related.ip`, `related.hash` | Correlation arrays | yes | partial | high | Aggregates users/hosts/IPs from evidence and events; does not distinguish actor vs target role |
+| `m365_defender.event.initiating_process.*` | Rich initiating-process identity | yes (vendor) | n/a | high | Full vendor tree when ECS `process.*` is trimmed; `test-device.log-expected.json` |
+| `m365_defender.event.account.*` | Identity account vendor copy | yes (vendor) | n/a | high | Parallel to ECS `user.*` on identity/cloud-app tables |
+| `m365_defender.alert.actor_display_name` | Threat-group display name | yes (vendor) | n/a | medium | ← `actorDisplayName`; rarely populated in fixtures |
+| `m365_defender.alert.evidence[].user_account.*` | Evidence user detail | yes (vendor) | n/a | high | Canonical Graph evidence; ECS `user.*` is flattened array from all evidence types |
+| `observer.vendor`, `vulnerability.scanner.vendor` | Scanner identity | yes | n/a | low | **`vulnerability`** only — `default.yml` sets `Microsoft` |
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | 
--- | --- |
+| 1 — Platform / cloud service | SaaS or cloud workload invoked | Microsoft Azure, Office 365, Active Directory, Microsoft Teams | service | — | high | `application.name` ← `Application` property; `event.provider` / `m365_defender.alert.service_source` on alerts | **`event`** cloud/identity tables; **`alert`**, **`incident`** via `productName` / `serviceSource` |
+| 2 — Resource / object | Onboarded endpoint (sensor or evidence) | Endpoint device | host | — | high | `host.*`, `device.id` ← `DeviceId`/`DeviceName`; evidence `deviceEvidence` | All streams except pure cloud-audit rows |
+| 2 — Resource / object | Remote or created process | Process | general | process | high | `process.*`; non-ECS `Target.process.*` on remote API calls (`pipeline_device.yml`) | **`event`** device; **`alert`**, **`incident`** `processEvidence` |
+| 2 — Resource / object | File / attachment / registry key | File or registry object | general | file | high | `file.*`; registry vendor fields on device/alert evidence | **`event`** device/email; **`alert`**, **`incident`** `fileEvidence` |
+| 2 — Resource / object | Identity query / logon target host | Remote domain controller or queried device | host | — | high | `m365_defender.event.target.device_name`, `m365_defender.event.destination.device_name`, `destination.ip`/`destination.port` | **`event`** identity — SAMR to `d2win02r` (`test-app-and-identity.log-expected.json`) |
+| 2 — Resource / object | Identity query target account | Directory user | user | — | medium | `m365_defender.event.target.account_upn`, `target.account_display_name`, `query.target` | **`event`** identity — pipeline support; empty in most fixtures |
+| 2 — Resource / object | Cloud ARM / K8s / storage resource | Cloud resource | general | cloud_resource | high | `m365_defender.event.resource_id`, `azure_resource_id`, `object.type`, `resource.*` | **`event`** `CloudAuditEvents`, `CloudAppEvents`, `CloudProcessEvents`, `CloudStorageAggregatedEvents` |
+| 2 — 
Resource / object | Email / Teams recipient | Mailbox user | user | — | high | `email.to.address`, `m365_defender.event.recipient.*` | **`event`** email/message tables |
+| 2 — Resource / object | SaaS app instance (alert evidence) | Cloud application | service | — | high | `cloudApplicationEvidence` → vendor `m365_defender.alert.evidence` app fields | **`alert`**, **`incident`** — Skype exfiltration in `test-incident.log-expected.json` |
+| 2 — Resource / object | Vulnerable software on endpoint | Installed package | general | software_package | high | `package.name`, `package.version`, `m365_defender.vulnerability.software_*` | **`vulnerability`** — host is impacted asset; software+CVE is finding target |
+| 2 — Resource / object | CVE finding | Vulnerability record | general | cve | high | `vulnerability.id`, `vulnerability.cve`, `vulnerability.severity` | **`vulnerability`** |
+| 3 — Content / artifact | Embedded or malicious URL | URL | general | url | high | `url.*`, `m365_defender.event.url*`, alert `urlEvidence` | **`event`** email/message/behavior; **`alert`**, **`incident`** |
+| 3 — Content / artifact | Email message cluster / analyzed message | Email message | general | email_message | high | `email.*`, `m365_defender.alert.evidence.subject`, network/message IDs | **`alert`**, **`incident`** mail evidence |
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `application.name` | 1 | service | yes | yes | `service.target.name` | yes | ← `m365_defender.event.application` (`event/default.yml`); e.g. 
`Microsoft Azure`, `Office 365`, `Active Directory` in fixtures — Layer 1 invoked SaaS/cloud workload |
+| `event.provider`, `m365_defender.alert.service_source`, `m365_defender.alert.product_name` | 1 | service | yes | yes | `service.target.name` | yes | Defender workload that generated the detection (Endpoint, Office 365, Cloud Apps) |
+| `host.id`, `host.name`, `host.hostname`, `host.ip`, `host.os.*`, `device.id` | 2 | host | yes | partial | `host.target.*` | yes | Sensor host and evidence `deviceEvidence`; on identity events same fields describe source sensor — distinguish from query target below |
+| `process.*` (non-`Target`) | 2 | general | yes | partial | `entity.target.id` | yes | Created/affected process on sensor; alert `processEvidence` — target process, but same ECS field family as actor initiating process |
+| `Target.process.name`, `Target.process.command_line`, `Target.process.executable` | 2 | general | yes | partial | `entity.target.id` | yes | Non-standard ECS prefix; remote API call targets (`pipeline_device.yml`); pipeline-proven, sparse fixture coverage |
+| `file.*` | 2/3 | general | yes | yes | context-only | no | Device files, email attachments, alert `fileEvidence` |
+| `m365_defender.event.target.device_name` | 2 | host | yes (vendor) | yes | `host.target.name` | **yes** | ← `TargetDeviceName`/`DestinationDeviceName` (`pipeline_app_and_identity.yml`); identity query target — not migrated to ECS |
+| `m365_defender.event.destination.device_name` | 2 | host | yes (vendor) | yes | `host.target.name` | **yes** | Vendor copy parallel to `target.device_name`; SAMR fixture `d2win02r.d300b.cenlar.com` |
+| `destination.ip`, `destination.port` | 2 | host | yes | partial | context-only | partial | Identity query remote endpoint (`10.180.100.81:445`); network peer on device network events — verify table/action |
+| `destination.domain` | 2 | host | yes | partial | `host.target.name` | yes | DNS query target domain in identity fixtures 
(`_grpc_config.useast-comms.dgsecure.com`) |
+| `m365_defender.event.target.account_upn`, `target.account_display_name` | 2 | user | yes (vendor) | yes | `user.target.*` | **yes** | ← `TargetAccountUpn`/`TargetAccountDisplayName`; pipeline/fields support, empty in most fixtures |
+| `m365_defender.event.query.target` | 2 | user | yes (vendor) | yes | `user.target.name` | **yes** | SAMR query target `Server_Admin` (`test-app-and-identity.log-expected.json`) |
+| `m365_defender.event.resource_id`, `azure_resource_id`, `object.type` | 2 | general | yes (vendor) | yes | `entity.target.id` | yes | Cloud audit/app resource ARN or ARM ID; not promoted to ECS `resource.*` on all tables |
+| `resource.id`, `resource.name` | 2 | general | yes | partial | `entity.target.id` | yes | Cloud process events; vulnerability `resource.id` ← device ID |
+| `email.to.address`, `m365_defender.event.recipient.*` | 2 | user | yes | yes | `user.target.email` | yes | Mail recipient — de-facto user target, not `user.target.*` |
+| `user.*` from evidence | 2 | user | yes | partial | `user.target.*` | yes | Flattened from all evidence types; `roles`/`detailed_roles` (e.g. `compromised`) imply target relationship but are not mapped to ECS target fields |
+| `url.original`, `url.domain` | 3 | general | yes | yes | context-only | no | Email/message URLs; alert `urlEvidence` |
+| `package.name`, `package.version`, `vulnerability.*` | 2 | general | yes | yes | context-only | no | **`vulnerability`** finding tuple |
+| `cloud.account.id` | — | — | yes | n/a | context-only | no | Tenant scope on alerts/incidents/cloud rows — not a target |
+
+### Gaps and mapping notes
+
+- **No official ECS `*.target.*` fields** — target-fields audit confirms zero mapped target-tier fields; package is **`strong_candidate`** for enhancement (`target_enhancement_packages.csv`).
+- **Vendor `m365_defender.event.target.*` and `query.target`** are the best source of truth for identity audit targets (`TargetAccountUpn`, `TargetDeviceName`, `QueryTarget`) — retained vendor-only; should migrate to `user.target.*` / `host.target.*`.
+- **`destination.ip` / `destination.port` / `destination.domain`** on identity events are de-facto remote-host/query targets (`pipeline_app_and_identity.yml`), not `destination.user.*` (this package has **`pipeline_dest_identity=false`**). Network-context `destination.*` on device network tables may be flow peers — verify `network_direction` per action.
+- **`Target.process.*`** uses a non-standard top-level ECS prefix (capital `Target`) — enhancement candidate for `process` target entity or ECS `process.target.*` when remote API calls are the acted-upon process.
+- **`user.*` conflation** — the same ECS `user.name` array on alerts/incidents merges evidence users, logged-on users, and email senders without role separation; `roles`/`detailed_roles` stay vendor-only under `m365_defender.alert.evidence`.
+- **`source.user.*` from `assignedTo`** is the SOC analyst assignee — correct workflow mapping but must not be interpreted as the threat actor (distinct from `m365_defender.alert.actor_display_name`).
+- **`host.*` on identity events** describes the **source sensor** (`DeviceName`/`IPAddress`); the queried target is under vendor `target.device_name` / `destination.*`, not `host.target.*`.
+- **`application.name`** identifies the invoked Microsoft workload (Layer 1 target) but is not mapped to `service.target.name` or `cloud.service.name`.
+- **`CloudAuditEvents`** sample lacks explicit caller user — only `source.ip` and `user_agent.original`; principal identity may be absent in vendor payload.
+- **`IdentityInfo`** (`event.kind: asset`) and **`vulnerability`** are inventory/state sync — describe entity subjects, not per-action actor/target pairs.
+- **Alignment with target-fields audit:** `pipeline_actor=true`, `pipeline_entity_other=true` (vendor `*target*` paths and `Target.process.*`), `fixture_strong=true`; no `destination.user.*` pipeline mappings.
+- **`event.action` gaps:**
+ - **`pipeline_alert.yml`** (BehaviorInfo/BehaviorEntities, AlertInfo/AlertEvidence hunting tables) copies `ActionType` to `m365_defender.event.action.type` but never to ECS `event.action` — `SuspiciousPowerShellCommand` and alert metadata rows lack ECS verb (`test-behavior.log-expected.json`, AlertInfo in `test-alert.log-expected.json`).
+ - **Cloud audit** maps coarse `ActionType` (`Update`) while richer ARM operation name (`Microsoft.Storage/storageAccounts/write`) stays in `m365_defender.event.properties_operation_name` — consider as primary or secondary `event.action`.
+ - **`alert`/`incident`** use evidence `detectionStatus` (`detected`/`prevented`) as `event.action` — semantically detection outcome, not the operation that triggered the alert; `m365_defender.alert.title` and `.category` are better human-readable action candidates but unmapped.
+ - **Inventory hunting tables** (`DeviceInfo`, `IdentityInfo`) and **`vulnerability`** stream correctly have no per-event action.
+ - **Email/message** retains parallel remediation fields (`m365_defender.event.action.value`/`trigger`/`result`) vendor-only alongside normalized `event.action` from `ActionType`.
+
+### Per-stream notes
+
+#### `event`
+
+Advanced Hunting tables routed by `category` to sub-pipelines (`pipeline_device.yml`, `pipeline_app_and_identity.yml`, `pipeline_email.yml`, `pipeline_alert.yml`). True audit-adjacent tables include `CloudAuditEvents`, `CloudAppEvents`, and identity logon/query/directory events; endpoint/device tables are telemetry with clear initiating-process actors. **`event.action`** ← `ActionType` on device, identity/cloud-app, and email/message pipelines (lowercased, spaces → hyphens; file/registry/process categories get ECS-friendly verbs).
**Gaps:** `pipeline_alert.yml` (behavior/alert hunting) and inventory tables (`DeviceInfo`, `IdentityInfo`) retain vendor action type without ECS mapping. Target semantics are action-specific: files/processes/registry on the sensor host, remote peers via `destination.*` on network/identity events, cloud resources on audit/app tables, and email/file/url entities on messaging tables. Layer 1 service is `application.name` (e.g. `Microsoft Azure`, `Active Directory`).
+
+#### `alert`
+
+Graph Security API `/security/alerts_v2` via `alert/default.yml`. **`event.action`** is an array aggregated from evidence `detectionStatus` (`detected` in fixtures) — not hunting `ActionType` or alert title. No attack actor field when `actorDisplayName` is null; evidence drives both actor and target ECS fields. Each evidence `@odata.type` maps to ECS categories while full graph context (including `roles`, `detailed_roles`, `verdict`) remains in `m365_defender.alert.evidence`. Distinguish threat actor (`actor_display_name`), SOC assignee (`source.user` from `assignedTo`), and evidence users/processes/devices.
+
+#### `incident`
+
+Graph Security API `/security/incidents` with embedded alert evidence — same evidence mapping as **`alert`**, plus incident-level `assignedTo` → `source.user.*`, comment authors in `related.user`, and nested `m365_defender.incident.alert.evidence`. **`event.action`** mirrors nested evidence `detectionStatus` (`detected`, `prevented` in fixtures). Targets are evidence-driven across the correlated attack story; `roles: compromised` on device evidence indicates target relationship (`test-incident.log-expected.json`).
+
+#### `vulnerability`
+
+Defender for Endpoint `/api/machines/SoftwareVulnerabilitiesExport` — inventory sync, not audit. **No human actor.** **No `event.action`** — posture snapshot, not an operation verb.
Target is the **host + software + CVE** tuple: `host.*`, `package.*`, `vulnerability.*`, with scanner context under `observer.*` / `vulnerability.scanner.vendor`. Actor/target audit enhancement does not apply; entity-analytics use case is vulnerability posture on endpoints.
+
+## Example Event Graph
+
+These examples come from the **`event`** (Advanced Hunting) and **`alert`** (Graph Security API) streams. Hunting identity and device tables are audit-adjacent telemetry with mapped `event.action`; alerts use evidence `detectionStatus` as the action verb. The **`vulnerability`** stream is inventory-only — no per-event actor/action/target graph applies.
+
+### Example 1: Active Directory SAMR group query
+
+**Stream:** `m365_defender.event` · **Fixture:** `packages/m365_defender/data_stream/event/_dev/test/pipeline/test-app-and-identity.log-expected.json`
+
+```
+Actor (user, D2WXA1303R$) → samr-query → Target (host, d2win02r.d300b.cenlar.com)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | S-1-5-21-621940831-1238047941-1264475144-86894 |
+| name | D2WXA1303R$ |
+| type | user |
+| sub_type | service_account |
+| ip | 10.180.101.20 |
+
+**Field sources:**
+- `id` ← `m365_defender.event.additional_fields.SourceAccountSid` (vendor-only in fixture; not promoted to ECS `user.id`)
+- `name` ← `user.name` ← `AccountDisplayName`
+- `ip` ← `host.ip` (source sensor IP on identity query events)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | samr-query |
+| source_field | `event.action` |
+| source_value | samr-query |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 370f6773-bfd8-4356-8e83-e65a1a9b3469 |
+| name | d2win02r.d300b.cenlar.com |
+| type | host |
+| ip | 10.180.100.81 |
+
+**Field sources:**
+- `id` ← `m365_defender.event.additional_fields.DestinationComputerObjectGuid`
+- `name` ← `m365_defender.event.destination.device_name` ← `DestinationDeviceName`
+- `ip` ← `destination.ip` ← `DestinationIPAddress`
+- Queried group
`Server_Admin` is in `m365_defender.event.query.target` (vendor-only; not mapped to `user.target.*`)
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: D2WXA1303R$"] --> E["samr-query"]
+ E --> T["Target: d2win02r.d300b.cenlar.com"]
+```
+
+### Example 2: Endpoint DPAPI access
+
+**Stream:** `m365_defender.event` · **Fixture:** `packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json`
+
+```
+Actor (user, administrator1) → dpapiaccessed → Target (host, testmachine5)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | S-1-5-21-375308137-164487297-2828222098-111 |
+| name | administrator1 |
+| type | user |
+
+**Field sources:**
+- `id` ← `m365_defender.event.initiating_process.account_sid` (vendor-only; ECS `user.*` not populated on this fixture row)
+- `name` ← `m365_defender.event.initiating_process.account_name` ← `InitiatingProcessAccountName`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | dpapiaccessed |
+| source_field | `event.action` |
+| source_value | dpapiaccessed |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | de6509d550e605faf3bbeac0905ab9590fe12345 |
+| name | testmachine5 |
+| type | host |
+
+**Field sources:**
+- `id` ← `host.id` ← `DeviceId`
+- `name` ← `host.name` ← `DeviceName`
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: administrator1"] --> E["dpapiaccessed"]
+ E --> T["Target: testmachine5"]
+```
+
+### Example 3: Suspicious PowerShell detection alert
+
+**Stream:** `m365_defender.alert` · **Fixture:** `packages/m365_defender/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json`
+
+```
+Actor (user, CDPUserIS-38411) → detected → Target (host, clw555test)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | S-1-12-1-1485667349-1150190949-4065799612-2328216759 |
+| name | CDPUserIS-38411 |
+| type | user |
+
+**Field sources:**
+- `id` ← `related.user` / `m365_defender.alert.evidence[].user_account.user_sid` ← evidence
`userAccount.userSid`
+- `name` ← `process.user.name` ← `processEvidence.userAccount.accountName`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | detected |
+| source_field | `event.action` |
+| source_value | detected |
+
+Note: `event.action` reflects evidence `detectionStatus` (detection outcome), not the alert title (`Suspicious PowerShell command line`).
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 505d70d89cfa3428f7aac7d2eb3a64c60fd3d843 |
+| name | clw555test |
+| type | host |
+| ip | 192.168.5.65 |
+
+**Field sources:**
+- `id` ← `host.id` ← evidence `deviceEvidence.mdeDeviceId`
+- `name` ← `host.hostname` ← evidence `deviceEvidence.deviceDnsName`
+- `ip` ← `host.ip[0]` ← evidence `deviceEvidence.ipInterfaces`
+- Suspicious process `powershell.exe` (pid 8224) is flattened to ECS `process.*` from `processEvidence`; same field family as initiating process on hunting events
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: CDPUserIS-38411"] --> E["detected"]
+ E --> T["Target: clw555test"]
+```
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (Elastic Agent / httpjson / Event Hub). Route primarily by **`data_stream.dataset`** (`m365_defender.event`, `m365_defender.alert`, `m365_defender.incident`, `m365_defender.vulnerability` per `manifest.yml`). Pass 4 is **fill-gaps-only**: detection flags (`actor_exists`, `target_exists`, `action_exists`) are query-time helpers; mapped columns use **column-level** `CASE( IS NOT NULL, , fallback, null)` — not `CASE(target_exists, , …)` / `CASE(action_exists, event.action, …)` — so one populated sibling (e.g. `service.target.name` from `application.name`) does not block `host.target.*` / `user.target.*` fallbacks on empty columns (Pass 4 §10). Fallback branches promote vendor/de-facto fields to `user.target.*`, `host.target.*`, and `service.target.*` where ECS target tiers are empty today. **`m365_defender.vulnerability`** is excluded (inventory sync).
Secondary routing uses **`event.action`** to separate identity-query targets (`samr-query`, `dns-query`) from onboarded-device targets (`dpapiaccessed`, alert evidence).
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `m365_defender.event` | Device / endpoint telemetry | user, general (process) | host, general (file/process) | partial |
+| `m365_defender.event` | Identity / cloud audit | user | host, user, service | partial |
+| `m365_defender.event` | Email / message | user | user, general (url/file) | partial |
+| `m365_defender.alert` | Graph Security alert | user | host, general (process/file) | partial |
+| `m365_defender.incident` | Correlated incident | user | host, service | partial |
+| `m365_defender.vulnerability` | Vuln inventory sync | — | — | none |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.id` | `user.id` | `user.id IS NOT NULL` | high | **preserve existing** — column-level; do not gate on `actor_exists` (alerts can have `process.user.name` while `user.id` is empty) |
+| `user.id` | `m365_defender.event.additional_fields.SourceAccountSid` | `data_stream.dataset == "m365_defender.event" AND user.id IS NULL` | high | **vendor fallback** (SAMR fixture) |
+| `user.id` | `m365_defender.event.initiating_process.account_sid` | `data_stream.dataset == "m365_defender.event" AND user.id IS NULL` | high | **vendor fallback** (device telemetry) |
+| `user.name` | `user.name` | `user.name IS NOT NULL` | high | **preserve existing** — column-level |
+| `user.name` | `m365_defender.event.initiating_process.account_name` | `data_stream.dataset == "m365_defender.event" AND user.name IS NULL` | high | **vendor fallback** (`test-device.log-expected.json`) |
+| `user.name` | `process.user.name` |
`data_stream.dataset IN ("m365_defender.alert", "m365_defender.incident") AND user.name IS NULL` | high | **vendor fallback** — evidence process owner (`test-alert.log-expected.json`) |
+| `user.email` | — | — | high | **ingest-only — no ES\|QL** — pipelines set `user.email` / `AccountUpn`; no alternate query-time path |
+| `user.domain` | — | — | high | **ingest-only — no ES\|QL** — pipelines set `user.domain`; no alternate query-time path |
+| `host.ip` | `host.ip` | `host.ip IS NOT NULL` | high | **preserve existing** — column-level |
+| `host.ip` | `source.ip` | `data_stream.dataset == "m365_defender.event" AND user.name IS NULL AND source.ip IS NOT NULL` | medium | **vendor fallback** — weak actor context when principal absent (cloud audit) |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `host.target.id` | `host.target.id` | `host.target.id IS NOT NULL` | high | **preserve existing** (none today) |
+| `host.target.id` | `m365_defender.event.additional_fields.DestinationComputerObjectGuid` | `data_stream.dataset == "m365_defender.event" AND event.action IN ("samr-query", "dns-query")` | high | **vendor fallback** — SAMR fixture GUID |
+| `host.target.id` | `host.id` | `data_stream.dataset IN ("m365_defender.alert", "m365_defender.incident") AND host.id IS NOT NULL` | high | **de-facto** evidence device (`test-alert.log-expected.json`) |
+| `host.target.id` | `host.id` | `data_stream.dataset == "m365_defender.event" AND event.action NOT IN ("samr-query", "dns-query", "logonsuccess", "logonfailed") AND host.id IS NOT NULL` | high | **de-facto** onboarded sensor host (e.g.
`dpapiaccessed`) |
+| `host.target.name` | `host.target.name` | `host.target.name IS NOT NULL` | high | **preserve existing** |
+| `host.target.name` | `m365_defender.event.destination.device_name` | `data_stream.dataset == "m365_defender.event" AND m365_defender.event.destination.device_name IS NOT NULL` | high | **de-facto** identity query target |
+| `host.target.name` | `host.name` | `data_stream.dataset IN ("m365_defender.alert", "m365_defender.incident") AND host.name IS NOT NULL` | high | **de-facto** evidence hostname |
+| `host.target.name` | `host.name` | `data_stream.dataset == "m365_defender.event" AND event.action NOT IN ("samr-query", "dns-query", "logonsuccess", "logonfailed") AND host.name IS NOT NULL` | high | **de-facto** device telemetry target host |
+| `host.target.ip` | `host.target.ip` | `host.target.ip IS NOT NULL` | high | **preserve existing** |
+| `host.target.ip` | `destination.ip` | `data_stream.dataset == "m365_defender.event" AND destination.ip IS NOT NULL` | high | **de-facto** remote peer (`test-app-and-identity.log-expected.json`) |
+| `user.target.name` | `user.target.name` | `user.target.name IS NOT NULL` | high | **preserve existing** |
+| `user.target.name` | `m365_defender.event.query.target` | `data_stream.dataset == "m365_defender.event" AND m365_defender.event.query.target IS NOT NULL` | high | **vendor fallback** — SAMR queried group (`Server_Admin`) |
+| `user.target.email` | `user.target.email` | `user.target.email IS NOT NULL` | high | **preserve existing** |
+| `user.target.email` | `email.to.address` | `data_stream.dataset == "m365_defender.event" AND email.to.address IS NOT NULL` | high | **de-facto** mail recipient |
+| `service.target.name` | `service.target.name` | `service.target.name IS NOT NULL` | high | **preserve existing** |
+| `service.target.name` | `application.name` | `data_stream.dataset == "m365_defender.event" AND application.name IS NOT NULL` | high | **vendor fallback** — Layer 1 workload (`Active
Directory`, `Office 365`) |
+| `service.target.name` | `m365_defender.alert.service_source` | `data_stream.dataset == "m365_defender.alert" AND m365_defender.alert.service_source IS NOT NULL` | high | **vendor fallback** — Defender workload source |
+| `service.target.name` | `m365_defender.incident.alert.service_source` | `data_stream.dataset == "m365_defender.incident" AND m365_defender.incident.alert.service_source IS NOT NULL` | high | **vendor fallback** — nested alert workload |
+| `entity.target.id` | `entity.target.id` | `entity.target.id IS NOT NULL` | high | **preserve existing** |
+| `entity.target.id` | `file.hash.sha256` | `data_stream.dataset IN ("m365_defender.event", "m365_defender.alert") AND file.hash.sha256 IS NOT NULL` | high | **vendor fallback** — file artifact target |
+| `entity.target.type` | literal `"service"` / `"host"` / `"user"` | fallback branch by `event.action` / populated fields | medium | classification helper in fallback only |
+
+#### Event action mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `event.action` | `event.action` | `event.action IS NOT NULL` | high | **preserve existing** (arrays on alert/incident) |
+| `event.action` | `m365_defender.event.action.type` | `data_stream.dataset == "m365_defender.event" AND event.action IS NULL AND m365_defender.event.action.type IS NOT NULL` | medium | **vendor fallback** — BehaviorInfo/AlertInfo hunting gap; raw vendor verb |
+
+### Detection flags (mandatory — run first)
+
+Predicate tuned for Defender: actors include **`process.name`** / **`process.user.name`** (endpoint and alert evidence); targets check **`user.target.*`**, **`host.target.*`**, **`service.target.*`**, **`entity.target.*`** only (no `target.*` prefix).
**`user.id` / `user.name` / `host.ip` actor EVAL** and **target / action / `entity.target.type` EVAL** use **column-level** `IS NOT NULL` preserve — not `actor_exists` / `target_exists` / `action_exists` as the first `CASE` pair — so vendor SID/name paths and empty sibling target columns still receive fallbacks when another target tier is populated (Pass 4 §10).
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL OR user.domain IS NOT NULL
+ OR process.name IS NOT NULL OR process.user.name IS NOT NULL OR process.user.id IS NOT NULL
+ OR host.id IS NOT NULL OR host.name IS NOT NULL OR host.ip IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+### Optional classification helpers (when needed)
+
+Set **`entity.target.type`** only in the fallback branch (correct ECS name — not `target.entity.type`):
+
+```esql
+| EVAL
+ entity.target.type = CASE(
+ entity.target.type IS NOT NULL, entity.target.type,
+ data_stream.dataset == "m365_defender.event" AND application.name IS NOT NULL, "service",
+ data_stream.dataset == "m365_defender.event" AND m365_defender.event.query.target IS NOT NULL, "user",
+ data_stream.dataset == "m365_defender.event" AND m365_defender.event.destination.device_name IS NOT NULL, "host",
+ data_stream.dataset IN ("m365_defender.alert", "m365_defender.incident") AND host.id IS NOT NULL, "host",
+ data_stream.dataset == "m365_defender.event" AND email.to.address IS NOT NULL, "user",
+ null
+ )
+```
+
+### Combined ES|QL — actor fields
+
+```esql
+| EVAL
+ user.id = CASE(
+ user.id IS NOT NULL, user.id,
+ data_stream.dataset == "m365_defender.event" AND m365_defender.event.additional_fields.SourceAccountSid IS NOT NULL, m365_defender.event.additional_fields.SourceAccountSid,
+ data_stream.dataset == "m365_defender.event" AND m365_defender.event.initiating_process.account_sid IS NOT NULL, m365_defender.event.initiating_process.account_sid,
+ null
+ ),
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset == "m365_defender.event" AND m365_defender.event.initiating_process.account_name IS NOT NULL, m365_defender.event.initiating_process.account_name,
+ data_stream.dataset IN ("m365_defender.alert", "m365_defender.incident") AND process.user.name IS NOT NULL, process.user.name,
+ null
+ ),
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "m365_defender.event" AND user.name IS NULL AND source.ip IS NOT NULL, source.ip,
+ null
+ )
+```
+
+`user.email` and `user.domain` are **not** listed — ingest populates them on identity/email/cloud-app rows; `CASE(actor_exists, user.email, null)` would be a no-op. `user.id` / `user.name` omit `actor_exists` so alert `process.user.name` does not block vendor SID promotion.
+
+### Combined ES|QL — event action
+
+```esql
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "m365_defender.event" AND m365_defender.event.action.type IS NOT NULL, m365_defender.event.action.type,
+ null
+ )
+```
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ host.target.id = CASE(
+ host.target.id IS NOT NULL, host.target.id,
+ data_stream.dataset == "m365_defender.event" AND event.action IN ("samr-query", "dns-query") AND m365_defender.event.additional_fields.DestinationComputerObjectGuid IS NOT NULL, m365_defender.event.additional_fields.DestinationComputerObjectGuid,
+ data_stream.dataset IN ("m365_defender.alert", "m365_defender.incident") AND host.id IS NOT NULL, host.id,
+ data_stream.dataset == "m365_defender.event" AND event.action NOT IN ("samr-query", "dns-query", "logonsuccess", "logonfailed") AND host.id IS NOT NULL, host.id,
+ null
+ ),
+ host.target.name = CASE(
+ host.target.name IS NOT NULL, host.target.name,
+ data_stream.dataset == "m365_defender.event" AND m365_defender.event.destination.device_name IS NOT NULL, m365_defender.event.destination.device_name,
+ data_stream.dataset IN ("m365_defender.alert", "m365_defender.incident") AND host.name IS NOT NULL, host.name,
+ data_stream.dataset == "m365_defender.event" AND event.action NOT IN ("samr-query", "dns-query", "logonsuccess", "logonfailed") AND host.name IS NOT NULL, host.name,
+ null
+ ),
+ host.target.ip = CASE(
+ host.target.ip IS NOT NULL, host.target.ip,
+ data_stream.dataset == "m365_defender.event" AND destination.ip IS NOT NULL, destination.ip,
+ null
+ ),
+ user.target.name = CASE(
+ user.target.name IS NOT NULL, user.target.name,
+ data_stream.dataset == "m365_defender.event" AND m365_defender.event.query.target IS NOT NULL, m365_defender.event.query.target,
+ null
+ ),
+ user.target.email = CASE(
+ user.target.email IS NOT NULL, user.target.email,
+ data_stream.dataset == "m365_defender.event" AND email.to.address IS
NOT NULL, email.to.address,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "m365_defender.event" AND application.name IS NOT NULL, application.name,
+ data_stream.dataset == "m365_defender.alert" AND m365_defender.alert.service_source IS NOT NULL, m365_defender.alert.service_source,
+ data_stream.dataset == "m365_defender.incident" AND m365_defender.incident.alert.service_source IS NOT NULL, m365_defender.incident.alert.service_source,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset IN ("m365_defender.event", "m365_defender.alert") AND file.hash.sha256 IS NOT NULL, file.hash.sha256,
+ null
+ )
+```
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL OR user.domain IS NOT NULL
+ OR process.name IS NOT NULL OR process.user.name IS NOT NULL OR process.user.id IS NOT NULL
+ OR host.id IS NOT NULL OR host.name IS NOT NULL OR host.ip IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ user.id = CASE(user.id IS NOT NULL, user.id, data_stream.dataset == "m365_defender.event" AND m365_defender.event.additional_fields.SourceAccountSid IS NOT NULL, m365_defender.event.additional_fields.SourceAccountSid, data_stream.dataset == "m365_defender.event" AND m365_defender.event.initiating_process.account_sid IS NOT NULL, m365_defender.event.initiating_process.account_sid, null),
+
user.name = CASE(user.name IS NOT NULL, user.name, data_stream.dataset == "m365_defender.event" AND m365_defender.event.initiating_process.account_name IS NOT NULL, m365_defender.event.initiating_process.account_name, data_stream.dataset IN ("m365_defender.alert", "m365_defender.incident") AND process.user.name IS NOT NULL, process.user.name, null),
+ host.ip = CASE(host.ip IS NOT NULL, host.ip, data_stream.dataset == "m365_defender.event" AND user.name IS NULL AND source.ip IS NOT NULL, source.ip, null)
+| EVAL
+ event.action = CASE(event.action IS NOT NULL, event.action, data_stream.dataset == "m365_defender.event" AND m365_defender.event.action.type IS NOT NULL, m365_defender.event.action.type, null)
+| EVAL
+ host.target.id = CASE(host.target.id IS NOT NULL, host.target.id, data_stream.dataset == "m365_defender.event" AND event.action IN ("samr-query", "dns-query") AND m365_defender.event.additional_fields.DestinationComputerObjectGuid IS NOT NULL, m365_defender.event.additional_fields.DestinationComputerObjectGuid, data_stream.dataset IN ("m365_defender.alert", "m365_defender.incident") AND host.id IS NOT NULL, host.id, data_stream.dataset == "m365_defender.event" AND event.action NOT IN ("samr-query", "dns-query", "logonsuccess", "logonfailed") AND host.id IS NOT NULL, host.id, null),
+ host.target.name = CASE(host.target.name IS NOT NULL, host.target.name, data_stream.dataset == "m365_defender.event" AND m365_defender.event.destination.device_name IS NOT NULL, m365_defender.event.destination.device_name, data_stream.dataset IN ("m365_defender.alert", "m365_defender.incident") AND host.name IS NOT NULL, host.name, data_stream.dataset == "m365_defender.event" AND event.action NOT IN ("samr-query", "dns-query", "logonsuccess", "logonfailed") AND host.name IS NOT NULL, host.name, null),
+ host.target.ip = CASE(host.target.ip IS NOT NULL, host.target.ip, data_stream.dataset == "m365_defender.event" AND destination.ip IS NOT NULL, destination.ip, null),
+
user.target.name = CASE(user.target.name IS NOT NULL, user.target.name, data_stream.dataset == "m365_defender.event" AND m365_defender.event.query.target IS NOT NULL, m365_defender.event.query.target, null),
+ user.target.email = CASE(user.target.email IS NOT NULL, user.target.email, data_stream.dataset == "m365_defender.event" AND email.to.address IS NOT NULL, email.to.address, null),
+ service.target.name = CASE(service.target.name IS NOT NULL, service.target.name, data_stream.dataset == "m365_defender.event" AND application.name IS NOT NULL, application.name, data_stream.dataset == "m365_defender.alert" AND m365_defender.alert.service_source IS NOT NULL, m365_defender.alert.service_source, data_stream.dataset == "m365_defender.incident" AND m365_defender.incident.alert.service_source IS NOT NULL, m365_defender.incident.alert.service_source, null),
+ entity.target.id = CASE(entity.target.id IS NOT NULL, entity.target.id, data_stream.dataset IN ("m365_defender.event", "m365_defender.alert") AND file.hash.sha256 IS NOT NULL, file.hash.sha256, null)
+| KEEP @timestamp, data_stream.dataset, event.action, user.id, user.name, host.ip, host.target.id, host.target.name, host.target.ip, user.target.name, user.target.email, service.target.name, entity.target.id
+```
+
+### Streams excluded
+
+- **`m365_defender.vulnerability`** — software vulnerability inventory sync (`event.category: vulnerability`); no per-event actor/target audit semantics. Host/package/CVE describe posture state, not an auditable action pair.
+- **`m365_defender.event`** inventory hunting tables (`DeviceInfo`, `IdentityInfo`, `event.kind: asset`) — entity snapshots without a coherent action pair; skip dedicated target EVAL unless Pass 3 fields are populated.
+
+### Gaps and limitations
+
+- **Pass 4 tautology cleanup (§10)** — target / action / `entity.target.type` use per-column `IS NOT NULL` preserve (not `CASE(target_exists, host.target.name, …)` when `service.target.name` alone is set); actor `user.id` / `user.name` / `host.ip` already column-level; no `CASE(col, col, …)` identity branches.
+- **`user.email` / `user.domain` ES|QL** — **ingest-only**; do not emit `CASE(actor_exists, user.email, null)` (3-arg no-op) or 4-arg `CASE(actor_exists, user.email, , null)` (bare field parsed as condition).
+- **`user.id` / `user.name` gating** — use column-level `IS NOT NULL` preserve, not `actor_exists`, when vendor SID/name paths must apply alongside `process.user.name` on alerts.
+- **No indexed `*.target.*` today** — all target-tier columns are query-time fallbacks until ingest enhancement (`strong_candidate` in target-fields audit).
+- **`user.*` conflation on alerts/incidents** — evidence users, logged-on users, and email senders merge into flat `user.*` without `roles` guard; ES|QL cannot disambiguate without vendor `m365_defender.alert.evidence[].roles`.
+- **`source.user.*` from `assignedTo`** — SOC analyst assignee; intentionally omitted from actor EVAL to avoid threat-actor confusion.
+- **`Target.process.*`** — non-standard ECS prefix for remote API call targets; not mapped (requires ingest normalization).
+- **`m365_defender.event.target.account_upn`** — pipeline-supported but empty in most fixtures; omitted until populated.
+- **BehaviorInfo / AlertInfo hunting rows** — `event.action` fallback copies raw `m365_defender.event.action.type` (not normalized like device pipeline).
+- **Multi-valued `host.*` on alerts/incidents** — arrays from evidence flattening; consumers may need `MV_FIRST()` when scalar host targets are required.
+- **Identity logon (`logonsuccess`/`logonfailed`)** — `host.*` is source sensor; prefer `service.target.name` ← `application.name`, not `host.target.*` from `host.id`.
+- **Cloud audit rows** — may lack user principal; only `source.ip` available as weak actor context.
+- **`event.action` on alert/incident** — array of `detectionStatus` values (`detected`, `prevented`); semantically detection outcome, not hunting `ActionType` or alert title.
diff --git a/dev/domain/p1/microsoft_dhcp.md b/dev/domain/p1/microsoft_dhcp.md
new file mode 100644
index 00000000000..3f088d4ea2d
--- /dev/null
+++ b/dev/domain/p1/microsoft_dhcp.md
@@ -0,0 +1,504 @@
+# microsoft_dhcp
+
+## Product Domain (Windows Server DHCP)
+
+Windows Server DHCP is the Dynamic Host Configuration Protocol service built into Microsoft Windows Server. It automatically assigns IPv4 and IPv6 addresses, subnet masks, default gateways, DNS servers, and other network parameters to clients on a local network. DHCP is a foundational infrastructure service: every new device, workstation, or guest endpoint that joins the network typically depends on it for address assignment and name resolution integration.
+
+The service operates through scopes (address pools), leases (time-bound address grants), reservations, and options configured on one or more DHCP servers. Windows Server DHCP supports high availability via failover clustering, split scopes, and DHCP failover partnerships. It integrates with Active Directory for authorization (rogue-server detection), DNS dynamic updates for client hostname registration, Network Access Protection (NAP) policy enforcement, and relay-agent scenarios where requests traverse intermediate hops.
+
+From a security and operations perspective, DHCP activity reveals who joined the network, which addresses were assigned or denied, when leases expired or were released, DNS update success or failure, scope exhaustion, unauthorized server detection, and policy-driven packet drops. Security teams monitor DHCP logs to detect rogue DHCP servers, suspicious lease patterns, address-pool exhaustion, DNS registration abuse, and network access policy violations. Network and infrastructure teams use the same signals for troubleshooting connectivity, capacity planning, and audit trails of IP assignment.
+
+The Elastic **Microsoft DHCP** integration ingests the comma-delimited audit logs written by the Windows DHCP Server role on Windows Server 2008 and later.
Elastic Agent reads log files from the DHCP service directory (by default `DhcpSrvLog-*.log` for IPv4 and `DhcpV6SrvLog-*.log` for IPv6), parses events into ECS-aligned fields, and maps Microsoft event IDs to structured `event.action`, `event.category`, `event.type`, and `event.outcome` values. The integration is categorized under security and network, reflecting its value for both threat detection and network visibility.
+
+## Data Collected (brief)
+
+Logs only (no metrics). One data stream:
+
+| Data stream | Description |
+|---|---|
+| **log** | Microsoft DHCP Server audit logs from `DhcpSrvLog-*.log` (IPv4) and `DhcpV6SrvLog-*.log` (IPv6), collected via Elastic Agent logfile input |
+
+Parsed events include lease lifecycle (new, renew, release, deny, expire, delete), BOOTP assignments, DNS dynamic update requests and failures, NAP policy drops, rogue/unauthorized server detection, failover standby drops, IP cleanup operations, and log service start/stop/pause. Key ECS fields: `event.code`, `event.action`, `event.outcome`, `source.ip`, `source.mac`, `source.domain`, `user.name`, and `observer.*` (DHCP server identity). Vendor-specific fields under `microsoft.dhcp.*` capture transaction IDs, NAP correlation IDs, relay-agent info, DHCID, vendor/user class options, DNS error codes, DUID (v6), and subnet prefix length.
+
+## Expected Audit Log Entities
+
+The integration has one **`log`** data stream of true Windows Server DHCP audit logs (not metrics or inventory sync). IPv4 (`DhcpSrvLog-*.log`) and IPv6 (`DhcpV6SrvLog-*.log`) share ECS fields but route to separate sub-pipelines via `log.file.path` (`default.yml` → `dhcp.yml` / `dhcpv6.yml`). Client-initiated transactions map the DHCP **client** into ECS **`source.*`**; the collecting Windows Server appears as **`observer.*`** / **`host.*`** (Elastic Agent metadata in `sample_event.json`).
**No ECS `*.target.*` fields are populated** and the package is **not listed in `destination_identity_hits.csv`** — there is no `destination.user.*` or `destination.host.*` de-facto target pattern. Target-fields audit classified this package as **`none`** (`dev/target-fields-audit/out/target_enhancement_packages.csv`).
+
+**`event.action` is populated for most Microsoft DHCP event IDs** via painless lookup tables in `dhcp.yml` and `dhcpv6.yml` that map `event.code` (CSV column 1) to normalized action labels. Fixtures confirm populated actions (`dhcp-new`, `dhcp-dns-update`, `dhcpv6-solicit`, `rogue-server-detection`, etc.) in `sample_event.json`, `test-log.log-expected.json`, and `test-logv6.log-expected.json`. **Gaps:** eight IPv4 codes (`13`, `14`, `20`–`23`, `33`, `36`) and DHCPv6 code **`1103`** (AD authorization) have categorization params but **no `action` key** — those events leave `event.action` empty despite a descriptive `message` column.
+
+### Event action (semantic)
+
+Windows DHCP audit logs record lease lifecycle, DNS dynamic updates, NAP/failover drops, rogue-server authorization, log service control, and database cleanup. The pipeline normalizes Microsoft numeric event IDs into ECS `event.action` strings.
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `dhcp-new` | configuration_change | high | Code `10`; fixtures `test-log.log-expected.json` (`192.168.2.10`, `192.168.10.40`) | **`log`** (IPv4) — new lease assigned |
+| `dhcp-renew` | configuration_change | high | Code `11`; `dhcp.yml:79-85` | **`log`** (IPv4) — lease renewed |
+| `dhcp-release` | configuration_change | high | Code `12`; `dhcp.yml:87-93` | **`log`** (IPv4) — client released lease |
+| `dhcp-deny` | configuration_change | high | Code `15`; `dhcp.yml:109-116` | **`log`** (IPv4) — lease denied |
+| `dhcp-delete` | configuration_change | high | Code `16`; `dhcp.yml:118-124` | **`log`** (IPv4) — lease deleted from database |
+| `dhcp-expire` | configuration_change | high | Codes `17`/`18`; fixture code `17` (`67.43.156.15`) | **`log`** (IPv4) — lease expired (with/without DNS record cleanup) |
+| `dhcp-dns-update` | configuration_change | high | Codes `30`–`35`, `32`; fixtures codes `30`/`31`/`35`; `sample_event.json` code `35` | **`log`** (IPv4) — DNS dynamic update request/success/failure |
+| `rogue-server-detection` | administration | high | Codes `50`–`64`; fixtures codes `55`, `60`, `63` | **`log`** (IPv4) — AD authorization / unauthorized DHCP server detection |
+| `ip-cleanup-start` / `ip-cleanup-end` | administration | high | Codes `24`/`25`; fixture code `24` | **`log`** (IPv4) — IP address cleanup batch operations |
+| `log-start` / `log-end` / `log-pause` | administration | high | Codes `00`–`02`; fixtures codes `00`/`01` | **`log`** (IPv4) — DHCP audit log service lifecycle |
+| *(missing)* IP in use / scope exhausted / BOOTP / NAP drop / failover drop | configuration_change / detection | moderate | Codes `13`, `14`, `20`–`23`, `33`, `36`; fixture code `36` has `message` but **no `event.action`** | **`log`** (IPv4) — pipeline params omit `action` key; `message` CSV column holds vendor text |
+| `dhcpv6-solicit`
/ `dhcpv6-request` | configuration_change | high | Codes `11000`/`11002`; fixtures in `test-logv6.log-expected.json` | **`log`** (IPv6) — DHCPv6 client protocol messages |
+| `dhcpv6-advertise` / `dhcpv6-confirm` / `dhcpv6-renew` / `dhcpv6-rebind` / `dhcpv6-decline` / `dhcpv6-release` / `dhcpv6-info-request` | configuration_change | high | Codes `11001`–`11008`; `dhcpv6.yml:47-101` | **`log`** (IPv6) — full DHCPv6 message-type coverage in pipeline |
+| `ipv6-dns-update-request` / `ipv6-dns-update-failed` / `ipv6-dns-update-successful` / `ipv6-dns-update-request-failed` | configuration_change | high | Codes `11022`–`11024`, `11028`–`11029`; `dhcpv6.yml:181-218` | **`log`** (IPv6) — IPv6 DNS dynamic update lifecycle |
+| `dhcpv6-scope-full` / `dhcpv6-bad-address` / `dhcpv6-address-in-use` / `dhcpv6-client-deleted` / `dhcpv6-expired` / `dhcpv6-lease-expired-deleted` | configuration_change | high | Codes `11009`, `11014`–`11019`; `dhcpv6.yml:102-167` | **`log`** (IPv6) — scope exhaustion, bad address, lease expiry |
+| `dhcpv6-cleanup-start` / `dhcpv6-cleanup-end` | administration | high | Codes `11020`/`11021`; `dhcpv6.yml:169-180` | **`log`** (IPv6) — IPv6 lease database cleanup |
+| `dhcpv6-stateless-clients-pruged` / `dhcpv6-stateless-clients-expired` | administration | high | Codes `11030`/`11031`; fixture code `11030` | **`log`** (IPv6) — stateless client record purge (note pipeline typo `pruged`) |
+| `log-start` / `log-stop` / `log-pause` / `log-file` | administration | high | Codes `11010`–`11013`; fixtures `11010`/`11011` | **`log`** (IPv6) — DHCPv6 log service lifecycle |
+| *(missing)* `Authorized(servicing)` | administration | high | Code **`1103`**; fixtures `test-logv6.log-expected.json` — `message: Authorized(servicing)`, **`event.action` absent** | **`log`** (IPv6) — AD authorization for DHCPv6 server; not in `dhcpv6.yml` params |
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct?
| Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `event.action` | yes (most codes) | yes | `dhcp-dns-update` (code `35`, `sample_event.json`); `dhcp-new` (code `10`); `dhcpv6-solicit`/`dhcpv6-request` (codes `11000`/`11002`); `rogue-server-detection` (code `55`) | no | ← painless script `dhcp.yml:43-371`, `dhcpv6.yml:35-242` copies `action` from params keyed by `event.code` |
+| `event.code` | n/a (source key) | yes | `10`, `35`, `11000`, `1103` | no | ← CSV column 1 (`dhcp.yml:8`, `dhcpv6.yml:7`); primary lookup key for action derivation |
+| `message` | no | n/a | `Packet dropped because of Client ID hash mismatch or standby server.` (code `36`); `Authorized(servicing)` (code `1103`) | **yes** (fallback only) | ← CSV column 4; human-readable vendor description when `action` param missing — not copied to `event.action` today |
+| *(proposed)* code `13` action | no | n/a | `dhcp-address-in-use` | **yes** | `dhcp.yml:94-100` — params have `reason`/`type` only |
+| *(proposed)* code `14` action | no | n/a | `dhcp-scope-exhausted` | **yes** | `dhcp.yml:100-107` |
+| *(proposed)* code `20`/`21` action | no | n/a | `dhcp-bootp-new` / `dhcp-bootp-dynamic-new` | **yes** | `dhcp.yml:138-151` |
+| *(proposed)* code `22`/`23` action | no | n/a | `dhcp-bootp-deny` / `dhcp-bootp-delete` | **yes** | `dhcp.yml:152-167` |
+| *(proposed)* code `33` action | no | n/a | `dhcp-nap-drop` | **yes** | `dhcp.yml:204-210` — NAP policy packet drop |
+| *(proposed)* code `36` action | no | n/a | `dhcp-failover-drop` | **yes** | `dhcp.yml:228-235`; fixture code `36` confirms empty `event.action` |
+| *(proposed)* code `1103` action | no | n/a | `dhcpv6-authorized` or `rogue-server-detection` | **yes** | Not in `dhcpv6.yml` params; fixtures show code `1103` with `source.domain: test.local` on authorization row |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence |
Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| DHCP client (IPv4) | host | — | high | `source.ip`, `source.mac`, `source.address`, `source.domain` ← CSV columns (`dhcp.yml`); fixtures: `dhcp-new` code `10` (`192.168.2.10`, MAC `00-00-00-00-00-00`), `dhcp-dns-update` code `30`/`35` (`172.28.43.169` / `057182593757.test.com`), failover drop code `36` (`172.28.52.0`, MAC `76-69-1E-D4-5C-90`) | **`log`** (IPv4) — lease lifecycle (`10`–`18`, `20`–`23`), DNS updates (`30`–`35`), NAP/failover drops (`33`, `36`); client initiating or affected by the transaction |
+| DHCP client (IPv6) | host | — | high | `source.ip` (IPv6), `source.address`, `source.domain`, `microsoft.dhcp.duid.hex` / `duid.length` (`dhcpv6.yml`); fixtures: `dhcpv6-solicit` / `dhcpv6-request` codes `11000`/`11002` with `2a02:cf40:…:6fc6`, DUID `0004A34473BFC27FC55B25E86AF0E1761DAA` | **`log`** (IPv6) — DUID is the stable client identifier when MAC is absent |
+| User-class option (IPv4) | user | — | low | `user.name` ← CSV column (`dhcp.yml`, `ecs.yml`); optional `microsoft.dhcp.user.string` / `user.hex` | **`log`** (IPv4) — DHCP user-class option, not an interactive security principal; **no populated `user.name` in package fixtures** |
+| Vendor-class fingerprint | general | device-class | moderate | `microsoft.dhcp.vendor.string`, `vendor.hex` (`fields.yml`, `dhcp.yml`); fixtures: `MSFT 5.0` (code `10`), `COM.
COM OfficeTele … Switch` (code `10` with long client-id MAC) | **`log`** (IPv4 assign/renew) — client hardware/software class hint; supplements identity when hostname is empty |
+| DHCP relay agent | general | network-relay | moderate | `microsoft.dhcp.relay_agent_info` (`dhcp.yml`); fixture: `0x0106766C323E3580` on code `10` assign (`192.168.10.40`) | **`log`** (IPv4 relay scenarios) — intermediate hop that forwarded the client request |
+| DHCP server (observer) | host | — | high | `observer.hostname`, `observer.ip`, `observer.mac`, `host.name`, `host.ip`, `host.mac` (`default.yml`, `sample_event.json`, `ecs.yml`) | **`log`** — Windows Server running the DHCP role; sole actor on **log service** (`00`–`02`, `11010`–`11011`), **IP cleanup** (`24`–`25`, `11020`–`11021`, `11030`), and **rogue detection retries** with empty client columns (code `63`) |
+| Active Directory domain (auth context) | general | ad-domain | moderate | `source.address`, `source.domain` on rogue/authorization rows (`dhcp.yml`, `dhcpv6.yml`); fixtures: `domain.local` (code `55`), `DOMAIN.LOCAL` → lowercase `domain.local` (code `60`), `test.local` (DHCPv6 code `1103`) | **`log`** — rogue-server detection (`50`–`64`, DHCPv6 `1103`); AD domain against which server authorization is evaluated, not a DHCP client |
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct?
| Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `source.ip` | DHCP client endpoint / leased address | yes | partial | high | ← CSV IP column (`dhcp.yml`, `dhcpv6.yml`); populated in lease, DNS, and drop fixtures; semantically the client initiator but **same field holds the leased IP target** on assign events |
+| `source.mac` | IPv4 client hardware ID | yes | yes | high | ← CSV MAC column, uppercased and hyphenated (`dhcp.yml:399-410`); `00-00-00-00-00-00`, `76-69-1E-D4-5C-90`, long client-id MAC on code `10` fixture |
+| `source.address`, `source.domain` | Client hostname or AD domain name | yes | partial | high | ← CSV hostname column, lowercased; copied to `source.domain` (`dhcp.yml:28-34`); `host.test.com` on assign, `domain.local` on rogue auth — hostname is client identity; domain name on rogue events is AD auth context, not client hostname |
+| `user.name` | DHCP user-class option string | yes (pipeline) | partial | low | ← CSV user column (`dhcp.yml:15`); declared in `ecs.yml`; **no fixture populates field** — not an interactive account per ECS User field set |
+| `microsoft.dhcp.duid.hex`, `microsoft.dhcp.duid.length` | IPv6 client DUID | yes (vendor) | n/a | high | ← CSV columns (`dhcpv6.yml`); solicit/request fixtures |
+| `microsoft.dhcp.vendor.string`, `microsoft.dhcp.vendor.hex` | Client vendor-class option | yes (vendor) | n/a | moderate | ← CSV columns (`dhcp.yml`); `MSFT 5.0`, HP switch string in code `10` fixtures |
+| `microsoft.dhcp.user.string`, `microsoft.dhcp.user.hex` | Client user-class option (vendor copy) | yes (vendor) | n/a | low | ← CSV columns (`dhcp.yml`); schema present, no fixture coverage |
+| `microsoft.dhcp.relay_agent_info` | Relay-agent option 82 | yes (vendor) | n/a | moderate | ← CSV column (`dhcp.yml`); `0x0106766C323E3580` on relay assign fixture |
+| `microsoft.dhcp.transaction_id` | DHCP transaction correlation | yes (vendor) | n/a | high | ← CSV column; `17739`, `3096562285`, `3327778676` in assign
fixtures — transaction artifact, not an actor identity |
+| `observer.hostname`, `observer.ip`, `observer.mac` | Logging DHCP server | yes | yes | high | Elastic Agent metadata in `sample_event.json`; observer identity for the Windows Server host, not the DHCP client actor on client events |
+| `host.name`, `host.ip`, `host.mac`, `host.hostname`, `host.domain` | Collecting agent host enrichment | yes | yes | high | Copied from `observer.*` / `agent.*` in `default.yml:25-66`; server-side context, not client actor |
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Platform / service | Windows Server DHCP role providing address assignment | Microsoft DHCP Server | service | — | moderate | `observer.*` / `host.*` identify the server; `event.action`/`event.code` categorize service operations; no `cloud.service.name` or `service.name` set | **`log`** — on-premises infrastructure service; Layer 1 inferred from observer + event type, not a dedicated ECS service target field |
+| 2 — Resource / object | Leased IPv4/IPv6 address | IP lease | host | — | high | `source.ip` on assign/renew/release/deny/expire/BOOTP/DHCPv6 events; fixtures: `192.168.2.10`, `192.168.10.40`, `67.43.156.15` (expire code `17`), IPv6 `2a02:cf40:…:6fc6` | **`log`** — address granted, renewed, released, denied, or expired; **colocated with client identity in `source.*`** |
+| 2 — Resource / object | DNS hostname / dynamic registration | FQDN | general | dns-name | high | `source.address`, `source.domain` on DNS update and assign rows; `event.action: dhcp-dns-update` / `ipv6-dns-update-*` (codes `30`–`35`, `11022`–`11029`); fixtures: `host.test.com`, `057182593757.test.com`, `hostname.test.com` | **`log`** — FQDN being registered, updated, or failing update |
+| 2 — Resource / object | DHCP scope / lease database | Address pool / DB | general |
dhcp-scope | low | Implicit on scope-exhaustion (`14`, `22`, `11009`), lease delete/expire (`16`–`18`, `11016`–`11019`), database cleanup (`24`–`25`, `11020`–`11021`), stateless purge (`11030`); no dedicated ECS target field | **`log`** — capacity/housekeeping events; infer from `event.code` and `message` only |
+| 2 — Resource / object | AD DHCP authorization state | AD domain authorization | general | ad-domain | moderate | `source.domain` on rogue-server events (codes `55`, `60`; DHCPv6 `1103` with `test.local`); `event.action: rogue-server-detection` | **`log`** — directory authorization being checked or changed |
+| 2 — Resource / object | NAP / quarantine policy outcome | NAP policy result | general | nap-policy | low | `microsoft.dhcp.result`, `result_description`, `correlation_id`, `probation_time`; fixtures: `NoQuarantine` / `No Quarantine Information` (`result: 0`/`6`) on most rows | **`log`** — policy enforcement (`33`, quarantine-related result codes) |
+| 2 — Resource / object | Unauthorized / peer DHCP server | Competing DHCP server | host | — | low | Described in `event.reason` for codes `57`, `61`, `62` (`dhcp.yml`); **not mapped** to ECS or `microsoft.dhcp.*` | **`log`** — rogue-server detection; vendor message only |
+| 3 — Content / artifact | DHCID DNS record | DHCID record | general | dhcp-dns-record | moderate | `microsoft.dhcp.dhc_id` (`fields.yml`, CSV column in both pipelines) | **`log`** — DHCID tying client to DNS record; schema present, sparse fixture coverage |
+| 3 — Content / artifact | DNS update outcome / error | DNS error code | general | dns-error | high | `microsoft.dhcp.dns_error_code` (`dhcp.yml`); fixtures: `0` (success), `10054` (failed update code `31`) | **`log`** — server-side DNS outcome for dynamic update events |
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate?
| Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `source.ip` | 2 | host | yes | partial | `host.target.ip` | **yes** | ← CSV IP column; on assign/renew events this is the **leased address** (target) while also representing the client endpoint (actor) — actor/target conflation in one field |
+| `source.address`, `source.domain` | 2/3 | general | yes | partial | `host.target.name` | **yes** | ← CSV hostname column; DNS FQDN target on update/assign events (`host.test.com`, `057182593757.test.com`); on rogue events holds AD domain name (`domain.local`) — context/target varies by event type |
+| `source.mac` | 2 | host | yes | partial | `host.target.mac` | yes | ← CSV MAC; client hardware ID that also identifies the lease holder; same conflation as `source.ip` |
+| `microsoft.dhcp.dhc_id` | 3 | general | yes (vendor) | n/a | `entity.target.id` | yes | ← CSV column (`dhcp.yml`, `dhcpv6.yml`); DHCID DNS record identifier; vendor-only |
+| `microsoft.dhcp.dns_error_code` | 3 | general | yes (vendor) | n/a | context-only | no | ← CSV column; DNS update outcome artifact (`10054` on code `31` fixture) |
+| `microsoft.dhcp.result`, `microsoft.dhcp.result_description` | 2 | general | yes (vendor) | n/a | context-only | no | Derived from CSV result column + painless script (`dhcp.yml:372-390`); NAP/quarantine policy outcome |
+| `microsoft.dhcp.correlation_id`, `microsoft.dhcp.probation_time` | 2 | general | yes (vendor) | n/a | context-only | no | ← CSV columns (`dhcp.yml`); NAP correlation metadata |
+| `microsoft.dhcp.subnet_prefix` | 2 | general | yes (vendor) | n/a | context-only | no | ← CSV column (`dhcpv6.yml`); IPv6 prefix length context |
+| `microsoft.dhcp.error_code` | 3 | general | yes (vendor) | n/a | context-only | no | ← CSV column (`dhcpv6.yml`); DHCPv6 server error code |
+| `event.reason` | 2 | host | yes | partial | context-only | no | Set from event-code script (`dhcp.yml:44-371`); describes unauthorized peer DHCP servers (codes `57`, `61`,
`62`) — prose only, no structured target identity |
+| `observer.hostname`, `observer.ip`, `host.name`, `host.ip` | 1 | host | yes | n/a | context-only | no | Elastic Agent metadata (`default.yml`, `sample_event.json`); identifies the **logging DHCP server**, not the acted-upon target on client lease events |
+
+### Gaps and mapping notes
+
+- **No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `destination.*` fields** — target-fields audit classifies enhancement priority as **`none`**; package absent from **`destination_identity_hits.csv`**.
+- **`event.action` gaps (IPv4)** — codes `13`, `14`, `20`–`23`, `33`, `36` have `event.category`/`event.type`/`event.reason` from the painless script but **no `action` key**; fixture code `36` confirms empty `event.action`. Recommended additions: `dhcp-address-in-use`, `dhcp-scope-exhausted`, `dhcp-bootp-new`, `dhcp-bootp-dynamic-new`, `dhcp-bootp-deny`, `dhcp-bootp-delete`, `dhcp-nap-drop`, `dhcp-failover-drop`.
+- **`event.action` gap (IPv6)** — code **`1103`** (`Authorized(servicing)`) is absent from `dhcpv6.yml` params; fixtures show only `message` and `event.code`. Recommend `dhcpv6-authorized` or align with IPv4 `rogue-server-detection` family.
+- **Action derivation is code-driven, not message-driven** — `event.action` ← painless lookup on `event.code` (`dhcp.yml:366-371`, `dhcpv6.yml:237-242`); the CSV `message` column maps to top-level `message`, not `event.action`.
+- **Actor/target conflation in `source.*`** — Microsoft CSV maps client IP, hostname, and MAC into `source.ip`, `source.address`/`source.domain`, and `source.mac`. On lease-assignment events the same `source.ip` is both the **client endpoint (actor)** and the **leased address (target)**. Disambiguate with `event.action`/`event.code` and pair `source.ip` with `source.mac` (v4) or `microsoft.dhcp.duid.*` (v6).
+- **`source.address`/`source.domain` dual semantics** — on client events these hold the client hostname/FQDN (Layer 2/3 DNS target); on rogue-server detection events they hold the **AD domain name** (`domain.local`, `test.local`) as authorization context — not a network client hostname.
+- **`user.name`** maps the DHCP **user-class option**, not an interactive security principal — **Mapping correct?: partial**; no fixture populates the field today.
+- **`observer.*` / `host.*`** represent the Windows Server running the DHCP role (Layer 1 context and actor on server-only events like log start/stop and cleanup), not the DHCP client.
+- **Unauthorized peer DHCP servers** (codes `57`, `61`, `62`) appear only in `event.reason` prose — no ECS or `microsoft.dhcp.*` structured target identity; vendor gap for rogue-server IP/hostname.
+- **`microsoft.dhcp.dhc_id`** is the best vendor candidate for Layer 3 DHCID record target migration to `entity.target.id` — schema and pipeline mapping exist but fixtures do not populate it.
+- For human user attribution beyond DHCP user-class options, rely on complementary integrations (Windows Security / Entra ID, endpoint agents).
+
+### Per-stream notes
+
+- **`log` (IPv4 — `DhcpSrvLog-*.log`)** — Full CSV schema via `dhcp.yml`: MAC, user-class, vendor-class, relay-agent, NAP/quarantine, DNS error codes, rogue-server detection (`50`–`64`). Richest actor/target identity. **`event.action`** covers lease lifecycle (`dhcp-new`, `dhcp-renew`, `dhcp-release`, `dhcp-deny`, `dhcp-delete`, `dhcp-expire`), DNS updates (`dhcp-dns-update`), rogue auth (`rogue-server-detection`), cleanup (`ip-cleanup-*`), and log service (`log-start`/`log-end`/`log-pause`). Eight codes lack action mapping (see gaps).
+- **`log` (IPv6 — `DhcpV6SrvLog-*.log`)** — Slimmer CSV via `dhcpv6.yml`: DUID replaces MAC, `subnet_prefix` and `error_code` instead of NAP/relay columns.
DHCPv6 protocol actions (`dhcpv6-solicit` through `dhcpv6-info-request`) and granular IPv6 DNS update actions (`ipv6-dns-update-*`). Rogue authorization code **`1103`** missing from action lookup table.
+
+## Example Event Graph
+
+Examples below come from the single **`log`** data stream (true Windows Server DHCP audit logs). IPv4 events route through `dhcp.yml` (`DhcpSrvLog-*.log`); IPv6 events route through `dhcpv6.yml` (`DhcpV6SrvLog-*.log`).
+
+### Example 1: IPv4 new lease assigned
+
+**Stream:** `microsoft_dhcp.log` · **Fixture:** `packages/microsoft_dhcp/data_stream/log/_dev/test/pipeline/test-log.log-expected.json`
+
+```
+DHCP client (host.test.com) → dhcp-new → IP lease 192.168.2.10
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | `00-00-00-00-00-00` |
+| name | `host.test.com` |
+| type | host |
+
+**Field sources:**
+
+- `id` ← `source.mac`
+- `name` ← `source.address`
+- On assign events, `source.ip` holds the newly leased address — treat as target resource, not actor network identity.
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | `dhcp-new` |
+| source_field | `event.action` |
+| source_value | `dhcp-new` |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | `192.168.2.10` |
+| type | general |
+| sub_type | ip_lease |
+| ip | `192.168.2.10` |
+
+**Field sources:**
+
+- `id` / `ip` ← `source.ip` (leased address granted to the client)
+- `sub_type` ← `event.action: dhcp-new`, `event.reason: A new IP address was leased to a client.`
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: host.test.com"] --> E["dhcp-new"]
+ E --> T["Target: IP lease 192.168.2.10"]
+```
+
+### Example 2: IPv4 DNS dynamic update failed
+
+**Stream:** `microsoft_dhcp.log` · **Fixture:** `packages/microsoft_dhcp/data_stream/log/sample_event.json`
+
+```
+DHCP client (host.test.com) → dhcp-dns-update → DNS dynamic update service
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | `00-00-00-00-00-00` |
+| name | `host.test.com` |
+| type | host |
+| ip | `192.168.2.1` |
+
+**Field sources:**
+
+- `id` ← `source.mac`
+- `name` ← `source.address`
+- `ip` ← `source.ip`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | `dhcp-dns-update` |
+| source_field | `event.action` |
+| source_value | `dhcp-dns-update` |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| name | DNS dynamic update service |
+| type | service |
+| sub_type | dns |
+
+**Field sources:**
+
+- **semantic — not indexed in fixture** — inferred from `event.reason: DNS update request failed.` and successful-code-30 reason `DNS update request to the named DNS server.` (`dhcp.yml`); no DNS server hostname or IP in this row
+- Client FQDN `host.test.com` in `source.domain` identifies the actor-side host requesting registration, not the DNS service being contacted
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: host.test.com"] --> E["dhcp-dns-update"]
+ E --> T["Target: DNS dynamic update service"]
+```
+
+### Example 3: IPv6 client solicit
+
+**Stream:** `microsoft_dhcp.log` · **Fixture:** `packages/microsoft_dhcp/data_stream/log/_dev/test/pipeline/test-logv6.log-expected.json`
+
+```
+DHCPv6 client (test-host) → dhcpv6-solicit → Microsoft DHCP service
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | `0004A34473BFC27FC55B25E86AF0E1761DAA` |
+| name | `test-host` |
+| type | host |
+
+**Field sources:**
+
+- `id` ← `microsoft.dhcp.duid.hex` (stable IPv6 client identifier; MAC absent in fixture)
+- `name` ← `source.address`
+- `source.ip` (`2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`) is the client link address in the solicit log row — not the DHCP server target
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | `dhcpv6-solicit` |
+| source_field | `event.action` |
+| source_value | `dhcpv6-solicit` |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| name | Microsoft DHCP service |
+| type | service |
+| sub_type | dhcp |
+
+**Field sources:**
+
+- **semantic — not indexed in fixture** — solicit events (`event.code: 11000`) describe a client requesting lease service; no server IP or hostname in the log row
+- `log.file.path: DhcpV6SrvLog-Thu.txt` and `message: DHCPV6 Solicit` confirm Windows Server DHCPv6 server context
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: test-host"] --> E["dhcpv6-solicit"]
+ E --> T["Target: Microsoft DHCP service"]
+```
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (single `log` data stream from `manifest.yml`; Tier A fixtures in `sample_event.json`, `test-log.log-expected.json`, `test-logv6.log-expected.json`). Router: **`data_stream.dataset == "microsoft_dhcp.log"`** with secondary **`event.action`** (and `event.code` when action is absent) to split DHCP **client** (`source.*`, `microsoft.dhcp.duid.*`) from **leased IP / DNS / AD authorization** targets on rows where Microsoft maps both roles into `source.*`.
Pass 4 is **fill-gaps-only**: detection flags run first; every `CASE` uses valid **3-arg** (`CASE(boolean, value, default)`), **5-arg** (`CASE(col IS NOT NULL, col, boolean, fallback, null)`), or **7+ arg** multi-branch forms — never **4-arg** `CASE(flag, col, bare_field, null)` where the bare field parses as a **condition**, not a fallback. Target and ingest-absent actor columns use **column-level** ` IS NOT NULL` preserve — not `CASE(target_exists, host.target.ip, …)` (another `*.target.*` column can set `target_exists` while `host.target.ip` is still empty). **`host.name` / `host.ip`** use **vendor fallbacks only** (no `host.name IS NOT NULL` / `CASE(actor_exists, host.name, …)` preserve — Agent copies collecting-server identity into `host.*` / `observer.*`, `default.yml` L25–53). **`host.ip` / `host.name` are excluded from `actor_exists`**. No ECS `*.target.*` at ingest today.
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `microsoft_dhcp.log` | IPv4 lease lifecycle (`dhcp-new`, `dhcp-renew`, …) | host | host (leased IP) | partial |
+| `microsoft_dhcp.log` | IPv4 DNS dynamic update (`dhcp-dns-update`) | host | service (dns) | partial |
+| `microsoft_dhcp.log` | IPv6 protocol / lease (`dhcpv6-*`, `ipv6-dns-update-*`) | host | host, service (dhcp) | partial |
+| `microsoft_dhcp.log` | Rogue / AD authorization (`rogue-server-detection`, code `1103`) | general (ad-domain) | general (ad-domain) | partial |
+| `microsoft_dhcp.log` | Server-only (log service, cleanup, stateless purge) | — | — | none |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `host.name` | `source.address` | `data_stream.dataset == "microsoft_dhcp.log" AND event.action != "rogue-server-detection" AND event.code != "1103" AND source.address IS NOT
NULL` | high | **vendor fallback** — client hostname/FQDN; fixtures `host.test.com`, `test-host`; **ingest-only — no ES\|QL preserve** on `host.name` (Agent `agent.name` copy) |
+| `host.ip` | `source.ip` | `data_stream.dataset == "microsoft_dhcp.log" AND event.action NOT IN ("dhcp-new", "dhcp-renew", "dhcp-release", "dhcp-deny", "dhcp-delete", "dhcp-expire", "dhcpv6-bad-address", "dhcpv6-address-in-use", "dhcpv6-client-deleted", "dhcpv6-expired", "dhcpv6-lease-expired-deleted", "log-start", "log-end", "log-pause", "log-stop", "ip-cleanup-start", "ip-cleanup-end", "dhcpv6-cleanup-start", "dhcpv6-cleanup-end", "dhcpv6-stateless-clients-pruged", "dhcpv6-stateless-clients-expired", "rogue-server-detection") AND (source.mac IS NOT NULL OR microsoft.dhcp.duid.hex IS NOT NULL)` | high | **vendor fallback** — client link address; omit on assign/expire where `source.ip` is the lease (Pass 3); **ingest-only — no ES\|QL preserve** on `host.ip` (`observer.ip` copy) |
+| `entity.id` | `microsoft.dhcp.duid.hex` | `data_stream.dataset == "microsoft_dhcp.log" AND microsoft.dhcp.duid.hex IS NOT NULL` | high | **vendor fallback** — IPv6 client DUID; fixture `0004A34473BFC27FC55B25E86AF0E1761DAA` |
+| `entity.id` | `source.mac` | `data_stream.dataset == "microsoft_dhcp.log" AND source.mac IS NOT NULL AND source.mac != "00-00-00-00-00-00"` | high | **vendor fallback** — hardware ID when non-zero; fixtures `76-69-1E-D4-5C-90` |
+| `entity.type` | literal `"host"` | `data_stream.dataset == "microsoft_dhcp.log" AND (source.mac IS NOT NULL OR microsoft.dhcp.duid.hex IS NOT NULL) AND event.action != "rogue-server-detection"` | high | **semantic literal** — DHCP client classification |
+| `entity.name` | `source.domain` | `data_stream.dataset == "microsoft_dhcp.log" AND (event.action == "rogue-server-detection" OR event.code == "1103") AND source.domain IS NOT NULL` | high | **vendor fallback** — AD domain auth context; fixtures `domain.local`, `test.local` |
+
+#### Target mappings
+
+|
Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `host.target.ip` | `host.target.ip` | `host.target.ip IS NOT NULL` | high | **preserve existing** — column-level |
+| `host.target.ip` | `source.ip` | `data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-new", "dhcp-renew", "dhcp-release", "dhcp-deny", "dhcp-delete", "dhcp-expire", "dhcpv6-bad-address", "dhcpv6-address-in-use", "dhcpv6-client-deleted", "dhcpv6-expired", "dhcpv6-lease-expired-deleted")` | high | **vendor fallback** — leased address; fixtures `192.168.2.10`, `67.43.156.15`, IPv6 `2a02:cf40:…:6fc6` on lifecycle rows |
+| `host.target.name` | `host.target.name` | `host.target.name IS NOT NULL` | high | **preserve existing** — column-level |
+| `host.target.name` | `source.address` | `data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-new", "dhcp-dns-update", "ipv6-dns-update-request", "ipv6-dns-update-successful", "ipv6-dns-update-failed", "ipv6-dns-update-request-failed") AND source.address IS NOT NULL` | high | **vendor fallback** — FQDN being registered/assigned |
+| `service.target.name` | literal `"DNS dynamic update service"` | `data_stream.dataset == "microsoft_dhcp.log" AND event.action == "dhcp-dns-update"` | low | **semantic literal** — Pass 3 Example 2; not indexed |
+| `service.target.name` | literal `"Microsoft DHCP service"` | `data_stream.dataset == "microsoft_dhcp.log" AND event.action == "dhcpv6-solicit"` | low | **semantic literal** — Pass 3 Example 3; not indexed |
+| `entity.target.name` | `source.domain` | `data_stream.dataset == "microsoft_dhcp.log" AND (event.action == "rogue-server-detection" OR event.code == "1103") AND source.domain IS NOT NULL` | high | **vendor fallback** — AD authorization target |
+| `entity.target.type` | literal `"general"` | `data_stream.dataset == "microsoft_dhcp.log" AND (event.action == "rogue-server-detection" OR event.code == "1103")` |
medium | **semantic literal** |
+| `entity.target.sub_type` | literal `"ad-domain"` | `data_stream.dataset == "microsoft_dhcp.log" AND (event.action == "rogue-server-detection" OR event.code == "1103")` | medium | **semantic literal** |
+| `entity.target.type` | literal `"host"` | `data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-new", "dhcp-renew", "dhcp-release", "dhcp-deny", "dhcp-delete", "dhcp-expire")` | high | **semantic literal** — leased IP resource |
+| `entity.target.sub_type` | literal `"ip_lease"` | `data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-new", "dhcp-renew", "dhcp-release", "dhcp-deny", "dhcp-delete", "dhcp-expire")` | high | **semantic literal** — Pass 3 Example 1 |
+| `entity.target.type` | literal `"service"` | `data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-dns-update", "ipv6-dns-update-request", "ipv6-dns-update-successful", "ipv6-dns-update-failed", "ipv6-dns-update-request-failed", "dhcpv6-solicit")` | low | **semantic literal** |
+| `entity.target.sub_type` | literal `"dns"` / `"dhcp"` | `data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-dns-update", "ipv6-dns-update-request", "ipv6-dns-update-successful", "ipv6-dns-update-failed", "ipv6-dns-update-request-failed")` OR `event.action == "dhcpv6-solicit"` | low | **semantic literal** — sub_type `"dns"` vs `"dhcp"` split in ES\|QL block |
+
+### Detection flags (mandatory — run first)
+
+`actor_exists` omits **`host.ip` and `host.name`** — Agent metadata populates those with the collecting Windows Server, not the DHCP client. `target_exists` checks official `*.target.*` columns only (ingest does not populate them today).
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+### Optional classification helpers (when needed)
+
+Set `entity.target.type` / `entity.target.sub_type` in the target `EVAL` fallback branch only (correct ECS names — not `target.entity.type`).
+
+### Combined ES|QL — actor fields
+
+Do not preserve ingest `host.name` / `host.ip` (Agent/observer metadata). `entity.id` / `entity.name` / `entity.type` use column-level preserve when indexed; pipeline does not set them today.
+
+**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. Wrong: `CASE(entity.id IS NOT NULL, entity.id, source.mac, null)` (4 args — `source.mac` is a **condition**). Right: `CASE(entity.id IS NOT NULL, entity.id, data_stream.dataset == "microsoft_dhcp.log" AND source.mac IS NOT NULL, source.mac, null)` (5 args).
+
+```esql
+| EVAL
+ host.name = CASE(
+ data_stream.dataset == "microsoft_dhcp.log" AND event.action != "rogue-server-detection" AND event.code != "1103" AND source.address IS NOT NULL, source.address,
+ null
+ ),
+ host.ip = CASE(
+ data_stream.dataset == "microsoft_dhcp.log" AND event.action NOT IN ("dhcp-new", "dhcp-renew", "dhcp-release", "dhcp-deny", "dhcp-delete", "dhcp-expire", "dhcpv6-bad-address", "dhcpv6-address-in-use", "dhcpv6-client-deleted", "dhcpv6-expired", "dhcpv6-lease-expired-deleted", "log-start", "log-end", "log-pause", "log-stop", "ip-cleanup-start", "ip-cleanup-end", "dhcpv6-cleanup-start", "dhcpv6-cleanup-end", "dhcpv6-stateless-clients-pruged", "dhcpv6-stateless-clients-expired", "rogue-server-detection") AND (source.mac IS NOT NULL OR microsoft.dhcp.duid.hex IS NOT NULL) AND source.ip IS NOT NULL, source.ip,
+ null
+ ),
+ entity.id = CASE(
+ entity.id IS NOT NULL, entity.id,
+ data_stream.dataset == "microsoft_dhcp.log" AND microsoft.dhcp.duid.hex IS NOT NULL, microsoft.dhcp.duid.hex,
+ data_stream.dataset == "microsoft_dhcp.log" AND source.mac IS NOT NULL AND source.mac != "00-00-00-00-00-00", source.mac,
+ null
+ ),
+ entity.type = CASE(
+ entity.type IS NOT NULL, entity.type,
+ data_stream.dataset == "microsoft_dhcp.log" AND (source.mac IS NOT NULL OR microsoft.dhcp.duid.hex IS NOT NULL) AND event.action != "rogue-server-detection", "host",
+ null
+ ),
+ entity.name = CASE(
+ entity.name IS NOT NULL, entity.name,
+ data_stream.dataset == "microsoft_dhcp.log" AND (event.action == "rogue-server-detection" OR event.code == "1103") AND source.domain IS NOT NULL, source.domain,
+ null
+ )
+```
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ host.target.ip = CASE(
+ host.target.ip IS NOT NULL, host.target.ip,
+ data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-new", "dhcp-renew", "dhcp-release", "dhcp-deny", "dhcp-delete", "dhcp-expire", "dhcpv6-bad-address", "dhcpv6-address-in-use", "dhcpv6-client-deleted",
"dhcpv6-expired", "dhcpv6-lease-expired-deleted") AND source.ip IS NOT NULL, source.ip, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-new", "dhcp-dns-update", "ipv6-dns-update-request", "ipv6-dns-update-successful", "ipv6-dns-update-failed", "ipv6-dns-update-request-failed") AND source.address IS NOT NULL, source.address, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "microsoft_dhcp.log" AND event.action == "dhcp-dns-update", "DNS dynamic update service", + data_stream.dataset == "microsoft_dhcp.log" AND event.action == "dhcpv6-solicit", "Microsoft DHCP service", + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "microsoft_dhcp.log" AND (event.action == "rogue-server-detection" OR event.code == "1103") AND source.domain IS NOT NULL, source.domain, + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "microsoft_dhcp.log" AND (event.action == "rogue-server-detection" OR event.code == "1103"), "general", + data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-new", "dhcp-renew", "dhcp-release", "dhcp-deny", "dhcp-delete", "dhcp-expire"), "host", + data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-dns-update", "ipv6-dns-update-request", "ipv6-dns-update-successful", "ipv6-dns-update-failed", "ipv6-dns-update-request-failed", "dhcpv6-solicit"), "service", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "microsoft_dhcp.log" AND (event.action == "rogue-server-detection" OR event.code == "1103"), "ad-domain", + data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-new", "dhcp-renew", "dhcp-release", "dhcp-deny", 
"dhcp-delete", "dhcp-expire"), "ip_lease", + data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-dns-update", "ipv6-dns-update-request", "ipv6-dns-update-successful", "ipv6-dns-update-failed", "ipv6-dns-update-request-failed"), "dns", + data_stream.dataset == "microsoft_dhcp.log" AND event.action == "dhcpv6-solicit", "dhcp", + null + ) +``` + +### Full pipeline fragment (optional) + +```esql +FROM logs-* +| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +| EVAL + host.name = CASE(data_stream.dataset == "microsoft_dhcp.log" AND event.action != "rogue-server-detection" AND event.code != "1103" AND source.address IS NOT NULL, source.address, null), + host.ip = CASE(data_stream.dataset == "microsoft_dhcp.log" AND event.action NOT IN ("dhcp-new", "dhcp-renew", "dhcp-release", "dhcp-deny", "dhcp-delete", "dhcp-expire", "dhcpv6-bad-address", "dhcpv6-address-in-use", "dhcpv6-client-deleted", "dhcpv6-expired", "dhcpv6-lease-expired-deleted", "log-start", "log-end", "log-pause", "log-stop", "ip-cleanup-start", "ip-cleanup-end", "dhcpv6-cleanup-start", "dhcpv6-cleanup-end", "dhcpv6-stateless-clients-pruged", "dhcpv6-stateless-clients-expired", "rogue-server-detection") AND (source.mac IS NOT NULL OR microsoft.dhcp.duid.hex IS NOT NULL) AND source.ip IS NOT NULL, source.ip, null), + entity.id = CASE( + entity.id IS NOT NULL, entity.id, + data_stream.dataset == "microsoft_dhcp.log" AND microsoft.dhcp.duid.hex IS NOT NULL, 
microsoft.dhcp.duid.hex,
+ data_stream.dataset == "microsoft_dhcp.log" AND source.mac IS NOT NULL AND source.mac != "00-00-00-00-00-00", source.mac,
+ null
+ ),
+ entity.type = CASE(
+ entity.type IS NOT NULL, entity.type,
+ data_stream.dataset == "microsoft_dhcp.log" AND (source.mac IS NOT NULL OR microsoft.dhcp.duid.hex IS NOT NULL) AND event.action != "rogue-server-detection", "host",
+ null
+ ),
+ entity.name = CASE(
+ entity.name IS NOT NULL, entity.name,
+ data_stream.dataset == "microsoft_dhcp.log" AND (event.action == "rogue-server-detection" OR event.code == "1103") AND source.domain IS NOT NULL, source.domain,
+ null
+ )
+| EVAL
+ host.target.ip = CASE(host.target.ip IS NOT NULL, host.target.ip, data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-new", "dhcp-renew", "dhcp-release", "dhcp-deny", "dhcp-delete", "dhcp-expire", "dhcpv6-bad-address", "dhcpv6-address-in-use", "dhcpv6-client-deleted", "dhcpv6-expired", "dhcpv6-lease-expired-deleted") AND source.ip IS NOT NULL, source.ip, null),
+ host.target.name = CASE(host.target.name IS NOT NULL, host.target.name, data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-new", "dhcp-dns-update", "ipv6-dns-update-request", "ipv6-dns-update-successful", "ipv6-dns-update-failed", "ipv6-dns-update-request-failed") AND source.address IS NOT NULL, source.address, null),
+ service.target.name = CASE(service.target.name IS NOT NULL, service.target.name, data_stream.dataset == "microsoft_dhcp.log" AND event.action == "dhcp-dns-update", "DNS dynamic update service", data_stream.dataset == "microsoft_dhcp.log" AND event.action == "dhcpv6-solicit", "Microsoft DHCP service", null),
+ entity.target.name = CASE(entity.target.name IS NOT NULL, entity.target.name, data_stream.dataset == "microsoft_dhcp.log" AND (event.action == "rogue-server-detection" OR event.code == "1103") AND source.domain IS NOT NULL, source.domain, null),
+ entity.target.type = CASE(entity.target.type IS NOT NULL,
entity.target.type, data_stream.dataset == "microsoft_dhcp.log" AND (event.action == "rogue-server-detection" OR event.code == "1103"), "general", data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-new", "dhcp-renew", "dhcp-release", "dhcp-deny", "dhcp-delete", "dhcp-expire"), "host", data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-dns-update", "ipv6-dns-update-request", "ipv6-dns-update-successful", "ipv6-dns-update-failed", "ipv6-dns-update-request-failed", "dhcpv6-solicit"), "service", null),
+ entity.target.sub_type = CASE(entity.target.sub_type IS NOT NULL, entity.target.sub_type, data_stream.dataset == "microsoft_dhcp.log" AND (event.action == "rogue-server-detection" OR event.code == "1103"), "ad-domain", data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-new", "dhcp-renew", "dhcp-release", "dhcp-deny", "dhcp-delete", "dhcp-expire"), "ip_lease", data_stream.dataset == "microsoft_dhcp.log" AND event.action IN ("dhcp-dns-update", "ipv6-dns-update-request", "ipv6-dns-update-successful", "ipv6-dns-update-failed", "ipv6-dns-update-request-failed"), "dns", data_stream.dataset == "microsoft_dhcp.log" AND event.action == "dhcpv6-solicit", "dhcp", null)
+| KEEP @timestamp, data_stream.dataset, event.action, event.code, host.name, host.ip, entity.id, entity.name, host.target.ip, host.target.name, service.target.name, entity.target.type, entity.target.sub_type
+```
+
+### Streams excluded
+
+- **Server-only events** (`log-start`, `log-end`, `log-pause`, `log-stop`, `ip-cleanup-start`, `ip-cleanup-end`, `dhcpv6-cleanup-start`, `dhcpv6-cleanup-end`, `dhcpv6-stateless-clients-pruged`, `dhcpv6-stateless-clients-expired`) — no DHCP client in `source.*`; `observer.*` / Agent `host.*` is the logging server, not mapped as client actor to avoid false positives.
+
+### Gaps and limitations
+
+- **`host.name` / `host.ip` ES|QL (Pass 4 tautology)** — ingest copies Agent/observer identity (`default.yml` L25–53); do not emit `CASE(actor_exists, host.name, …)` or `CASE(actor_exists, host.ip, …)`; query-time maps `source.address` / `source.ip` only when `event.action` guards apply.
+- **`entity.id` ES|QL** — pipeline does not set `entity.id`; omit `CASE(actor_exists, entity.id, entity.id, …)`; fallbacks `microsoft.dhcp.duid.hex` / `source.mac` only.
+- **`source.*` actor/target conflation** — `source.ip` is both client link and leased address; `event.action` guards reduce error but fail on IPv4 codes `13`, `14`, `20`–`23`, `33`, `36` and DHCPv6 code `1103` where **`event.action` is empty** (Pass 2 enhancement candidates).
+- **`event.action` block omitted** — action is ingest-derived from `event.code` for most rows; no safe query-time fallback without parsing `message` (would guess on codes `36`, `1103`).
+- **`user.name`** — DHCP user-class option; no fixture population; omitted.
+- **Unauthorized peer DHCP servers** — codes `57`, `61`, `62` describe competitors in `event.reason` only; no structured target identity.
+- **`microsoft.dhcp.dhc_id`** — pipeline maps DHCID; fixtures do not populate; omitted from `entity.target.id`.
+- **Zero MAC `00-00-00-00-00-00`** — common in fixtures; `entity.id` falls through to DUID on IPv6 only.
+- **Pass 2 alignment** — ingest-time promotion of `source.*` → `host.target.*` remains the preferred long-term fix; Pass 4 fills gaps without overwriting populated values.
+- **Pass 4 CASE syntax** — actor `host.name` / `host.ip` use odd-arity vendor-only `CASE` (no `host.name IS NOT NULL` preserve — Agent metadata); `entity.id` / `entity.type` / `entity.name` and all `*.target.*` columns use column-level **5-arg** / **7-arg** `CASE( IS NOT NULL, , …, null)`, not **4-arg** `CASE(target_exists, host.target.ip, source.ip, null)` (`source.ip` parses as a condition).
Full pipeline fragment aligned with combined `EVAL` blocks.
diff --git a/dev/domain/p1/microsoft_intune.md b/dev/domain/p1/microsoft_intune.md
new file mode 100644
index 00000000000..97a1af44d61
--- /dev/null
+++ b/dev/domain/p1/microsoft_intune.md
@@ -0,0 +1,403 @@
+# microsoft_intune
+
+## Product Domain (Microsoft Intune MDM/UEM)
+
+Microsoft Intune is a cloud-based Unified Endpoint Management (UEM) platform and a core component of Microsoft Endpoint Manager. Organizations use Intune to enroll, configure, secure, and maintain mobile and desktop endpoints across iOS, Android, Windows, and macOS. It provides Mobile Device Management (MDM) for full device control and Mobile Application Management (MAM) for application-level policies on personal and corporate devices, integrated with Microsoft Entra ID (Azure AD) for identity, conditional access, and compliance enforcement.
+
+Core concepts in the Intune domain include managed devices (identified by Intune device ID, Entra device ID, serial number, and hardware identifiers), compliance policies and configuration profiles, app protection and deployment, device enrollment methods (Autopilot, Apple ADE, Android Enterprise, BYOD), and ownership models (corporate vs. personal). Devices report inventory and compliance state on check-in; administrators assign policies, deploy applications, initiate remote actions (wipe, retire, sync), and monitor fleet posture through the Microsoft Intune admin center and Microsoft Graph APIs.
+
+From a security and operations perspective, Intune generates two primary telemetry types exported via Azure Monitor: audit logs of administrative and system actions, and managed device inventory snapshots. Audit events capture who performed an operation (user or application actor), what Intune resources were targeted, property changes, and success or failure outcomes. Managed device records capture hardware and OS attributes, compliance state, encryption and jailbreak/root status, enrollment and last-contact timestamps, primary user context, and storage and carrier details.
Security teams use this data to monitor endpoint posture, track policy and configuration changes, investigate administrative activity, and correlate Intune-managed fleet state with broader SIEM investigations.
+
+The Elastic Microsoft Intune integration ingests both streams via Elastic Agent consuming Azure Event Hub. Intune diagnostic logs (AuditLogs and IntuneDevices categories) are forwarded from Azure Monitor to Event Hub; the agent reads events in real time, processes them through ingest pipelines, and indexes ECS-aligned documents with Kibana dashboards for managed device inventory and audit activity.
+
+## Data Collected (brief)
+
+- **Managed Device** (`microsoft_intune.managed_device`): Device inventory records from the IntuneDevices diagnostic log category, including device identifiers (Intune device ID, Entra reference ID, serial, IMEI/MEID), hardware (manufacturer, model, SKU), OS platform and version, compliance state, encryption and supervised/jailbroken status, enrollment and registration state, last contact, ownership, primary user (UPN, email, display name), storage capacity, Wi-Fi MAC, and Android patch level.
+- **Audit** (`microsoft_intune.audit`): Administrative and operational audit events from the AuditLogs category, including operation name, activity type and result (success/failure), actor context (user UPN, application name, object ID, actor type, delegated admin flag, permissions), target resources (display names, object IDs, modified property old/new values), correlation and relation IDs, additional contextual details, and tenant identifiers.
+- **Host and user context**: ECS host fields derived from device inventory (name, OS, serial); user email and related user arrays from audit identity and managed device primary user; observer metadata identifying Microsoft Intune as the source.
+
+## Expected Audit Log Entities
+
+Two data streams: **`audit`** is a true administrative audit log (`event.category: configuration`, `event.type: change`) with explicit Actor and Target blocks from Azure Monitor AuditLogs; **`managed_device`** is periodic device inventory sync (`event.category: host`, `event.type: info`) — not an audit stream; actor/target audit semantics do not apply. **`event.action` is populated on both streams** — normalized from Azure Monitor `operationName` via ingest pipeline (lowercase, whitespace → hyphen). On **`audit`**, values name Intune admin operations (e.g. `delete-devicemanagementconfigurationpolicy`); on **`managed_device`**, the constant `devices` is a diagnostic category label, not a per-event admin verb. No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*` fields are populated. The package is not in `destination_identity_hits.csv` (no `destination.user.*` / `destination.host.*`); audit maps target display names to `destination.domain` instead. Target-fields audit classifies `microsoft_intune` as **`strong_candidate`** with `pipeline_actor=true`, `fixture_strong=true`, and no tier-A ECS target mapping (`dev/target-fields-audit/out/target_enhancement_packages.csv`).
+
+Evidence: `packages/microsoft_intune/data_stream/audit/` and `managed_device/` — `elasticsearch/ingest_pipeline/default.yml`, `fields/fields.yml`, `test-audit.log-expected.json`, `test-managed-device.log-expected.json`.
+
+### Event action (semantic)
+
+Azure Monitor AuditLogs carry a native **`operationName`** (PascalCase verb + resource, e.g. `Delete DeviceManagementConfigurationPolicy`). The pipeline normalizes this to ECS `event.action` (lowercase, hyphen-separated). Fixture-covered audit actions are configuration lifecycle operations on Intune device-management policies and assignments.
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `delete-devicemanagementconfigurationpolicy` | configuration_change | high | `test-audit.log-expected.json` event 1; vendor `operationName: Delete DeviceManagementConfigurationPolicy` | **`audit`** — deletes policy `Testing1` (`AccountQuotaEntity: DeviceConfiguration`); `event.outcome: success`, `event.type: change` |
+| `create-devicemanagementconfigurationpolicyassignment` | configuration_change | high | `test-audit.log-expected.json` events 2–3; vendor `operationName: Create DeviceManagementConfigurationPolicyAssignment` | **`audit`** — assigns policy to Entra group `3ac2074d-022f-42c3-9aa8-6b20d85fe2ca`; `AccountQuotaEntity: DeviceConfigurationAssignment` |
+| `devices` | inventory_sync | high | `test-managed-device.log-expected.json` (all events); vendor `operationName: Devices`, `category: Devices` | **`managed_device`** — stream/category label for periodic inventory export; no meaningful per-event admin verb |
+
+**`managed_device`** has no per-event administrative action — records are device posture snapshots keyed by `DeviceId` / `LastContact` fingerprint, not operator-initiated changes. Treat `event.action: devices` as diagnostic stream identity, not an audit verb.
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate?
| Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `json.operationName` → `event.action` (via `microsoft_intune.*.operation_name`) | yes | yes | `delete-devicemanagementconfigurationpolicy`, `create-devicemanagementconfigurationpolicyassignment`, `devices` | no | `audit/default.yml` L77–85, L86–108 (`set_event_action_from_audit_operationName`, lowercase/split/join); `managed_device/default.yml` L408–439 |
+| `microsoft_intune.audit.operation_name` / `microsoft_intune.managed_device.operation_name` | yes (vendor duplicate) | yes | Raw PascalCase values preserved when `preserve_duplicate_custom_fields` tag set | no | Removed by default (`remove_custom_duplicate_fields`); fixtures retain vendor copy |
+| `microsoft_intune.audit.properties.activity_type` | no | n/a | `0` (create assignment), `1` (delete policy) — numeric activity discriminator | partial | Converted to string in pipeline L127–131; complements `operationName` but not copied to `event.action` |
+| `microsoft_intune.audit.properties.activity_result_status` | no | n/a | `1` (success in fixtures) | no | Numeric result code; `event.outcome` already mapped from `resultType: Success` |
+| `event.type` / `event.category` / `event.outcome` | n/a (downstream) | yes | `change` + `configuration` on audit; `info` + `host` on managed_device; `success` on audit | partial | Static appends / `resultType` copy — enrichments keyed on stream type, not independent action sources; do not substitute for `event.action` |
+
+**Step 2b — per-stream check:**
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`?
| Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `audit` | yes (all 3 events) | yes | `json.operationName` → `event.action` (normalized) | high | `audit/default.yml` L77–108; fixtures: `delete-devicemanagementconfigurationpolicy`, `create-devicemanagementconfigurationpolicyassignment` |
+| `managed_device` | yes (all 3 events) | yes | `json.operationName` (`Devices` → `devices`) | high (mapping) / n/a (audit semantics) | `managed_device/default.yml` L408–439; constant `devices` — inventory category, not admin operation |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Entra ID administrator (user actor) | user | — | high | `json.identity` → `user.email`; `properties.Actor.ObjectId` → `user.id`; `properties.Actor.UPN` → `related.user`; `properties.Actor.Name` → `user.name` when present (`audit/default.yml`); fixtures: `john.doe@example.com`, `dan.robert@example.com`, `john.isk@example.com` with object ID `1ce0bf0b-1a79-4caf-b932-4658cf273074`; `ActorType: 1` | **`audit`** — human admin performing policy create/delete/assign |
+| Application client (portal/API) | service | — | high | `properties.Actor.ApplicationName` → `service.name`; `properties.Actor.Application` (app ID GUID) retained under `microsoft_intune.audit.properties.actor.application` (`audit/default.yml`); fixture: `Microsoft Intune portal extension` (`5926fc8e-304e-4f59-8bed-58ca97cc39a4`) | **`audit`** — client application acting on behalf of the signed-in user; pairs with user actor fields |
+| Delegated partner administrator | user | — | moderate | `properties.Actor.IsDelegatedAdmin`, `properties.Actor.PartnerTenantId` → `microsoft_intune.audit.properties.actor.is_delegated_admin`, `partner_tenant_id` (`fields.yml`, `audit/default.yml`); `false` / zero GUID in all fixtures | **`audit`** — MSP/partner scenario; schema present, not
exercised in fixtures |
+
+**No actor identity:** **`managed_device`** — inventory snapshots have no initiating principal; `user.*` fields describe the device's primary user association, not who performed an action.
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `user.email` | Admin UPN / audit identity | yes | yes | high | `json.identity` copy (`set_user_email_from_audit_identity`); fixtures match `Actor.UPN` |
+| `user.id` | Entra object ID of actor | yes | yes | high | `properties.Actor.ObjectId` → `user.id` copy; fixture `1ce0bf0b-1a79-4caf-b932-4658cf273074` |
+| `user.name` | Actor display name | yes | n/a | low | `properties.Actor.Name` copy; null in all audit fixtures |
+| `service.name` | Client application name | yes | yes | high | `properties.Actor.ApplicationName` → `service.name`; fixture `Microsoft Intune portal extension` |
+| `related.user` | Actor UPN enrichment | yes | yes | high | Appends `identity` and `Actor.UPN` (`append_audit_identity_into_related_user`, `append_audit_properties_Actor_UPN_into_related_user`) |
+| `microsoft_intune.audit.properties.actor.*` | Full actor block (type, app ID, permissions, delegation) | no (vendor-only after dedup) | n/a | high | `application`, `actor_type`, `is_delegated_admin`, `partner_tenant_id`, `user_permissions` retained when `preserve_duplicate_custom_fields` tag set |
+| `event.provider` | Logging service name | yes | yes (context) | medium | `properties.loggedByService` → `event.provider` when present; not in fixtures |
+| `cloud.account.id` | Entra tenant scope | yes | yes (scope) | high | `tenantId` → `cloud.account.id`; fixture `3adb963c-8e61-48e8-a06d-6dbb0dacea39` — organizational scope, not an actor |
+| `observer.product` / `observer.vendor` | Source platform constant | yes | yes (context) | high | Static `Microsoft Intune` / `Microsoft` (`ecs.yml` both streams) — collector/source
metadata, not event actor |
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Platform / cloud service | UEM platform whose API was invoked | Microsoft Intune / Device Management | service | — | high | `observer.product: Microsoft Intune`; `event.action` values `delete-devicemanagementconfigurationpolicy`, `create-devicemanagementconfigurationpolicyassignment`; `AccountQuotaEntity` in `additional_detail.parsed` | **`audit`** — invoked Intune admin/Graph surface; no `cloud.service.name` set |
+| 2 — Resource / object | Intune configuration object acted upon | Device management configuration policy | general | intune-policy | high | `target_display_names`, `target_object_ids`, `properties.targets[].name`; fixture policy `Testing1` / ID `916dc511-df99-45da-8eb6-1ac55579e16f` on delete | **`audit`** — `AccountQuotaEntity: DeviceConfiguration` |
+| 2 — Resource / object | Assignment linking policy to scope | Policy assignment | general | intune-assignment | high | `operation_name: Create DeviceManagementConfigurationPolicyAssignment`; `AccountQuotaEntity: DeviceConfigurationAssignment`; composite assignment IDs in `target_object_ids` | **`audit`** — assignment create fixtures |
+| 2 — Resource / object | Entra group receiving policy | Entra ID group | general | entra-group | high | `modified_properties` entry `Target.GroupId` → `3ac2074d-022f-42c3-9aa8-6b20d85fe2ca`; `Target.Type: GroupAssignmentTarget` | **`audit`** — policy assignment target group |
+| 2 — Resource / object | Optional assignment filter | Assignment filter | general | intune-filter | moderate | `Target.DeviceAndAppManagementAssignmentFilterId`, `Target.DeviceAndAppManagementAssignmentFilterType` in `modified_properties`; `` / `None` in fixtures | **`audit`** — schema present, null in fixtures |
+| 2 — Resource / object | Managed endpoint (inventory
subject) | Enrolled device | host | — | high | `DeviceName` → `host.name`; `DeviceId` → `device.id`; `ReferenceId` (Entra device ID); fixtures: `CLW555TEST`, `C-LAB-14`, `DESKTOP-13TAS32` | **`managed_device`** — inventory subject, not an admin-action target |
+| 3 — Content / artifact | Before/after property changes | Modified policy properties | general | configuration-delta | high | `properties.targets[].modified_properties[]` with `name`, `old`, `new`; fixture: `Name` old→new on delete; assignment fields (`Id`, `Source`, `SourceId`, `DeviceManagementAPIVersion`) on create | **`audit`** — granular change evidence |
+| 3 — Content / artifact | Evaluated posture attributes | Device compliance state | general | compliance-state | high | `CompliantState`, `DeviceState`, `EncryptionStatusString`, `JailBroken`, `SupervisedStatusString` (`managed_device/fields.yml`, fixtures) | **`managed_device`** — posture snapshot on inventory subject |
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `observer.product` | 1 | service | yes | yes (context) | context-only | no | Static `Microsoft Intune` — platform identity; pipeline does not set `cloud.service.name` |
+| `destination.domain` | 2 | general | yes | **partial** | `entity.target.name` | yes | `properties.Targets[].Name` appended via foreach (`append_properties_Targets_Name_into_destination_domain`); fixture `["Testing1"]` — policy display name, not a DNS domain |
+| `microsoft_intune.audit.properties.target_object_ids` | 2 | general | no | n/a | `entity.target.id` | yes | GUIDs e.g.
`916dc511-df99-45da-8eb6-1ac55579e16f`; canonical resource IDs, vendor-only |
+| `microsoft_intune.audit.properties.target_display_names` | 2 | general | no | n/a | `entity.target.name` | yes | Parallel to `destination.domain`; vendor-only duplicate of display names |
+| `microsoft_intune.audit.properties.targets[]` | 2 / 3 | general | no | n/a | `entity.target.*` | yes | Full target array with `modified_properties`; richest target structure; vendor-only |
+| `microsoft_intune.audit.properties.additional_detail.parsed` | 2 | general | no | n/a | context-only | no | `AccountQuotaEntity`, `GroupPropertyNames` — entity type hints |
+| `host.name` / `device.id` / `device.serial_number` | 2 | host | yes | yes (inventory subject) | `host.target.*` | yes | **`managed_device`** — endpoint identity; inventory semantics, not audit target |
+| `microsoft_intune.managed_device.properties.reference_id` | 2 | host | no | n/a | `host.target.id` | yes | Entra device object ID (e.g. `f18bd540-d5e4-46e0-8ddd-3d03a59e4e14`); cross-link to Entra |
+| `user.id` / `user.email` / `user.name` | 2 | user | yes | partial | context-only | no | **`managed_device`** — primary user on endpoint; association context, not audit target user |
+| `cloud.account.id` | 1 | general | yes | yes (scope) | context-only | no | Tenant ID on both streams — organizational scope |
+
+### Gaps and mapping notes
+
+- **`event.action` well-mapped on audit** — `operationName` → normalized `event.action` is correct and populated in all audit fixtures. Optional enhancement: also expose raw PascalCase `operationName` in ECS when dedup tag absent, or map `activity_type` as supplementary context (not a replacement for `event.action`).
+- **`event.action: devices` on managed_device is weak semantically** — technically mapped but reflects Azure diagnostic category, not an operator action; document as inventory stream label when correlating with audit events.
+- **No ECS `*.target.*` today** — audit target identity lives in vendor `microsoft_intune.audit.properties.target_*` and a misapplied `destination.domain`. Enhancement: map `target_object_ids` → `entity.target.id`, display names → `entity.target.name`, and typed resources (policy, group, assignment) by `AccountQuotaEntity` / `modified_properties`.
+- **`destination.domain` is a partial de-facto target mapping** — pipeline appends Intune resource display names (`Targets[].Name`) to `destination.domain`, which ECS defines for network destination hostnames. Semantically an audit target name, not a network peer; should migrate to `entity.target.name`.
+- **Vendor target fields are canonical but unmapped to ECS** — `target_object_ids`, `targets[].modified_properties` (including `Target.GroupId`) are the best source of truth for Layer 2/3 targets; only display names partially surface via `destination.domain`.
+- **`user.*` on managed_device is not actor or audit target** — primary user fields describe device ownership/assignment on inventory records; do not conflate with admin actor or acted-upon user in audit events.
+- **No `destination.user.*` / `destination.host.*`** — package absent from `destination_identity_hits.csv`; no de-facto user/host target pattern beyond the `destination.domain` misuse.
+- **Layer 1 gap: no `cloud.service.name`** — platform service inferred from `observer.product` and audit `event.action` operation prefixes only; static `cloud.service.name: intune` would improve Layer 1 target consistency.
+- **Target-fields audit alignment** — `strong_candidate`: explicit audit Actor block with ECS actor mappings (`pipeline_actor=true`, `fixture_strong=true`), rich vendor target paths (`vendor_target_special_cases.csv`: 14 `*target*` hits on audit stream), but zero tier-A ECS target fields.
+
+### Per-stream notes
+
+#### `audit`
+
+True administrative audit log from Azure Monitor AuditLogs.
**`event.action`** names the Intune admin operation (normalized from `operationName`). Actor: Entra user (`user.email`, `user.id`) plus client application (`service.name`). Target Layer 1: Microsoft Intune Device Management API. Layer 2: configuration policies, assignments, and Entra groups (via `modified_properties`). Layer 3: property deltas in `targets[].modified_properties`. Correlate with fleet state via `target_object_ids` and group IDs against **`managed_device`** `device.id` / `reference_id`. + +#### `managed_device` + +Periodic inventory sync from IntuneDevices category — not an audit event. **`event.action: devices`** is a diagnostic stream label, not an admin verb. No actor. The managed endpoint (`host.*`, `device.*`) is the inventory subject; primary user fields provide association context only. Compliance and hardware attributes are evaluated state on the subject, not admin-action targets. Use alongside **`audit`** for posture and change correlation. + +## Example Event Graph + +Examples below come from the **`audit`** stream — true Azure Monitor AuditLogs with explicit Actor and Target blocks. The **`managed_device`** stream is periodic inventory sync (`event.action: devices` is a diagnostic category label, not an admin verb); it has no initiating operator, so no meaningful Actor → action → Target chain applies. 
+ +### Example 1: Delete configuration policy + +**Stream:** `microsoft_intune.audit` · **Fixture:** `packages/microsoft_intune/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json` (event 1) + +``` +Entra admin (john.doe@example.com) → delete-devicemanagementconfigurationpolicy → Device configuration policy Testing1 +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | `1ce0bf0b-1a79-4caf-b932-4658cf273074` | +| name | john.doe@example.com | +| type | user | + +**Field sources:** + +- `id` ← `user.id` (`properties.Actor.ObjectId`) +- `name` ← `user.email` (`properties.Actor.UPN`) +- Client application context (not primary actor): `service.name` ← `properties.Actor.ApplicationName` → `Microsoft Intune portal extension` + +#### Event action + +| Field | Value | +| --- | --- | +| action | `delete-devicemanagementconfigurationpolicy` | +| source_field | `event.action` | +| source_value | `delete-devicemanagementconfigurationpolicy` | + +#### Target + +| Field | Value | +| --- | --- | +| id | `916dc511-df99-45da-8eb6-1ac55579e16f` | +| name | `Testing1` | +| type | general | +| sub_type | intune-policy | + +**Field sources:** + +- `id` ← `microsoft_intune.audit.properties.target_object_ids[0]` +- `name` ← `destination.domain[0]` (de-facto mapping from `properties.Targets[].Name`; semantically a policy display name, not a DNS domain) + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: john.doe@example.com"] --> E["delete-devicemanagementconfigurationpolicy"] + E --> T["Target: Testing1 (intune-policy)"] +``` + +### Example 2: Assign configuration policy to Entra group + +**Stream:** `microsoft_intune.audit` · **Fixture:** `packages/microsoft_intune/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json` (event 2) + +``` +Entra admin (dan.robert@example.com) → create-devicemanagementconfigurationpolicyassignment → Policy assignment to Entra group 3ac2074d-022f-42c3-9aa8-6b20d85fe2ca +``` + +#### Actor + +| Field | Value | +| --- | --- 
| +| id | `1ce0bf0b-1a79-4caf-b932-4658cf273074` | +| type | user | + +**Field sources:** + +- `id` ← `user.id` (`properties.Actor.ObjectId`) +- Actor UPN also in `user.email` / `related.user` → `dan.robert@example.com` + +#### Event action + +| Field | Value | +| --- | --- | +| action | `create-devicemanagementconfigurationpolicyassignment` | +| source_field | `event.action` | +| source_value | `create-devicemanagementconfigurationpolicyassignment` | + +#### Target + +| Field | Value | +| --- | --- | +| id | `3ac2074d-022f-42c3-9aa8-6b20d85fe2ca` | +| type | general | +| sub_type | entra-group | + +**Field sources:** + +- `id` ← `microsoft_intune.audit.properties.targets[].modified_properties` where `name: Target.GroupId` → `new: 3ac2074d-022f-42c3-9aa8-6b20d85fe2ca` +- Policy display name `Testing` at `microsoft_intune.audit.properties.target_display_names[0]` — assignment context, not the group name (group display name absent in fixture) +- Assignment composite ID also available: `microsoft_intune.audit.properties.target_object_ids[1]` → `54d05a58-d055-423d-8d51-593688f81f84_3ac2074d-022f-42c3-9aa8-6b20d85fe2ca` + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: dan.robert@example.com"] --> E["create-devicemanagementconfigurationpolicyassignment"] + E --> T["Target: Entra group 3ac2074d…"] +``` + +## ES|QL Entity Extraction + +**Package type: agent-backed.** Router: `data_stream.dataset` (`microsoft_intune.audit`, `microsoft_intune.managed_device` from `manifest.yml` policy template). **Full extraction on `microsoft_intune.audit` only** — fixtures populate ECS actor fields; target identity is vendor-backed with a de-facto `destination.domain` name. **`microsoft_intune.managed_device` excluded** — inventory sync, not audit semantics. All fallback sources are Tier A (`test-audit.log-expected.json`, `audit/default.yml`). Every `CASE` uses column-level preserve: `CASE(col IS NOT NULL, col, cond AND src IS NOT NULL, src, null)` — never `field[n]` indexing. 
+ +### Dataset inventory + +| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction | +| --- | --- | --- | --- | --- | +| `microsoft_intune.audit` | administrative audit | user, service | general (policy, assignment, group), service (platform) | full | +| `microsoft_intune.managed_device` | device inventory sync | — | — | none | + +### Field mapping plan + +#### Actor mappings + +| Output column | Source field(s) | Condition | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `user.id` | — | — | high | **ingest-only** — `properties.Actor.ObjectId` → `user.id` (`audit/default.yml` L178–182); omit from ES\|QL | +| `user.name` | `user.name`, `user.email` | `user.name IS NOT NULL` → preserve; else `data_stream.dataset == "microsoft_intune.audit"` | high | Column-level preserve — do not gate on `actor_exists` (`user.email` is set while `Actor.Name` → `user.name` is null in all fixtures) | +| `user.email` | — | — | high | **ingest-only** — `json.identity` → `user.email` (L65–69); omit from ES\|QL | +| `service.name` | — | — | high | **ingest-only** — `ApplicationName` → `service.name` (L148–152); omit from ES\|QL | + +#### Target mappings + +| Output column | Source field(s) | Condition | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `entity.target.id` | `entity.target.id` | preserve if not null | high | Column-level preserve | +| `entity.target.id` | `MV_FIRST(microsoft_intune.audit.properties.target_object_ids)` | `data_stream.dataset == "microsoft_intune.audit" AND event.action == "delete-devicemanagementconfigurationpolicy"` | high | Fixture: array has exactly 1 element (`["916dc511-…"]`); `MV_FIRST` is safe | +| `entity.target.id` | — | `data_stream.dataset == "microsoft_intune.audit" AND event.action == "create-devicemanagementconfigurationpolicyassignment"` | — | **ingest-only** — `target_object_ids` has 2 elements: index 0 = policy ID, index 1 = composite assignment ID (`policyId_groupId`); index 1 
has semantic meaning (specific element), cannot be reliably extracted at query time; ingest should normalize bare group GUID to `entity.target.id` | +| `entity.target.name` | `entity.target.name` | preserve if not null | high | Column-level preserve | +| `entity.target.name` | `MV_FIRST(destination.domain)` | `data_stream.dataset == "microsoft_intune.audit" AND event.action == "delete-devicemanagementconfigurationpolicy"` | high | Fixture: `destination.domain` has exactly 1 element (`["Testing1"]`); `MV_FIRST` is safe | +| `entity.target.name` | `MV_FIRST(microsoft_intune.audit.properties.target_display_names)` | `data_stream.dataset == "microsoft_intune.audit" AND event.action == "create-devicemanagementconfigurationpolicyassignment"` | moderate | Fixture: array has 2 elements (`["Testing", ""]`); index 0 is the policy name — first element is meaningful but ordering not guaranteed; `MV_FIRST` acceptable for policy context | +| `entity.target.type` | `entity.target.type` | preserve if not null | high | Column-level preserve | +| `entity.target.type` | `"general"` | `data_stream.dataset == "microsoft_intune.audit"` | low | Semantic literal — Pass 3 Layer 2 | +| `entity.target.sub_type` | `entity.target.sub_type` | preserve if not null | high | Column-level preserve | +| `entity.target.sub_type` | `"intune-policy"` | `data_stream.dataset == "microsoft_intune.audit" AND event.action == "delete-devicemanagementconfigurationpolicy"` | high | Semantic literal — Pass 3 Example 1 | +| `entity.target.sub_type` | `"entra-group"` | `data_stream.dataset == "microsoft_intune.audit" AND event.action == "create-devicemanagementconfigurationpolicyassignment"` | high | Semantic literal — Pass 3 Example 2 (group ID in `modified_properties`, not indexed as ECS) | +| `service.target.name` | `service.target.name` | preserve if not null | high | Column-level preserve | +| `service.target.name` | `"Microsoft Intune"` | `data_stream.dataset == "microsoft_intune.audit"` | low | Semantic 
literal — Layer 1 platform (`observer.product` not copied) | + +### Detection flags (mandatory) + +`actor_exists` includes `service.*` because audit events pair Entra user actor with client application (`service.name`). `target_exists` checks all four target namespaces; audit fixtures have no pre-indexed `*.target.*` today, so flags are typically false until enrichment runs. + +```esql +| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +``` + +### Combined ES|QL — actor fields + +Column-level preserve: `CASE(col IS NOT NULL, col, cond AND src IS NOT NULL, src, null)`. + +Only `user.name` needs query-time fill — ingest copies `Actor.Name` (null in all fixtures); UPN lives in `user.email`. Do not gate on `actor_exists` (true when `user.email` is set while `user.name` is still empty). + +```esql +| EVAL + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "microsoft_intune.audit" AND user.email IS NOT NULL, user.email, + null + ) +``` + +### Combined ES|QL — target fields + +Column-level preserve. `MV_FIRST()` used only where field is effectively single-valued in fixtures. `target_object_ids[1]` for assignment creates is ingest-only (see gaps). 
+ +```esql +| EVAL + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "microsoft_intune.audit" AND event.action == "delete-devicemanagementconfigurationpolicy" AND microsoft_intune.audit.properties.target_object_ids IS NOT NULL, MV_FIRST(microsoft_intune.audit.properties.target_object_ids), + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "microsoft_intune.audit" AND event.action == "delete-devicemanagementconfigurationpolicy" AND destination.domain IS NOT NULL, MV_FIRST(destination.domain), + data_stream.dataset == "microsoft_intune.audit" AND event.action == "create-devicemanagementconfigurationpolicyassignment" AND microsoft_intune.audit.properties.target_display_names IS NOT NULL, MV_FIRST(microsoft_intune.audit.properties.target_display_names), + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "microsoft_intune.audit", "general", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "microsoft_intune.audit" AND event.action == "delete-devicemanagementconfigurationpolicy", "intune-policy", + data_stream.dataset == "microsoft_intune.audit" AND event.action == "create-devicemanagementconfigurationpolicyassignment", "entra-group", + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "microsoft_intune.audit", "Microsoft Intune", + null + ) +``` + +### Full pipeline fragment (optional) + +```esql +FROM logs-* +| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR 
host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +| EVAL + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "microsoft_intune.audit" AND user.email IS NOT NULL, user.email, + null + ) +| EVAL + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "microsoft_intune.audit" AND event.action == "delete-devicemanagementconfigurationpolicy" AND microsoft_intune.audit.properties.target_object_ids IS NOT NULL, MV_FIRST(microsoft_intune.audit.properties.target_object_ids), + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "microsoft_intune.audit" AND event.action == "delete-devicemanagementconfigurationpolicy" AND destination.domain IS NOT NULL, MV_FIRST(destination.domain), + data_stream.dataset == "microsoft_intune.audit" AND event.action == "create-devicemanagementconfigurationpolicyassignment" AND microsoft_intune.audit.properties.target_display_names IS NOT NULL, MV_FIRST(microsoft_intune.audit.properties.target_display_names), + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "microsoft_intune.audit", "general", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "microsoft_intune.audit" AND event.action == "delete-devicemanagementconfigurationpolicy", "intune-policy", + data_stream.dataset == "microsoft_intune.audit" AND event.action == "create-devicemanagementconfigurationpolicyassignment", "entra-group", + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "microsoft_intune.audit", "Microsoft Intune", + null + ) +| KEEP @timestamp, 
data_stream.dataset, event.action, user.id, user.name, user.email, service.name, entity.target.id, entity.target.name, entity.target.sub_type, service.target.name +``` + +### Streams excluded + +- **`microsoft_intune.managed_device`** — periodic IntuneDevices inventory export (`event.action: devices` is a diagnostic category label, not an admin verb); `host.*` / `device.*` / `user.*` describe the managed endpoint subject and primary user association, not audit actor/target. + +### Gaps and limitations + +- **`target_object_ids[1]` for `create-devicemanagementconfigurationpolicyassignment` — ingest-only**: Fixture confirms `target_object_ids` has 2 elements: index 0 = policy GUID (`54d05a58-…` or `916dc511-…`), index 1 = composite assignment ID (`policyId_groupId`). Index 1 has specific semantic meaning (the assignment record ID). ES|QL array indexing (`field[n]`) is invalid syntax; `MV_FIRST` returns the first element (index 0), not index 1. Ingest pipeline should normalize the bare group GUID (`Target.GroupId` from `modified_properties`) or the composite ID to a flat `entity.target.id` field for assignment creates. +- **`destination.domain` for `create-devicemanagementconfigurationpolicyassignment` — multi-valued**: Fixture shows `["Testing", ""]` (2 elements). `MV_FIRST` would return `"Testing"` (policy name), but this field is semantically misused (ECS DNS domain used for policy display name). `entity.target.name` fallback uses `MV_FIRST(target_display_names)` instead, which carries the same first element. Both are acceptable for policy-name context only. +- **`target_display_names` for assignment creates — first element only**: Fixture: `["Testing", ""]`. `MV_FIRST` returns the policy context name (`Testing`/`Testing1`). The second element `""` is a literal null-string placeholder for the unnamed assignment target; discarding it is correct. 
+- **`destination.domain` — semantic mismatch**: ECS `destination.domain` is for network DNS hostnames; pipeline appends Intune resource display names. Query-time fill maps to `entity.target.name` in fallback only; long-term fix is ingest-level migration to `entity.target.name`.
+- **`user.id` / `user.email` / `service.name` — ingest-only**: Do not emit tautological `CASE` wrapping already-populated ingest fields.
+- **`event.action` — ingest-only**: `operationName` normalized at ingest; omit action `EVAL` block.
+- **`user.name` on audit**: `properties.Actor.Name` is null in all three audit fixtures; `user.name` column-level preserve falls back to `user.email` (always populated from `json.identity`).
+- **`user.target.*` / `host.target.*`**: No tier-A sources; audit targets are `entity.target.*` (policy, assignment, group), not user/host ECS targets.
+- **Entra group GUID**: Bare group GUID `3ac2074d-…` lives only in `targets[].modified_properties` (`Target.GroupId`); not a flat indexed ECS field. Cannot be extracted at query time. Ingest enhancement needed.
+- **`event.action: devices` on managed_device**: Constant stream/category label; excluded from action enrichment semantics.
diff --git a/dev/domain/p1/openai.md b/dev/domain/p1/openai.md
new file mode 100644
index 00000000000..5c2ed56904c
--- /dev/null
+++ b/dev/domain/p1/openai.md
@@ -0,0 +1,523 @@
+# openai
+
+## Product Domain (OpenAI API/LLM platform observability)
+
+OpenAI provides a commercial API platform for foundation models and related AI services, including chat/completion models, embeddings, image generation, audio transcription and speech synthesis, content moderation, vector stores, and code interpreter sessions. Organizations consume these capabilities programmatically via API keys scoped to projects and users, with usage aggregated at the organization level for billing, capacity planning, and operational oversight.
+
+The OpenAI Usage API exposes time-bucketed metrics that describe how an organization consumes each API surface—request counts, token volumes, audio seconds, image counts, vector store storage, and similar usage dimensions—broken down by model, project, user, and API key where applicable. This is observability data about API consumption patterns, not the content of prompts, responses, or generated artifacts.
+
+The Elastic OpenAI integration polls the Usage API with an organization Admin key via Elastic Agent (CEL input), normalizes usage records into ECS-aligned metric events, and ships them to Elasticsearch for dashboards, alerting, and troubleshooting. It supports configurable collection intervals and bucket widths (1m, 1h, 1d) to balance granularity, storage, and API limits. Primary use cases include tracking token and request trends per model, monitoring spend drivers, detecting usage spikes, and correlating consumption by project, user, or API key.
+
+## Data Collected (brief)
+
+- **Usage metrics** (eight data streams): `completions`, `embeddings`, `images`, `moderations`, `audio_transcriptions`, `audio_speeches`, `vector_stores`, and `code_interpreter_sessions`, collected from the OpenAI Usage API.
+- **Common dimensions** (`openai.base.*`): Time bucket start/end, model name, project ID, user ID, API key ID, request count, and usage object type.
+- **Completions**: Input/output/cached/audio token counts and batch flag.
+- **Embeddings and moderations**: Input token counts.
+- **Images**: Image count, size, and source (generation, edit, variation).
+- **Audio**: Transcription seconds and text-to-speech character counts.
+- **Vector stores**: Storage usage in bytes.
+- **Code interpreter**: Session counts.
+
+## Expected Audit Log Entities
+
+The OpenAI integration collects **Usage API metrics only** (`event.kind: metric` on all eight data streams). It polls the [OpenAI Usage API](https://platform.openai.com/docs/api-reference/usage) with an organization Admin key via CEL input; there are no audit logs, authentication events, or administrative action records. All streams are **audit-adjacent usage metrics** — time-bucketed aggregates keyed by consumption dimensions (model, project, user, API key), not per-request audit events. Actor/target semantics below describe **who consumed which API surface** within each bucket, not principals or objects from an auditable action. **`event.action` is absent** in all `sample_event.json` files and no ingest pipeline maps to it (grep across `packages/openai` returns no `event.action` references). No ECS `user.*`, `*.target.*`, `related.*`, `destination.*`, `cloud.*`, or `gen_ai.*` fields are populated; pipelines only set `ecs.version`, `event.kind`, and rename vendor JSON into `openai.*`. Evidence is from `data_stream/*/sample_event.json`, `data_stream/*/fields/fields.yml`, `data_stream/*/elasticsearch/ingest_pipeline/default.yml`, and `data_stream/*/agent/stream/cel.yml.hbs` `group_by` settings; the package has no `*-expected.json` pipeline test fixtures. The target-fields audit classified this package as **`none`** for actor/target enhancement (`dev/target-fields-audit/out/target_enhancement_packages.csv`); no `destination.user.*` / `destination.host.*` usage (`destination_identity_hits.csv` has no `openai` row).
+
+### Event action (semantic)
+
+These streams record **pre-aggregated usage over configurable time buckets** (`1m`/`1h`/`1d`), not individual API invocations. Per classification rule 10, metrics streams (`event.kind: metric`) have **no meaningful per-event action** — there is no verb naming what happened on a single request. The closest vendor signals are the **API surface identifier** (`openai.base.usage_object_type`) and, on the images stream, the **image operation facet** (`openai.images.source`).
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `completions_usage` (from `organization.usage.completions.result`) | api_call | moderate | `completions/sample_event.json`: `usage_object_type: organization.usage.completions.result` | Aggregate completion/chat usage within bucket; not a single `ChatCompletion` call |
+| `embeddings_usage` (from `organization.usage.embeddings.result`) | api_call | moderate | `embeddings/sample_event.json`: `organization.usage.embeddings.result` | Aggregate embedding API usage |
+| `moderations_usage` (from `organization.usage.moderations.result`) | api_call | moderate | `moderations/sample_event.json`: `organization.usage.moderations.result` | Aggregate moderation API usage |
+| `images_usage` (from `organization.usage.images.result`) | api_call | moderate | `images/sample_event.json`: `organization.usage.images.result` | Aggregate image API usage; sub-facet `openai.images.source` distinguishes operation type |
+| `image.generation` / `image.edit` / `image.variation` | api_call | moderate | `images/sample_event.json`: `source: image.generation`; `fields.yml` documents all three values | Image API sub-operation dimension within bucket; CEL `group_by` includes `source` |
+| `audio_transcriptions_usage` (from `organization.usage.audio_transcriptions.result`) | api_call | moderate | `audio_transcriptions/sample_event.json` | Aggregate Whisper transcription 
usage (seconds) | +| `audio_speeches_usage` (from `organization.usage.audio_speeches.result`) | api_call | moderate | `audio_speeches/sample_event.json` | Aggregate TTS usage (characters) | +| `vector_stores_usage` (from `organization.usage.vector_stores.*`) | api_call | moderate | `vector_stores/sample_event.json`: `organization.usage.vector_stores.` | Project-scoped storage aggregate; no per-store operation | +| `code_interpreter_sessions_usage` (from `organization.usage.code_interpreter_sessions.*`) | api_call | moderate | `code_interpreter_sessions/sample_event.json`: `organization.usage.code_interpreter_sessions.` | Session-count aggregate; no per-session operation | + +If `event.action` were populated for SIEM-style filtering, a derived label from `openai.base.usage_object_type` (e.g. strip `organization.usage.` prefix and `.result` suffix → `completions`, `embeddings`) or the `data_stream.dataset` suffix (`openai.completions` → `completions`) would be the most defensible mapping — but neither is implemented today. + +### Event action (ECS candidates) + +| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence | +| --- | --- | --- | --- | --- | --- | +| `openai.base.usage_object_type` | no | n/a | `completions`, `embeddings`, `moderations`, `images`, `audio_transcriptions`, `audio_speeches`, `vector_stores`, `code_interpreter_sessions` (derived from `organization.usage.*.result`) | yes | Pipeline rename from API `object` field (e.g. 
`completions/default.yml` L49–52); all eight `sample_event.json` files | +| `openai.images.source` | no | n/a | `image.generation`, `image.edit`, `image.variation` | partial | `images/sample_event.json`: `image.generation`; sub-operation facet on images stream only; CEL `group_by` includes `source` | +| `data_stream.dataset` | no | n/a | `openai.completions`, `openai.embeddings`, … | partial | Set by agent on every sample; stream discriminator, not vendor operation name | +| `openai.completions.batch` | no | n/a | — | no | Boolean batch-mode dimension; qualifies completions usage, not a standalone action verb | +| `event.action` | no | n/a | — | yes | Not set in any pipeline or sample | +| `event.type` / `event.category` | no | n/a | — | no | Not set; would not substitute for `event.action` without a vendor action source | + +**Step 2b — per-stream check:** + +| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `completions` | no | no | `openai.base.usage_object_type` → `completions` | moderate | `completions/sample_event.json`; pipeline sets `event.kind: metric` only (`default.yml` L10–12) | +| `embeddings` | no | no | `openai.base.usage_object_type` → `embeddings` | moderate | `embeddings/sample_event.json`; same pipeline pattern | +| `moderations` | no | no | `openai.base.usage_object_type` → `moderations` | moderate | `moderations/sample_event.json` | +| `images` | no | no | `openai.base.usage_object_type` → `images`; alternate `openai.images.source` | moderate | `images/sample_event.json`; `source: image.generation` adds sub-operation facet | +| `audio_transcriptions` | no | no | `openai.base.usage_object_type` → `audio_transcriptions` | moderate | `audio_transcriptions/sample_event.json` | +| `audio_speeches` | no | no | `openai.base.usage_object_type` → `audio_speeches` | moderate | `audio_speeches/sample_event.json` | +| `vector_stores` | no 
| no | `openai.base.usage_object_type` → `vector_stores` | moderate | `vector_stores/sample_event.json`; CEL `group_by: ["project_id"]` only | +| `code_interpreter_sessions` | no | no | `openai.base.usage_object_type` → `code_interpreter_sessions` | moderate | `code_interpreter_sessions/sample_event.json`; CEL `group_by: ["project_id"]` only | + +### Actor (semantic) + +| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | +| API consumer (org user) | user | — | moderate | `openai.base.user_id` in six stream `sample_event.json` files and model-usage `fields/fields.yml` base schema; CEL `group_by` includes `user_id` on model-usage streams | **`completions`**, **`embeddings`**, **`moderations`**, **`images`**, **`audio_transcriptions`**, **`audio_speeches`** — opaque OpenAI user identifier (e.g. `"user-dummy"`); consumption dimension, not an authenticated audit principal | +| API credential | general | api_key | moderate | `openai.base.api_key_id` in same six samples and base field definitions; CEL `group_by` includes `api_key_id` on model-usage streams | Same six streams — identifies which org API key drove usage; supplementary to user, not a human actor | +| Organization project (scope) | general | project | low | `openai.base.project_id` in all samples where populated (empty string when unscoped); CEL `group_by` always includes `project_id` | **All streams** — billing/project partition, not an interactive principal | +| Integration collector | service | — | low | Admin key in CEL state (`access_token` from `admin_token`); redacted via `redact.fields`, never indexed | Implicit Elastic Agent poller; not represented on events | + +**No actor identity in schema or samples:** **`vector_stores`**, **`code_interpreter_sessions`** — CEL `group_by: ["project_id"]` only; field schemas omit `user_id`, `api_key_id`, and `model`; samples carry project and bucket timestamps only. 
+ +### Actor (ECS candidates) + +| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `openai.base.user_id` | API consumer user ID | no | n/a | moderate | Defined in model-usage `fields/fields.yml`; populated in six `sample_event.json` files; pipeline renames from API JSON (e.g. `completions/elasticsearch/ingest_pipeline/default.yml` L38–40) but never copied to ECS `user.id` | +| `openai.base.api_key_id` | API key credential ID | no | n/a | moderate | Same six streams; pipeline rename L41–44; no ECS credential or `user.*` enrichment | +| `openai.base.project_id` | Project / billing scope | no | n/a | low | All streams; pipeline rename L33–36; organizational context, not a security principal | +| `user.id` / `user.*` | Actor identity | no | n/a | — | Not set in any pipeline or sample | +| `client.user.*` | Caller principal | no | n/a | — | Not used | +| `related.user` | Actor cross-reference | no | n/a | — | Not used | +| `destination.user.*` / `destination.host.*` | De-facto target identity | no | n/a | — | Not used (`destination_identity_hits.csv` has no `openai` row) | + +### Target (semantic) + +| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | --- | --- | +| 1 — Platform / cloud service | OpenAI API platform consumed by the organization | OpenAI API | service | — | moderate | `openai.base.usage_object_type` discriminates API surface (`organization.usage.completions.result`, `organization.usage.embeddings.result`, etc.) in all samples; no `cloud.service.name` set | **All streams** — invoked SaaS platform; inferred from usage object type, not ECS-mapped | +| 2 — Resource / object | Foundation model endpoint | Named OpenAI model | service | — | high | `openai.base.model` in six model-usage samples (e.g. 
`gpt-4o-mini-2024-07-18`, `dall-e-3`, `whisper-1`, `tts-1`, `text-embedding-ada-002-v2`, `text-moderation:2023-10-25`) | **`completions`**, **`embeddings`**, **`moderations`**, **`images`**, **`audio_transcriptions`**, **`audio_speeches`** — aggregation dimension for model consumption, not per-invocation target | +| 2 — Resource / object | Vector store storage (aggregate) | Vector store usage | general | vector_store | moderate | `openai.vector_stores.usage_bytes`; `usage_object_type: organization.usage.vector_stores.*` | **`vector_stores`** — org/project-level storage consumption; no per-store ID in schema or samples | +| 2 — Resource / object | Code interpreter sessions (aggregate) | Code interpreter workload | general | code_interpreter_session | moderate | `openai.code_interpreter_sessions.sessions`; `usage_object_type: organization.usage.code_interpreter_sessions.*` | **`code_interpreter_sessions`** — session count aggregate; no session or user identifiers | +| 3 — Content / artifact | Time-bucket usage aggregate | Usage bucket | general | usage_bucket | high | `openai.base.start_time`, `openai.base.end_time`, `@timestamp`; `openai.base.num_model_requests` where present | **All streams** — metrics pre-aggregated over configurable bucket width (`1m`/`1h`/`1d`); not per-request audit targets | +| 3 — Content / artifact | Image API usage facets | Image generation dimensions | general | image | moderate | `openai.images.images`, `openai.images.size`, `openai.images.source` (`image.generation`, `image.edit`, `image.variation`); CEL `group_by` adds `size,source` | **`images`** — grouped image API usage, not individual image assets | +| 3 — Content / artifact | Batch inference mode | Batch vs interactive completion | general | batch_job | low | `openai.completions.batch` (boolean); CEL `group_by` includes `batch` | **`completions`** — distinguishes batch vs interactive completion usage within the bucket | + +**No meaningful audit target:** Individual prompts, 
completions, files, vector-store objects, or session instances — the Usage API exposes counts and volumes only, not content or resource IDs. Per classification rule 10, model ID and API-key dimensions are **aggregation targets**, not per-request audit targets. + +### Target (ECS candidates) + +| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `openai.base.model` | 2 | service | no | n/a | `gen_ai.request.model.id` / `service.target.entity.id` | yes | Six model-usage samples; pipeline rename (e.g. `completions/default.yml` L29–32); canonical consumed-model dimension | +| `openai.base.usage_object_type` | 1 | service | no | n/a | `service.target.name` / `event.action` | partial | All samples; pipeline rename L49–52; identifies API surface (`organization.usage.*`) but not promoted to ECS | +| `openai.base.num_model_requests` | 3 | general (usage_bucket) | no | n/a | context-only | no | Request count within bucket; metric counter, not entity identity | +| `openai.completions.*` (token counters) | 3 | general (usage_bucket) | no | n/a | context-only | no | `input_tokens`, `output_tokens`, `input_cached_tokens`, audio token fields in `completions/sample_event.json` | +| `openai.embeddings.input_tokens` / `openai.moderations.input_tokens` | 3 | general (usage_bucket) | no | n/a | context-only | no | Token volume counters in respective samples | +| `openai.images.images` / `.size` / `.source` | 3 | general (image) | no | n/a | context-only | no | Image count and dimension facets in `images/sample_event.json` | +| `openai.audio_transcriptions.seconds` | 3 | general (usage_bucket) | no | n/a | context-only | no | Audio duration counter | +| `openai.audio_speeches.characters` | 3 | general (usage_bucket) | no | n/a | context-only | no | TTS character counter | +| `openai.vector_stores.usage_bytes` | 2 | general (vector_store) | no | 
n/a | context-only | no | Storage byte counter; no store ID | +| `openai.code_interpreter_sessions.sessions` | 2 | general (code_interpreter_session) | no | n/a | context-only | no | Session count counter | +| `openai.completions.batch` | 3 | general (batch_job) | no | n/a | context-only | no | Boolean batch-mode dimension | +| `cloud.service.name` | 1 | service | no | n/a | `service.target.name` | yes | Not set anywhere; static `openai` would identify invoked SaaS platform | +| `gen_ai.request.model.id` | 2 | service | no | n/a | `gen_ai.request.model.id` | yes | Not set; natural ECS home for `openai.base.model` | +| `event.action` | 1 | service | no | n/a | context-only | yes | Not set; natural home for derived API-surface label from `usage_object_type` | +| `user.target.*` / `host.target.*` / `service.target.*` / `entity.target.*` | — | — | no | n/a | — | no | Not populated (`target_enhancement_packages.csv`: all `has_*_target` false) | +| `destination.user.*` / `destination.host.*` | — | — | no | n/a | — | no | Not used | + +### Gaps and mapping notes + +- **Metrics-only package:** All eight streams set `event.kind: metric` in ingest pipelines; no audit log stream exists. Actor/target ECS enhancement is low priority per `target_enhancement_packages.csv` classification **`none`**. +- **No `event.action` mapping:** Vendor `openai.base.usage_object_type` names the consumed API surface (`organization.usage.completions.result`, etc.) but is not copied to ECS `event.action`. Recommended primary candidate per stream: derive a short label from `usage_object_type` or use `data_stream.dataset` suffix. On **`images`**, `openai.images.source` adds a sub-operation facet (`image.generation`, `image.edit`, `image.variation`) suitable as a secondary action dimension. +- **No per-event action semantics:** Time-bucketed aggregates cannot represent individual API verbs (e.g. `ChatCompletion`, `CreateEmbedding`). Do not infer per-request `event.action` from metric counters. 
+- **Zero ECS entity promotion:** Pipelines rename Usage API JSON into `openai.base.*` and stream-specific counters only. No `user.id` from `openai.base.user_id`, no `gen_ai.request.model.id` from `openai.base.model`, no static `cloud.provider` / `cloud.service.name`. +- **Consumption dimensions ≠ audit principals:** `openai.base.user_id` and `openai.base.api_key_id` identify who drove usage within a bucket but are not authenticated caller records (no email, name, or session context). Treat as observability attribution, not SIEM actor identity. +- **Aggregation targets, not per-request targets:** Model ID, image size/source, and batch flag are CEL `group_by` dimensions for time-bucketed metrics. They describe what was consumed in aggregate, not individual API invocations or content artifacts. +- **Sparse actor dimensions on two streams:** `vector_stores` and `code_interpreter_sessions` group by `project_id` only; field schemas omit user, API key, and model. Lowest confidence for any actor or granular target mapping. +- **No de-facto `destination.*` targets:** Unlike email/auth integrations, no pipeline maps affected entities to `destination.user.*` or `destination.host.*`. +- **Layer 1 SaaS gap:** `openai.base.usage_object_type` holds the API surface identifier but is not promoted to `cloud.service.name` or `service.target.*`. A static pipeline set of `cloud.service.name: openai` would close Layer 1 ECS coverage. + +### Per-stream notes + +#### completions, embeddings, moderations, audio_transcriptions, audio_speeches + +Model-usage streams share `openai.base.*` dimensions (`model`, `project_id`, `user_id`, `api_key_id`, `num_model_requests`, bucket timestamps). CEL `group_by` includes `project_id,user_id,api_key_id,model` (plus `batch` on completions). Pipelines rename API JSON into `openai.base.*` and stream-specific token/second/character counters; no ECS entity promotion. 
Actor is best interpreted as **user** + **api_key** credential pair; target is the named **model** (`service`) within a time bucket. **Action:** no `event.action`; primary candidate is `usage_object_type` for the API surface (e.g. `completions`, `embeddings`). + +#### images + +Same base actor dimensions plus image-specific target facets: `openai.images.source` (generation/edit/variation), `openai.images.size`, and `openai.images.images` count. CEL groups by `project_id,user_id,api_key_id,model,size,source`. **Action:** `openai.images.source` is the only stream with a sub-operation facet beyond `usage_object_type`. + +#### vector_stores, code_interpreter_sessions + +Project-scoped platform usage without user, API key, or model breakdown in field definitions or samples. CEL `group_by: ["project_id"]` only. Target is aggregate storage (`usage_bytes`) or session counts (`sessions`) at org/project level. No actor identity in schema or samples. **Action:** `usage_object_type` only; no sub-operation dimension. + +## Example Event Graph + +These examples come from `sample_event.json` fixtures across three OpenAI Usage API data streams (`completions`, `images`, `vector_stores`). All streams emit **audit-adjacent usage metrics** (`event.kind: metric`) — time-bucketed aggregates keyed by consumption dimensions, not per-request audit logs. There is no `event.action` in any fixture; action labels below are derived from vendor fields and are **not mapped to ECS today**. 
+ +### Example 1: Completion model usage in a daily bucket + +**Stream:** `openai.completions` · **Fixture:** `packages/openai/data_stream/completions/sample_event.json` + +``` +User (user-dummy) → completions_usage → Foundation model (gpt-4o-mini-2024-07-18) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | user-dummy | +| type | user | + +**Field sources:** +- `id ← openai.base.user_id` + +#### Event action + +| Field | Value | +| --- | --- | +| action | completions_usage | +| source_field | `openai.base.usage_object_type` | +| source_value | `organization.usage.completions.result` | + +Derived label from vendor usage-object type; **not mapped to `event.action` today**. + +#### Target + +| Field | Value | +| --- | --- | +| id | gpt-4o-mini-2024-07-18 | +| type | service | +| sub_type | foundation_model | + +**Field sources:** +- `id ← openai.base.model` + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: user-dummy"] --> E["completions_usage"] + E --> T["Target: gpt-4o-mini-2024-07-18"] +``` + +### Example 2: Image generation usage by model + +**Stream:** `openai.images` · **Fixture:** `packages/openai/data_stream/images/sample_event.json` + +``` +User (user-dummy) → image.generation → Foundation model (dall-e-3) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | user-dummy | +| type | user | + +**Field sources:** +- `id ← openai.base.user_id` + +#### Event action + +| Field | Value | +| --- | --- | +| action | image.generation | +| source_field | `openai.images.source` | +| source_value | `image.generation` | + +Sub-operation facet within the images usage bucket; **not mapped to `event.action` today** (parent API surface is `organization.usage.images.result` on `openai.base.usage_object_type`). 
+ +#### Target + +| Field | Value | +| --- | --- | +| id | dall-e-3 | +| name | dall-e-3 | +| type | service | +| sub_type | foundation_model | + +**Field sources:** +- `id ← openai.base.model` +- `name ← openai.base.model` + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: user-dummy"] --> E["image.generation"] + E --> T["Target: dall-e-3"] +``` + +### Example 3: Project-scoped vector store storage aggregate + +**Stream:** `openai.vector_stores` · **Fixture:** `packages/openai/data_stream/vector_stores/sample_event.json` + +``` +Project scope (unscoped) → vector_stores_usage → Vector store storage (aggregate) +``` + +This stream groups by `project_id` only; fixtures carry no `user_id`, `api_key_id`, or per-store ID. The graph shows org/project-level storage consumption within a time bucket, not a single store operation. + +#### Actor + +| Field | Value | +| --- | --- | +| type | general | +| sub_type | project | + +**Field sources:** +- `sub_type ← openai.base.project_id` (empty string in fixture — unscoped org-level bucket; no interactive principal) + +#### Event action + +| Field | Value | +| --- | --- | +| action | vector_stores_usage | +| source_field | `openai.base.usage_object_type` | +| source_value | `organization.usage.vector_stores.` | + +Derived label from vendor usage-object type; **not mapped to `event.action` today**. 
+ +#### Target + +| Field | Value | +| --- | --- | +| type | general | +| sub_type | vector_store | + +**Field sources:** +- `sub_type ← openai.vector_stores.usage_bytes` (16 bytes in fixture — aggregate storage counter; no store entity ID in schema or sample) + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: project (unscoped)"] --> E["vector_stores_usage"] + E --> T["Target: vector store storage"] +``` + +## ES|QL Entity Extraction + +**Package type: agent-backed** (policy template `openai`, eight Usage API metric data streams with Tier A `sample_event.json` fixtures and ingest pipelines; no `*-expected.json` pipeline tests). Router: **`data_stream.dataset`** values `openai.{stream}` from `packages/openai/data_stream/*/manifest.yml` (confirmed in all eight `sample_event.json` files). All streams set `event.kind: metric`. Pass 4 is **fill-gaps-only**: detection flags run first; mapped columns use **column-level** **5-arg** / **7-arg** / **9-arg** `CASE( IS NOT NULL, , , , null)` — never **4-arg** `CASE( IS NOT NULL, , bare_vendor_field, null)` (bare field parses as a **condition**) or `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` — so one populated sibling (e.g. `entity.id` from `api_key_id` or `service.target.id` from a future ingest promotion) does not block `user.id` / `service.target.name` / `entity.target.sub_type` fallbacks on empty columns (Pass 4 §10). **Pass 4 (CASE syntax):** all fenced `CASE` use odd-arity defaults (`null`) with `(condition, value)` pairs only. Ingest does not populate ECS `user.*`, `*.target.*`, or `event.action` today — fallbacks promote **`openai.base.*`** consumption dimensions per Pass 2/3 (user + API key actor; foundation **model** as `service.target.*`; platform literal on project-only streams). **`vector_stores`** and **`code_interpreter_sessions`** group by `project_id` only — no `user_id` / `api_key_id` / `model` in schema or samples. 
**Pass 4 (tautology cleanup):** no `CASE(col, col, …)` identity fallbacks; vendor paths (`openai.base.user_id`, `openai.base.model`, etc.) differ from output columns. Treat extraction as **audit-adjacent consumption attribution** (time-bucket aggregates), not per-request audit logs. + +### Dataset inventory + +| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction | +| --- | --- | --- | --- | --- | +| `openai.completions` | Completion usage metrics | user, general (api_key) | service (model) | partial | +| `openai.embeddings` | Embedding usage metrics | user, general (api_key) | service (model) | partial | +| `openai.moderations` | Moderation usage metrics | user, general (api_key) | service (model) | partial | +| `openai.images` | Image usage metrics | user, general (api_key) | service (model) | partial | +| `openai.audio_transcriptions` | Transcription usage metrics | user, general (api_key) | service (model) | partial | +| `openai.audio_speeches` | TTS usage metrics | user, general (api_key) | service (model) | partial | +| `openai.vector_stores` | Storage usage metrics | general (project) | general (vector_store) | partial | +| `openai.code_interpreter_sessions` | Session count metrics | general (project) | general (code_interpreter) | partial | + +### Field mapping plan + +#### Actor mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `user.id` | `openai.base.user_id` | `data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.user_id IS NOT NULL` | moderate | **column-level preserve** (`user.id IS NOT NULL`); **vendor fallback** — consumption dimension, not audit principal | +| `entity.id` | `openai.base.api_key_id` | same six datasets AND `openai.base.api_key_id IS NOT NULL` | moderate | **column-level 
preserve** (`entity.id IS NOT NULL`); **vendor fallback** — API credential | +| `entity.type` | literal `"api_key"` | same six datasets AND `openai.base.api_key_id IS NOT NULL` | moderate | **column-level preserve** (`entity.type IS NOT NULL`); **semantic literal** | +| `entity.id` | `openai.base.project_id` | `data_stream.dataset IN ("openai.vector_stores", "openai.code_interpreter_sessions") AND openai.base.project_id IS NOT NULL AND openai.base.project_id != ""` | low | **column-level preserve**; **vendor fallback** — scoped project; empty `project_id` in fixtures = org-level bucket | +| `entity.type` | literal `"project"` | `data_stream.dataset IN ("openai.vector_stores", "openai.code_interpreter_sessions")` | low | **column-level preserve**; **semantic literal** — Pass 3 Example 3 actor | + +#### Target mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `service.target.id` | `openai.base.model` | six model-usage datasets AND `openai.base.model IS NOT NULL` | high | **column-level preserve** (`service.target.id IS NOT NULL`); **vendor fallback** — foundation model (Pass 3 Examples 1–2) | +| `service.target.name` | `openai.base.model` | same | high | **column-level preserve** (`service.target.name IS NOT NULL`); **vendor fallback** | +| `service.target.name` | literal `"OpenAI API"` | `STARTS_WITH(data_stream.dataset, "openai.")` | low | **column-level preserve**; **semantic literal** — Layer 1 platform when no model dimension | +| `entity.target.sub_type` | literal `"vector_store"` | `data_stream.dataset == "openai.vector_stores"` | moderate | **column-level preserve** (`entity.target.sub_type IS NOT NULL`); aggregate storage; no per-store ID | +| `entity.target.sub_type` | literal `"code_interpreter_session"` | `data_stream.dataset == "openai.code_interpreter_sessions"` | moderate | **column-level preserve**; session-count aggregate | +| `entity.target.sub_type` | literal 
`"foundation_model"` | six model-usage datasets AND `openai.base.model IS NOT NULL` | moderate | **column-level preserve**; Pass 3 model target sub_type | + +#### Event action mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `event.action` | `openai.images.source` | `data_stream.dataset == "openai.images" AND openai.images.source IS NOT NULL` | moderate | **column-level preserve** (`event.action IS NOT NULL`); **vendor fallback** — sub-operation facet (Pass 3 Example 2: `image.generation`) | +| `event.action` | literal `"completions"` | `data_stream.dataset == "openai.completions"` | moderate | **semantic literal** — dataset suffix; aligns with Pass 2 `usage_object_type` candidate | +| `event.action` | literal `"embeddings"` | `data_stream.dataset == "openai.embeddings"` | moderate | same pattern | +| `event.action` | literal `"moderations"` | `data_stream.dataset == "openai.moderations"` | moderate | same pattern | +| `event.action` | literal `"images"` | `data_stream.dataset == "openai.images" AND openai.images.source IS NULL` | moderate | API surface when no `source` facet | +| `event.action` | literal `"audio_transcriptions"` | `data_stream.dataset == "openai.audio_transcriptions"` | moderate | same pattern | +| `event.action` | literal `"audio_speeches"` | `data_stream.dataset == "openai.audio_speeches"` | moderate | same pattern | +| `event.action` | literal `"vector_stores"` | `data_stream.dataset == "openai.vector_stores"` | moderate | same pattern | +| `event.action` | literal `"code_interpreter_sessions"` | `data_stream.dataset == "openai.code_interpreter_sessions"` | moderate | same pattern | + +`openai.base.usage_object_type` (e.g. `organization.usage.completions.result`) is the primary Pass 2 vendor action candidate but requires string parsing in ES|QL; **`data_stream.dataset` suffix literals** are used instead (fixture-verified on all eight samples). 
+ +### Detection flags (mandatory — run first) + +```esql +| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +``` + +**Predicate note:** At ingest today, `actor_exists` / `target_exists` / `action_exists` are typically false on OpenAI usage events — fallbacks apply without overwriting populated ECS fields if pipelines add `user.*` / `*.target.*` / `event.action` later. **Actor/target/action `EVAL` blocks use column-level preserve** (` IS NOT NULL`) — not `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` — so `entity.id` from `api_key_id` does not block `user.id` ← `openai.base.user_id`, and `service.target.id` alone does not block `service.target.name` ← `openai.base.model` or `"OpenAI API"` (Pass 4 §10). + +**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. Wrong: `CASE(user.id IS NOT NULL, user.id, openai.base.user_id, null)` (4 args — `openai.base.user_id` is a **condition**). Wrong: `CASE(actor_exists, user.id, openai.base.user_id, null)` (same). Right: **5-arg** `CASE(user.id IS NOT NULL, user.id, data_stream.dataset IN ("openai.completions", …) AND openai.base.user_id IS NOT NULL, openai.base.user_id, null)`. **7-arg** when multiple fallbacks apply (e.g. `entity.id` api_key vs project). Do not use `CASE(action_exists, event.action, …)` — use `event.action IS NOT NULL` as the preserve branch. 
+ +### Combined ES|QL — actor fields + +```esql +| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.user_id IS NOT NULL, openai.base.user_id, + null + ), + entity.id = CASE( + entity.id IS NOT NULL, entity.id, + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.api_key_id IS NOT NULL, openai.base.api_key_id, + data_stream.dataset IN ("openai.vector_stores", "openai.code_interpreter_sessions") AND openai.base.project_id IS NOT NULL AND openai.base.project_id != "", openai.base.project_id, + null + ), + entity.type = CASE( + entity.type IS NOT NULL, entity.type, + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.api_key_id IS NOT NULL, "api_key", + data_stream.dataset IN ("openai.vector_stores", "openai.code_interpreter_sessions"), "project", + null + ) +``` + +### Combined ES|QL — event action + +```esql +| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "openai.images" AND openai.images.source IS NOT NULL, openai.images.source, + data_stream.dataset == "openai.completions", "completions", + data_stream.dataset == "openai.embeddings", "embeddings", + data_stream.dataset == "openai.moderations", "moderations", + data_stream.dataset == "openai.images", "images", + data_stream.dataset == "openai.audio_transcriptions", "audio_transcriptions", + data_stream.dataset == "openai.audio_speeches", "audio_speeches", + data_stream.dataset == "openai.vector_stores", "vector_stores", + data_stream.dataset == "openai.code_interpreter_sessions", "code_interpreter_sessions", + null + ) +``` + +### 
Combined ES|QL — target fields + +```esql +| EVAL + service.target.id = CASE( + service.target.id IS NOT NULL, service.target.id, + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.model IS NOT NULL, openai.base.model, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.model IS NOT NULL, openai.base.model, + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches", "openai.vector_stores", "openai.code_interpreter_sessions"), "OpenAI API", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "openai.vector_stores", "vector_store", + data_stream.dataset == "openai.code_interpreter_sessions", "code_interpreter_session", + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.model IS NOT NULL, "foundation_model", + null + ) +``` + +### Full pipeline fragment (optional) + +```esql +FROM logs-*, metrics-* +| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR 
service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.user_id IS NOT NULL, openai.base.user_id, + null + ), + entity.id = CASE( + entity.id IS NOT NULL, entity.id, + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.api_key_id IS NOT NULL, openai.base.api_key_id, + data_stream.dataset IN ("openai.vector_stores", "openai.code_interpreter_sessions") AND openai.base.project_id IS NOT NULL AND openai.base.project_id != "", openai.base.project_id, + null + ), + entity.type = CASE( + entity.type IS NOT NULL, entity.type, + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.api_key_id IS NOT NULL, "api_key", + data_stream.dataset IN ("openai.vector_stores", "openai.code_interpreter_sessions"), "project", + null + ), + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "openai.images" AND openai.images.source IS NOT NULL, openai.images.source, + data_stream.dataset == "openai.completions", "completions", + data_stream.dataset == "openai.embeddings", "embeddings", + data_stream.dataset == "openai.moderations", "moderations", + data_stream.dataset == "openai.images", "images", + data_stream.dataset == "openai.audio_transcriptions", "audio_transcriptions", + data_stream.dataset == "openai.audio_speeches", "audio_speeches", + data_stream.dataset == "openai.vector_stores", "vector_stores", + data_stream.dataset == "openai.code_interpreter_sessions", 
"code_interpreter_sessions", + null + ), + service.target.id = CASE( + service.target.id IS NOT NULL, service.target.id, + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.model IS NOT NULL, openai.base.model, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.model IS NOT NULL, openai.base.model, + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches", "openai.vector_stores", "openai.code_interpreter_sessions"), "OpenAI API", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "openai.vector_stores", "vector_store", + data_stream.dataset == "openai.code_interpreter_sessions", "code_interpreter_session", + data_stream.dataset IN ("openai.completions", "openai.embeddings", "openai.moderations", "openai.images", "openai.audio_transcriptions", "openai.audio_speeches") AND openai.base.model IS NOT NULL, "foundation_model", + null + ) +| KEEP @timestamp, data_stream.dataset, event.kind, event.action, user.id, entity.id, entity.type, service.target.id, service.target.name, entity.target.sub_type, openai.base.num_model_requests +``` + +### Streams excluded + +None — all eight streams receive **partial** consumption attribution. None are audit-grade per-event Actor → action → Target pairs (`event.kind: metric` on every stream). 
+ +### Gaps and limitations + +- **Pass 4 tautology cleanup (§10)** — column-level `IS NOT NULL` preserve on all mapped columns; no `CASE(col, col, …)`; removed duplicate optional-classification `EVAL` (logic lives in actor/target blocks); `event.action` uses `event.action IS NOT NULL` preserve with `openai.images.source` / dataset-suffix literals only — not `CASE(action_exists, event.action, …, event.action, null)`. +- **Pass 4 CASE syntax** — combined actor/action/target blocks and the full pipeline fragment use odd-arity `CASE` (condition/value pairs + trailing `null`); column-level **5-arg** / **7-arg** / **9-arg** / **13-arg** preserve (` IS NOT NULL` first branch). Never **4-arg** `CASE( IS NOT NULL, , bare_vendor_field, null)` or `CASE(actor_exists|target_exists|action_exists, , …)` where a bare field parses as a boolean condition. `service.target.name` uses **7-arg** (model fallback, then dataset-`IN` platform literal). +- **Unscoped `FROM logs-*, metrics-*`** — dataset routing lives in `CASE` fallback conditions (`data_stream.dataset IN (…)`), not a top-level `WHERE`. +- **Metrics-only** — time-bucket aggregates cannot represent individual API verbs (`ChatCompletion`, etc.); `event.action` literals name the API surface or image sub-facet, not a single request. +- **No ECS promotion at ingest** — `openai.base.user_id`, `openai.base.model`, and `openai.base.usage_object_type` require ES|QL vendor fallbacks; ingest-time mapping remains the preferred long-term fix (Pass 2 enhancement candidates). +- **`vector_stores` / `code_interpreter_sessions`** — no `user_id`, `api_key_id`, or `model` in field schemas or samples; actor is project scope only; empty `project_id` yields no `entity.id`. +- **`user.email` / `user.name` / `user.domain`** — not exposed by Usage API dimensions; intentionally omitted. 
+- **`openai.base.usage_object_type`** — fixture-verified on all streams but not parsed into `event.action` in ES|QL (use dataset suffix literals or future `REPLACE`/`SPLIT` if needed).
+- **`openai.images.source`** — mapped to `event.action` when present, not to target columns (Pass 3 sub-operation vs model target).
+- **Per-request content targets** (prompts, files, store IDs, sessions) — not exposed by Usage API; intentionally omitted.
+- **Target-fields audit `none`** — no `destination.*` or ingest `*.target.*`; query-time promotion is observability attribution only.
diff --git a/dev/domain/p1/osquery.md b/dev/domain/p1/osquery.md
new file mode 100644
index 00000000000..05c6e031273
--- /dev/null
+++ b/dev/domain/p1/osquery.md
@@ -0,0 +1,367 @@
+# osquery
+
+## Product Domain (osquery endpoint visibility)
+
+osquery is an open-source endpoint visibility platform that exposes operating system state through a SQL query interface. The `osqueryd` daemon runs scheduled or ad hoc queries against tables backed by live OS APIs—processes, users, files, network sockets, launch agents, kernel modules, and hundreds of other artifacts on Linux, macOS, and Windows. Security and IT teams deploy osquery to answer inventory, compliance, threat-hunting, and configuration-drift questions without installing separate agents for each use case.
+
+Query results are written as structured JSON logs by osquery's filesystem logging driver. Organizations typically organize queries into packs (for example compliance baselines, monitoring schedules, or rootkit detection) and rely on differential actions (`added`, `removed`, `changed`) to track state changes over time. Because the schema is query-driven, the same integration can ingest everything from asset inventory to CIS benchmark checks to custom hunt queries.
+
+The Elastic **Osquery Logs** integration targets this endpoint-visibility slice of the security domain. Elastic Agent tailing `osqueryd` result logs on each host, decodes the JSON, and normalizes common column values into ECS fields while preserving the full query payload under `osquery.result.*`. Kibana dashboards and saved searches support compliance and operational review. Collection is agent-based and scoped to hosts where osquery is installed and configured; it complements log, metrics, and EDR integrations by providing deep, SQL-addressable host state on demand.
+
+## Data Collected (brief)
+
+Logs only (no metrics or alerts). One data stream:
+
+| Data stream | Description |
+|---|---|
+| **result** | JSON result logs from `osqueryd` (default path `/var/log/osquery/osqueryd.results.log*`), collected via Elastic Agent **logfile** input |
+
+Each event includes the query name, differential action, collection timestamps, host identifier, and query-specific row data in `osquery.result.columns.*`. Decorations such as `host_uuid` and `username` are mapped under `osquery.result.decorations.*`. The ingest pipeline promotes common osquery columns to ECS where applicable (`file.*`, `process.*`, `user.*`, `url.*`, `rule.name`, `related.*`). Events are tagged `osquery` and indexed as `osquery.result`.
+
+## Expected Audit Log Entities
+
+The **Osquery Logs** integration ingests **scheduled query result logs**, not administrative audit records. The single **`result`** stream is inventory and compliance telemetry—query rows and differential snapshots from local OS tables, not "who did what to whom." Actor/target semantics below describe **collection context and query-result subjects** useful for correlation, not principals or objects from an audit trail. For authentication, privilege use, or kernel audit trails, use System, Auditd, Sysmon, or EDR integrations. Evidence is from `data_stream/result/sample_event.json`, `data_stream/result/_dev/test/pipeline/test-osquery.log` (2,213 events across 25 query packs), `data_stream/result/elasticsearch/ingest_pipeline/default.yml`, `data_stream/result/fields/fields.yml`, and `data_stream/result/fields/ecs.yml`. No ECS `*.target.*` fields are declared or populated. The target-fields audit classified this package as **`none`** for actor/target enhancement (`out/target_enhancement_packages.csv`). `osquery` does not appear in `out/destination_identity_hits.csv` (no `destination.user.*` / `destination.host.*` usage).
+
+**`event.action` is populated** on every result row. The ingest pipeline copies osquery's differential action label from `osquery.result.action` to `event.action` (`default.yml` L70–73). Fixtures show `added` (`sample_event.json`; 2,209 of 2,213 test-log events) and `removed` (4 events, e.g. `pack_it-compliance_mounts` on `/private/var/vm`). Osquery also supports `changed` (`fields.yml`) but no `changed` rows appear in the test fixture. These values describe **query-result state deltas** (row appeared/disappeared/changed between scheduled runs), not security audit verbs such as login, file-modify, or policy-update. `event.type` is statically set to `[info]` (`default.yml` L68–69) — event classification, not an operation name. Query identity is mapped separately to `rule.name` ← `osquery.result.name`.
+
+### Event action (semantic)
+
+Osquery differential logging records **how a query row changed** since the last execution, not who performed an OS action. The action vocabulary is osquery-native: `added`, `removed`, and (when enabled) `changed`.
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `added` | detection | high | `sample_event.json` (`event.action: added`); 2,209/`"action":"added"` rows in `test-osquery.log` | **`result`** — row newly present in query output (compliance hit, new mount, schedule stat, etc.) |
+| `removed` | detection | high | 4× `"action":"removed"` in `test-osquery.log` (e.g. `pack_it-compliance_mounts`, path `/private/var/vm`) | **`result`** — row no longer returned by query |
+| `changed` | detection | moderate | Documented in `fields.yml` (`osquery.result.action`); osquery differential spec | **`result`** — row value changed between runs; **not present** in test fixture |
+
+There is no per-event security or administrative verb. Pair with `rule.name` (query/pack name) and `osquery.result.columns.*` to interpret *what* changed, not *who* changed it.
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `osquery.result.action` | yes | yes | `added`, `removed` | no | Vendor source; retained under `osquery.result.*`; copied by `default.yml` L70–73 |
+| `event.action` | yes | partial | `added` (`sample_event.json`); `removed` (test log) | no | Correct for osquery differential semantics; **not** an audit-grade operation verb |
+| `event.type` | no | n/a | `[info]` (static) | no | `default.yml` L68–69 — ECS event type, not action |
+| `event.kind` | no | n/a | `event` (static) | no | `default.yml` L65–66 — document kind, not action |
+| `osquery.result.name` | no | n/a | e.g. `pack_osquery-monitoring_schedule` | no | Mapped to `rule.name` (`default.yml` L157–158) — identifies query/pack, not differential verb |
+| `rule.name` | no | n/a | — | no | Query context field; correctly separate from `event.action` |
+
+**Step 2b — per-stream check:**
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `result` | yes | yes | `osquery.result.action` | high | `sample_event.json`: `added`; `default.yml` L70–73; `test-osquery.log`: `added` (2,209), `removed` (4) |
+
+No `event.action` enhancement recommended — mapping is complete for osquery differential actions. Do not substitute `rule.name` or `event.type` for `event.action`.
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Monitored endpoint | host | — | high | `osquery.result.decorations.host_uuid` → `host.id`; `osquery.result.host_identifier` → `host.hostname`; `related.hosts` (`default.yml`; `ubuntu-xenial` / `192-168-0-4.rdsnet.ro` in test log) | **`result`** — host where `osqueryd` runs; implicit collection scope on every event |
+| Interactive user (decoration) | user | — | high | `osquery.result.decorations.username` → `user.name`, `related.user` (`default.yml`; `ubuntu`, `tsg` in all 2,213 test events) | **`result`** — logged-in or configured decoration user; not proof of who triggered the query |
+| osquery daemon process | general | process | moderate | `osquery.result.decorations.name`/`path`/`pid` (`fields.yml`; `osqueryd`, `/usr/bin/osqueryd`, `10917` on `system_info` query in test log) | **`result`** — optional decoration when enabled; **not** mapped to ECS `process.*` |
+| Column-level process name | general | process | moderate | `osquery.result.columns.process` → `process.name` (`default.yml`; `pack_it-compliance_alf_explicit_auths`, `pack_it-compliance_alf_services`) | **`result`** — process named in query row (e.g. ALF exception auth); only `process.name` promoted |
+| Column-level account owner | user | — | low | `osquery.result.columns.username`, `uid`, `gid`, `groupname`, `user_uuid` in `fields.yml`; present on browser-plugin, extension, and disk-encryption rows in test log | **`result`** — file/plugin owner from osquery table; **not** mapped to ECS `user.*` (only decoration username is) |
+| Scheduled query / pack | general | detection-rule | high | `osquery.result.name` → `rule.name` (e.g. `pack_osquery-monitoring_schedule`, `pack_it-compliance_mounts` in test log) | **`result`** — identifies which query produced the row; compliance or hunt context, not a human actor |
+| Elastic Agent collector | service | — | low | `agent.*`, `elastic_agent.*` in `sample_event.json` | **`result`** — log shipper; not an osquery principal |
+
+**No audit actor identity:** osquery results carry no administrator, API caller, or session principal. Differential `event.action` values (see Event action above) describe query-result state, not who triggered an OS change.
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `host.id` | Collection host UUID | yes | yes | high | `default.yml` set from `osquery.result.decorations.host_uuid`; `sample_event.json` |
+| `host.hostname` | osquery host identifier | yes | yes | high | `default.yml` set from `osquery.result.host_identifier`; `sample_event.json` |
+| `host.name`, `host.ip`, `host.os.*` | Agent-enriched host metadata | yes | n/a | high | `sample_event.json`, `agent.yml` — Elastic Agent scope, not osquery decoration |
+| `user.name` | Decoration username | yes | partial | high | `default.yml` from `osquery.result.decorations.username` — configured/logged-in user context, not query trigger |
+| `related.user` | Enrichment array | yes | yes | high | `default.yml` append from `user.name` |
+| `related.hosts` | Enrichment array | yes | yes | high | `default.yml` append from `host.hostname` |
+| `process.name` | Column process name | yes | partial | moderate | `default.yml` from `osquery.result.columns.process` — row subject, not daemon actor |
+| `rule.name` | Query/pack name | yes | partial | high | `default.yml` from `osquery.result.name` — detection/compliance context, not ECS rule engine |
+| `osquery.result.decorations.name`/`path`/`pid` | osqueryd process decoration | yes (vendor) | n/a | moderate | `fields.yml`; present on `system_info` in test log; no ECS `process.*` promotion |
+| `osquery.result.decorations.username` | Canonical decoration user | yes (vendor) | yes | high | Source for `user.name`; retained under vendor namespace |
+| `osquery.result.host_identifier` | Canonical host identifier string | yes (vendor) | yes | high | Source for `host.hostname`; retained under vendor namespace |
+| `osquery.result.columns.username`, `uid`, `gid`, `groupname`, `user_uuid` | Row-level account owner | yes (vendor) | n/a | moderate | `fields.yml`; query-dependent; no ECS user mapping |
+| `agent.id`, `agent.name` | Elastic Agent collector | yes | n/a | low | `sample_event.json` — shipper, not event actor |
+| `cloud.*`, `container.*` | Deployment scope | yes | n/a | moderate | `agent.yml`; agent metadata when present |
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 2 — Resource / object | File on disk | File path / inode | general | file | high | `osquery.result.columns.path`/`filename`/`directory`/`inode`/`mode`/`size`/`atime`/`mtime`/`ctime` → ECS `file.*` (`default.yml`, `fields.yml`; majority of file-column rows, e.g. `pack_ossec-rootkit_*`, `pack_it-compliance_keychain_items`) | **`result`** — primary subject for rootkit hunts and compliance file checks |
+| 2 — Resource / object | Installed software package | Debian/Homebrew/macOS package | general | software-package | high | `columns.name`, `version`, `arch`, `source`, `revision` (`pack_it-compliance_deb_packages`); `path`/`version` (`pack_it-compliance_homebrew_packages`); `package_id`/`installer_name` (`pack_it-compliance_package_receipts`) | **`result`** — package inventory; no ECS `package.*` promotion |
+| 2 — Resource / object | macOS application / bundle | Installed application | general | application | high | `bundle_identifier`, `bundle_name`, `display_name`, `bundle_executable`, `bundle_version` (`pack_it-compliance_installed_applications` in test log) | **`result`** — installed app inventory |
+| 2 — Resource / object | Browser plugin / extension | Browser add-on | general | browser-extension | high | `identifier`, `name`, `path`, `author`, `update_url` (`pack_it-compliance_browser_plugins`, `pack_it-compliance_chrome_extensions`, `pack_it-compliance_firefox_addons`) | **`result`** — extension inventory |
+| 2 — Resource / object | Launch daemon / agent | launchd item | service | launchd | high | `label`, `program`, `program_arguments`, `path`, `run_at_load`, `start_interval` (`pack_it-compliance_launchd`) | **`result`** — persistence and startup item visibility |
+| 2 — Resource / object | Kernel module | Loaded module | general | kernel-module | moderate | `name`, `address`, `size`, `status`, `used_by` (`pack_it-compliance_kernel_modules`) | **`result`** — loaded module snapshot |
+| 2 — Resource / object | Filesystem mount | Mount point | general | mount | moderate | `device`, `path`, `type`, block/inode counters (`pack_it-compliance_mounts`; `removed` action on `/private/var/vm` in test log) | **`result`** — mount-point inventory |
+| 2 — Resource / object | USB device | Attached hardware | general | usb-device | moderate | `vendor`, `model`, `serial`, `usb_address`, `usb_port`, `class` (`pack_it-compliance_usb_devices`) | **`result`** — attached hardware |
+| 2 — Resource / object | Keychain item | macOS keychain entry | general | credential-store | moderate | `label`, `path`, `type`, `created`, `modified` (`pack_it-compliance_keychain_items`) | **`result`** — keychain inventory |
+| 2 — Resource / object | Disk encryption volume | Encrypted volume | general | encrypted-volume | moderate | `uuid`, `encrypted`, `name`, `type`, `uid`, `user_uuid` (`pack_it-compliance_disk_encryption`) | **`result`** — FileVault/volume encryption state |
+| 2 — Resource / object | Firewall / SIP posture | Host security config | general | security-config | moderate | ALF: `global_state`, `stealth_enabled`, `allow_signed_enabled` (`pack_it-compliance_alf`); SIP: `config_flag`, `enabled` (`pack_it-compliance_sip_config`); ALF exceptions: `path`, `state` | **`result`** — host security configuration, not a network peer |
+| 2 — Resource / object | Monitored endpoint (attribute snapshot) | Local host | host | — | moderate | `cpu_brand`, `physical_memory`, `hostname` (`system_info`); `build`, `version`, `platform` (`pack_it-compliance_os_version`) | **`result`** — endpoint attribute snapshot; measured object, not audit target of an action |
+| 3 — Content / artifact | Remote URL (extension source) | Download/update URL | general | url | low | `columns.source_url` → `url.full` when value is not the string `null` (`default.yml`; URL rows in test log) | **`result`** — browser-addon download/update URL only |
+| 3 — Content / artifact | Query schedule row (monitoring) | Per-query execution stats | general | query-schedule | moderate | `columns.name` (sub-query), `executions`, `interval`, `last_executed`, `wall_time` (`pack_osquery-monitoring_schedule`; matches `sample_event.json`) | **`result`** — meta-artifact: osquery pack execution stats, not an OS object |
+
+**No meaningful audit target:** Differential `event.action` (`added`/`removed`/`changed`) and static `event.type: info` describe **state appearance/disappearance** in query results, not authorization outcomes. Layer 1 (platform/cloud service) does not apply—on-host SQL inventory, not a SaaS API invocation.
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `file.path`, `file.name`, `file.directory`, `file.inode`, `file.mode`, `file.size`, `file.type`, `file.uid`, `file.gid`, `file.accessed`, `file.created`, `file.mtime` | 2 | general | yes | yes | context-only | no | `default.yml` from `osquery.result.columns.*`; `ecs.yml`; file-column rows in test log |
+| `process.name` | 2 | general | yes | partial | context-only | no | `default.yml` from `columns.process` — row subject (ALF auth), not `process.target.*` |
+| `url.full` | 3 | general | yes | yes | context-only | no | `default.yml` from `columns.source_url` when not `null` |
+| `rule.name` | 3 | general | yes | partial | context-only | no | `default.yml` from `osquery.result.name` — query/pack identifier |
+| `host.hostname`, `host.id` | 2 | host | yes | n/a | context-only | no | Measurement subject (monitored endpoint), not `host.target.*` |
+| `osquery.result.columns.*` (unmapped) | 2 | varies | yes (vendor) | n/a | context-only | no | Full query row retained; schema varies by SQL — packages, apps, launchd, mounts, USB, keychain, etc. (`fields.yml`) |
+| `event.action` | 3 | general | yes | partial | context-only | no | `default.yml` L70–73 from `osquery.result.action` — differential verb, not audit target |
+| `osquery.result.action` | 3 | general | yes (vendor) | yes | context-only | no | Canonical differential label; source for `event.action` |
+| `osquery.result.name` | 3 | general | yes (vendor) | n/a | context-only | no | Canonical query name; also mapped to `rule.name` |
+
+No `user.target.*`, `host.target.*`, `service.target.*`, `entity.target.*`, or `destination.*` identity fields anywhere in the package.
+
+### Gaps and mapping notes
+
+- **`event.action` mapped and semantically correct for osquery:** `osquery.result.action` → `event.action` (`default.yml` L70–73). Values are differential state labels (`added`, `removed`, `changed`), not security audit verbs — no further mapping needed; do not overload with `rule.name` or query pack names.
+- **Inventory telemetry, not audit events:** Query result logs report OS state snapshots and differential changes. No administrator, API caller, or authorization outcome is recorded.
+- **Fixed ECS promotion subset:** Pipeline maps only file, decoration user/host, column process name, source URL, and query name. Most row identity (`columns.username`, `uid`, `bundle_identifier`, `label`, etc.) stays vendor-only under `osquery.result.columns.*`.
+- **`user.name` from decoration only:** Column-level account owners are not promoted to ECS `user.*`; only `osquery.result.decorations.username` maps to `user.name`. Do not treat decoration user as the actor who triggered the query.
+- **`file.uid`/`file.gid` vs user identity:** File ownership columns map to `file.uid`/`file.gid`, not `user.id` — correct for file metadata, not account target identity.
+- **`process.name` ambiguity:** Maps from row `columns.process` (ALF exception subject) and is not the osqueryd daemon (`decorations.name`/`pid` stay vendor-only).
+- **No de-facto targets under `destination.*`:** Package does not use `destination.user.*` or `destination.host.*`; aligns with `destination_identity_hits.csv` absence. +- **No ECS `*.target.*` fields:** Aligns with target-fields audit classification **`none`**. Enhancement to official target buckets is not applicable without log-based audit semantics. +- **Pair with audit integrations:** System auth logs, Auditd, Sysmon, or Elastic Defend for audit-grade actor/target coverage. + +### Per-stream notes + +#### result + +Single log stream tailing `osqueryd` JSON result logs. Every event includes `osquery.result.name` (query/pack), `osquery.result.action` → `event.action` (`added`/`removed`/`changed`), and host decorations. The ingest pipeline copies the raw JSON under `osquery.result.*`, promotes a **fixed subset** of file/process/user/url columns to ECS, and sets `rule.name` from the query name. Target identity is **entirely query-dependent**: IT-compliance packs in the test fixture cover macOS posture (ALF, SIP, launchd, keychain, apps, extensions, mounts, USB); rootkit packs emit file-path hits; `pack_osquery-monitoring_schedule` reports per-query execution metrics. Because schemas vary by SQL, most row fields stay vendor-namespaced—pair with `event.action` + `rule.name` filters or custom ingest for richer ECS entity mapping. + +## Example Event Graph + +Examples below come from the single **`result`** stream. These are scheduled query result logs (inventory and compliance telemetry), not administrative audit records. `event.action` values (`added`, `removed`) describe differential state in query output, not who performed an OS change. 
+ +### Example 1: Query schedule execution stats + +**Stream:** `osquery.result` · **Fixture:** `packages/osquery/data_stream/result/sample_event.json` + +``` +Monitored host (ubuntu-xenial) → added → query schedule stats row (pack_ossec-rootkit_55808.a_worm) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | 72E1287B-D1BC-4FC6-B9D8-64F4352776A9 | +| name | ubuntu-xenial | +| type | host | + +**Field sources:** +- `id ← osquery.result.decorations.host_uuid` (mapped to `host.id`) +- `name ← osquery.result.host_identifier` (mapped to `host.hostname`) + +#### Event action + +| Field | Value | +| --- | --- | +| action | added | +| source_field | `event.action` | +| source_value | added | + +Differential label — the host did not perform an add operation; the row newly appeared in scheduled query output (`osquery.result.name`: `pack_osquery-monitoring_schedule`). + +#### Target + +| Field | Value | +| --- | --- | +| id | pack_ossec-rootkit_55808.a_worm | +| name | pack_ossec-rootkit_55808.a_worm | +| type | general | +| sub_type | query-schedule | + +**Field sources:** +- `id ← osquery.result.columns.name` (sub-query name within `pack_osquery-monitoring_schedule`) +- `name ← osquery.result.columns.name` +- Query pack context ← `rule.name` / `osquery.result.name` (`pack_osquery-monitoring_schedule`) + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: ubuntu-xenial"] --> E["added"] + E --> T["Target: schedule stats row"] +``` + +### Example 2: Rootkit hunt file row appeared + +**Stream:** `osquery.result` · **Fixture:** `packages/osquery/data_stream/result/_dev/test/pipeline/test-osquery.log` (line 61, `pack_ossec-rootkit_adore_worm`) + +``` +Monitored host (ubuntu-xenial) → added → file /usr/bin/adore +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | 72E1287B-D1BC-4FC6-B9D8-64F4352776A9 | +| name | ubuntu-xenial | +| type | host | + +**Field sources:** +- `id ← osquery.result.decorations.host_uuid` +- `name ← osquery.result.host_identifier` + 
+#### Event action + +| Field | Value | +| --- | --- | +| action | added | +| source_field | `event.action` | +| source_value | added | + +#### Target + +| Field | Value | +| --- | --- | +| id | /usr/bin/adore | +| name | adore | +| type | general | +| sub_type | file | + +**Field sources:** +- `id ← osquery.result.columns.path` (mapped to `file.path`) +- `name ← osquery.result.columns.filename` (mapped to `file.name`) + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: ubuntu-xenial"] --> E["added"] + E --> T["Target: /usr/bin/adore"] +``` + +### Example 3: Mount point no longer in query results + +**Stream:** `osquery.result` · **Fixture:** `packages/osquery/data_stream/result/_dev/test/pipeline/test-osquery.log` (line 1, `pack_it-compliance_mounts`) + +``` +Monitored host (192-168-0-4.rdsnet.ro) → removed → mount /private/var/vm +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | 4AB2906D-5516-5794-AF54-86D1D7F533F3 | +| name | 192-168-0-4.rdsnet.ro | +| type | host | + +**Field sources:** +- `id ← osquery.result.decorations.host_uuid` +- `name ← osquery.result.host_identifier` + +#### Event action + +| Field | Value | +| --- | --- | +| action | removed | +| source_field | `event.action` | +| source_value | removed | + +#### Target + +| Field | Value | +| --- | --- | +| id | /private/var/vm | +| name | /private/var/vm | +| type | general | +| sub_type | mount | + +**Field sources:** +- `id ← osquery.result.columns.path` (mapped to `file.path`) +- `name ← osquery.result.columns.path` +- `sub_type ← rule.name` / query pack `pack_it-compliance_mounts` (mount inventory) + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: 192-168-0-4.rdsnet.ro"] --> E["removed"] + E --> T["Target: /private/var/vm"] +``` + +## ES|QL Entity Extraction + +**Package type: agent-backed** (`policy_templates`, single `data_stream/result` with Tier A fixtures: `sample_event.json`, `test-osquery.log` / `test-osquery.log-expected.json`, ingest pipeline `default.yml`). 
Router: **`data_stream.dataset == "osquery.result"`** per `sample_event.json`; scope with `FROM logs-osquery-*` or unscoped `FROM logs-*`. Pass 4 is **fill-gaps-only**, but this integration ingests **scheduled query result logs** (inventory, compliance, hunt telemetry), not administrative audit records. Cross-package queries do not use `WHERE data_stream.dataset` — embed `data_stream.dataset == "osquery.result"` in every CASE fallback branch when EVAL is added. `event.action` is populated at ingest from `osquery.result.action` (`added` / `removed` / `changed`) — differential row state, not security verbs. No ECS `*.target.*` at collection (target-fields audit **`none`**). Pass 3 confirms **no per-event Actor → action → Target audit graph** — collection host and query-row subjects are correlation context only. Package does not use `destination.*` identity fields (`destination_identity_hits.csv` absence). **No preserve-first `EVAL` blocks are produced** — document `osquery.result` under **Streams excluded** rather than promoting decoration `user.name`, ingest `file.*`, or vendor `osquery.result.columns.*` to audit `user.target.*` / `entity.target.*`. **Pass 4 tautology cleanup (§10):** ingest-populated `host.id`, `host.hostname`, `user.name`, `event.action`, and query-dependent `file.*` / `process.name` have no alternate query-time source (vendor paths renamed or retained under `osquery.result.*` only) — omit from actor/target/action `EVAL`; do not emit `CASE(actor_exists, col, …, col, null)`, `CASE(action_exists, event.action, …, event.action, null)`, or `CASE(target_exists, file.path, …, file.path, null)` / `entity.target.id` ← `file.path` mislabels row context as audit target. 
+ +### Dataset inventory + +| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction | +| --- | --- | --- | --- | --- | +| `osquery.result` | query result / inventory | — | — | none | + +### Field mapping plan + +No actor or target destination columns are populated. Audit-adjacent fields on `osquery.result` describe collection scope (`host.id`, `host.hostname`), decoration context (`user.name`), differential verbs (`event.action`), or query-row subjects (`file.*`, `process.name`, `url.full`, `rule.name`) — not principals or acted-upon resources in an audit trail (Pass 2/3). Columns below are **ingest-only — omit from ES|QL** (no alternate indexed source for audit extraction; fallback would repeat the same column per §10). + +#### Actor mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| — | — | — | — | No audit actor on `osquery.result`; `host.*` is collection scope | +| `host.id` | `osquery.result.decorations.host_uuid` → `host.id` | `data_stream.dataset == "osquery.result"` | high | **ingest-only — no ES\|QL** — `default.yml` L144–146; `sample_event.json`; omit — `CASE(actor_exists, host.id, …, host.id, null)` is identity no-op | +| `host.hostname` | `osquery.result.host_identifier` → `host.hostname` | `data_stream.dataset == "osquery.result"` | high | **ingest-only — no ES\|QL** — `default.yml` L140–142; omit — no flat query-time vendor path distinct from output | +| `user.name` | `osquery.result.decorations.username` → `user.name` | `data_stream.dataset == "osquery.result"` | high | **ingest-only — no ES\|QL** — decoration context, not query trigger (`default.yml` L132–134); omit — `CASE(actor_exists, user.name, …, user.name, null)`; column-level `osquery.result.columns.username` is vendor-only and must not wire as fallback | +| `process.name` | `osquery.result.columns.process` → `process.name` | `data_stream.dataset == 
"osquery.result"` | moderate | **ingest-only — no ES\|QL** — row subject (ALF exception), not daemon actor; omit from actor `EVAL` | + +#### Target mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| — | — | — | — | No audit target; query-result subjects are context-only (Pass 3) | +| `entity.target.id` / `entity.target.name` | — | `data_stream.dataset == "osquery.result"` | high | **omit** — `file.path` / `columns.path` are row inventory, not `entity.target.*`; `CASE(target_exists, entity.target.id, file.path, null)` mislabels hunt/compliance rows | +| `user.target.*` / `host.target.*` / `service.target.*` | — | `data_stream.dataset == "osquery.result"` | high | **omit** — no ECS `*.target.*` at ingest; promotion from `file.*` or `user.name` duplicates measurement dimensions | + +#### Event action mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `event.action` | `osquery.result.action` → `event.action` | `data_stream.dataset == "osquery.result"` | high | **ingest-only — no ES\|QL** — `default.yml` L70–73; every fixture row has `added` or `removed`; omit — `CASE(action_exists, event.action, …, event.action, null)` or `osquery.result.action` fallback is identity no-op; do not substitute `rule.name` | + +### Detection flags (mandatory — run first) + +Not applicable — stream excluded (inventory/compliance telemetry; no defensible preserve-first fallback without misclassifying decoration user, file row, or mount/package columns as audit actor/target). Do not emit detection flags solely to wrap tautological `CASE` on ingest-populated `host.*`, `user.name`, or `event.action`. + +### Combined ES|QL — actor fields + +Not applicable — stream excluded (inventory/compliance telemetry). 
Do not emit `CASE(actor_exists, host.id, host.id, null)`, `CASE(actor_exists, host.hostname, host.hostname, null)`, `CASE(actor_exists, user.name, user.name, null)`, or `CASE(actor_exists, user.name, data_stream.dataset == "osquery.result", osquery.result.decorations.username, null)` when decoration username is already copied to `user.name` at ingest. + +### Combined ES|QL — event action + +Not applicable — `event.action` ingest-only on every fixture row (`default.yml` L70–73). Do not emit `CASE(action_exists, event.action, event.action, null)` or `CASE(action_exists, event.action, data_stream.dataset == "osquery.result", osquery.result.action, null)` — vendor field is template source only; do not substitute `rule.name` or pack names for differential verbs. + +### Combined ES|QL — target fields + +Not applicable — stream excluded (inventory/compliance telemetry). Do not emit `CASE(target_exists, entity.target.id, file.path, null)`, `CASE(target_exists, user.target.name, user.name, null)`, or promote `osquery.result.columns.*` to `*.target.*` across 25+ query packs. + +### Streams excluded + +- **`osquery.result`** — Scheduled `osqueryd` JSON result logs (`logfile` input). `event.action` (`added`/`removed`/`changed`) describes query-row state deltas, not who changed OS state. `host.id` / `host.hostname` ← decorations identify where `osqueryd` runs, not audit principals. `file.*` / `process.name` / `url.full` are promoted row context, not `*.target.*`. Pair with System, Auditd, Sysmon, or Elastic Defend for audit-grade actor/target coverage. + +### Gaps and limitations + +- **Inventory telemetry by design:** No administrator, API caller, or authorization outcome in result logs; Pass 2/3 semantics forbid cross-integration actor/target `EVAL`. +- **Target-fields audit `none`:** No ECS `*.target.*` or `destination.*` fields; query-time promotion would guess wrong across 25+ query packs in `test-osquery.log`. 
+- **Pass 4 tautology cleanup (§10):** `host.id`, `host.hostname`, `user.name`, `event.action`, and ingest-promoted `file.*` / `process.name` omitted from all `EVAL` blocks — ingest-only with no distinct query-time fallback; `osquery.result.columns.username` stays vendor-only (do not wire as `user.name` fallback). +- **CASE arity (esql-entity-mapping §Syntax):** Forbidden **4-arg** `CASE(action_exists, event.action, osquery.result.action, null)` and `CASE(actor_exists, user.name, osquery.result.decorations.username, null)` — 3rd argument parses as a **condition**, not a fallback value; even **5-arg** `CASE(action_exists, event.action, data_stream.dataset == "osquery.result", osquery.result.action, null)` is an identity no-op because ingest already copies the vendor field. Valid **3-arg** `CASE(user.name IS NOT NULL, user.name, osquery.result.decorations.username)` is still omitted (decoration copied at ingest). Forbidden **4-arg** `CASE(target_exists, entity.target.id, file.path, null)` — `file.path` is a condition, not `entity.target.id`; row inventory must not map to `*.target.*`. +- **Query-dependent row schema:** `osquery.result.columns.*` varies by SQL; ingest promotes only a fixed subset (`file.*`, `process.name`, `url.full`, `rule.name`). +- **`process.name` ambiguity:** Maps from row `columns.process` (ALF exception subject), not `osqueryd` daemon (`decorations.name`/`pid` unmapped to ECS `process.*`). +- **Pass 2 alignment:** `event.action` ← `osquery.result.action` is complete at ingest; do not overload with `rule.name`. Enhancement to `*.target.*` requires audit semantics this package does not collect. diff --git a/dev/domain/p1/ping_federate.md b/dev/domain/p1/ping_federate.md new file mode 100644 index 00000000000..5a01c7a276c --- /dev/null +++ b/dev/domain/p1/ping_federate.md 
@@ -0,0 +1,457 @@
+# ping_federate
+
+## Product Domain (PingFederate SSO/IAM)
+
+PingFederate is Ping Identity’s enterprise federated identity server for single sign-on (SSO), identity federation, and access management. Organizations deploy it on-premises or in hybrid environments to act as an identity provider (IdP), service provider (SP), or both—brokering trust between applications, partners, and user directories via standards such as SAML 2.0, OAuth 2.0, and OpenID Connect.
+
+At its core, PingFederate manages authentication and authorization flows, token and session lifecycle, connection/partner configuration, and administrative operations through the Administrative Console and Administrative API. Security-relevant activity falls into two log families: admin audit records (who changed what in the platform) and security audit records (authentication, authorization, and federation transactions). These logs support compliance, SSO troubleshooting, and detection of unauthorized access or misconfiguration.
+
+The Elastic PingFederate integration ingests both log types via Elastic Agent—admin logs from `admin.log` (pipe-delimited format, filestream only) and audit logs in CEF format (filestream, TCP, or UDP/syslog). Events are parsed into ECS-aligned fields for search, dashboards, and correlation with broader SIEM data.
+
+## Data Collected (brief)
+
+- **Admin logs** (`ping_federate.admin`): Actions in the Administrative Console and via the Administrative API, collected from `admin.log` via filestream.
+- **Admin context**: Administrator username, roles, source IP, PingFederate component, event type and detail ID, and message; mapped to ECS `user`, `source`, and `event.action`/`event.category`.
+- **Audit logs** (`ping_federate.audit`): Authentication, authorization, and federation transactions in CEF format, via filestream, TCP, or UDP.
+- **Federation details**: Subject/user, protocol (e.g., SAML20), IdP/SP role, connection/partner ID, target application URL, attributes, local user ID, tracking ID, and transaction status (success/failure).
+- **Outcome and timing**: Event code (e.g., `AUTHN_SESSION_DELETED`), outcome, severity, response time, client source IP, and observer hostname/version.
+
+## Expected Audit Log Entities
+
+Both data streams are true audit logs: **`ping_federate.admin`** (Administrative Console/API changes) and **`ping_federate.audit`** (CEF security audit for authentication, authorization, and federation transactions). There are no metrics, inventory-sync, or network-telemetry streams. No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*` fields are populated. The target-fields audit classifies ping_federate as **`strong_candidate`** with `pipeline_dest_identity=true` but no tier-A ECS targets (`dev/target-fields-audit/out/target_enhancement_packages.csv`).
+
+**`event.action` is populated on both streams.** Admin events map `ping_federate.admin.event.type` → `event.action` (lowercased; e.g. `rotate`). Audit events map CEF signature `cef.name` → `ping_federate.audit.event` → `event.action` (lowercased; e.g. `authn_session_deleted`). The Agent also sets `event.code` on audit events with the uppercase CEF signature (e.g. `AUTHN_SESSION_DELETED`) — complementary to `event.action`, not a substitute.
+
+**`destination.user.*` de-facto target check:** The Agent CEF input pre-parses CEF `duid=` / `destinationUserId` into transient `destination.user.id` (visible in `test-audit.json` input fixtures). The audit pipeline copies `cef.extensions.destinationUserId` → `ping_federate.audit.subject` → **`user.name`** (actor) and then **removes** `destination.user.id` (`default.yml` L347–352). Final documents have **no** `destination.user.*` — the CEF "destination user" label is misleading; it is the federated **subject/actor**, not an acted-upon target.
The actual user target (`SP Local User ID`) stays vendor-only as `ping_federate.audit.local_user_id`.
+
+Evidence: `packages/ping_federate/data_stream/admin/sample_event.json`, `admin/_dev/test/pipeline/test-admin.log-expected.json` (1 fixture), `audit/sample_event.json`, `audit/_dev/test/pipeline/test-audit.json-expected.json` (4 fixtures), `audit/elasticsearch/ingest_pipeline/default.yml`, `admin/elasticsearch/ingest_pipeline/default.yml`, `fields/fields.yml`.
+
+### Event action (semantic)
+
+PingFederate records a native operation name per event. Admin logs carry a pipe-delimited **event type** (`ROTATE`, `CREATE`, `MODIFY`, …); audit logs carry a CEF **signature ID** (`AUTHN_SESSION_DELETED`, `SSO`, `OAuth`, …). Both pipelines copy the vendor value to `event.action` and lowercase it.
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `rotate` | configuration_change | high | `test-admin.log-expected.json`; `sample_event.json` `event.action: rotate` | **`ping_federate.admin`** — `LICENSE` component rotation; pipeline sets `event.category: [configuration]`, `event.type: [change]` |
+| `authn_session_deleted` | session | high | `test-audit.json-expected.json` events 1, 3; `sample_event.json` | **`ping_federate.audit`** — session teardown; pipeline sets `event.category: [session]`, `event.type: [end]` |
+| `authn_session_used` | session | high | `test-audit.json-expected.json` event 2 | Session activity; pipeline sets `event.category: [session]`, `event.type: [info]` |
+| `unknown_type` | general | high | `test-audit.json-expected.json` event 4 | Minimal CEF with no extensions; no category/type enrichment |
+
+Pipeline category rules support additional admin actions not covered by fixtures: `login_attempt`, `logout`, `password_change` (authentication); `import`, `create`, `delete`, `modify` (configuration); `role_change`, `activate` (iam); any type containing `session` (session).
Audit pipeline supports `sso`, `slo`, `oauth`, `authn_attempt`, `authn_request`, `authn_session_created`, `sri_revoked` — confidence **medium** (pipeline logic only; deploy sample logs show `AUTHN_ATTEMPT`).
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `ping_federate.admin.event.type` → `event.action` | yes | yes | `rotate` | no | `set` + `lowercase` admin pipeline L214–221; grok extracts from pipe-delimited log |
+| `cef.name` → `ping_federate.audit.event` → `event.action` | yes | yes | `authn_session_deleted`, `authn_session_used`, `unknown_type` | no | Audit pipeline L37–50: `rename` cef.name, then `set` + `lowercase` |
+| `event.code` (Agent CEF) | no (separate field) | yes | `AUTHN_SESSION_DELETED`, `AUTHN_SESSION_USED`, `UNKNOWN_TYPE` | no | Uppercase CEF signature on audit fixtures; complements lowercased `event.action` |
+| `ping_federate.admin.component` | no | n/a | — | partial | Subsystem context (`LICENSE`, `USER`, `SSO`, …); could enrich action as `{component}.{type}` but not mapped |
+| `event.category` / `event.type` | n/a (downstream) | yes | Derived from action + component rules | no | Admin/audit pipelines append category/type based on `event.type` or `ping_federate.audit.event`; not independent action sources |
+| `ping_federate.audit.status` | no | n/a | — | no | Outcome qualifier (`success`, `failure`, `in progress`); maps to `event.outcome`, not the operation name |
+
+**Step 2b — per-stream check:**
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`?
| Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `ping_federate.admin` | yes | yes | `ping_federate.admin.event.type` (grok `event.type` column) | high | `set` L214–217 + `lowercase` L219–221; fixture value `rotate` |
+| `ping_federate.audit` | yes (all 4 events) | yes | `cef.name` → `ping_federate.audit.event` | high | `rename` L37–40 + `set` L42–46 + `lowercase` L47–50 |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Administrator or API user | user | — | high | `ping_federate.admin.user` → `user.name` (`Administrator` in fixture); comma-split roles → `user.roles` (`UserAdmin`, `Admin`, `CryptoAdmin`, `ExpressionAdmin`); `related.user` includes admin username | **`ping_federate.admin`** — canonical actor for config/IAM changes |
+| Admin client source IP | host | — | high | `ping_federate.admin.ip` → `source.ip` + geoip (`81.2.69.142` in fixture); `related.ip` | Network origin of admin session |
+| Federated end-user subject | user | — | high | CEF `destinationUserId` / raw `duid=` → `ping_federate.audit.subject` → `user.name` (`joe`, `moe` in audit fixtures; `sample_event.json`) | **`ping_federate.audit`** — authenticating/accessing user; CEF field name says "destination" but pipeline maps to actor ECS `user.name` |
+| Client source IP | host | — | high | CEF `sourceAddress` → `ping_federate.audit.ip` → `source.ip` + geoip (all audit fixtures with subject) | Browser/client network origin |
+| PingFederate federation role | general | federation-role | medium | `ping_federate.audit.role` → `user.roles` (`IdP` in full `AUTHN_SESSION_DELETED` fixture; absent for minimal `moe` events) | Transaction role (IdP/SP), **not** admin RBAC — semantically imprecise under `user.roles` |
+
+**`ping_federate.audit` — no actor:** `UNKNOWN_TYPE` fixture (event 4) has no subject, source IP, or `user.*` populated.
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `user.name` | Admin or federated subject username | yes | yes | high | **admin:** `ping_federate.admin.user` copy (L176–179); **audit:** `cef.extensions.destinationUserId` → subject → `user.name` (L223–231) |
+| `user.roles` | Admin RBAC roles or federation IdP/SP role | yes | partial | high | **admin:** comma-split `ping_federate.admin.roles` (L186–213); **audit:** `ping_federate.audit.role` → `user.roles` (L271–302) — federation role is not an ECS user role |
+| `source.ip` / `source.geo` | Client network origin | yes | yes | high | Both pipelines: vendor IP → `source.ip` + geoip (admin L245–254; audit L316–325) |
+| `related.user` | Actor enrichment bag | yes | partial | high | Appends admin username, audit subject, and **`local_user_id`** (audit L216–221, L232–237) — `local_user_id` is a **target**, not actor |
+| `related.ip` | IP enrichment bag | yes | yes | high | Client IP and observer IP appended |
+| `ping_federate.admin.user` / `.roles` | Admin identity (vendor) | yes (with `preserve_duplicate_custom_fields`) | yes | high | Retained in sample_event; removed in default ingest unless tag set |
+| `ping_federate.audit.subject` | Federated user (vendor) | yes (with tag) | yes | high | Canonical vendor actor; copied to `user.name` then removed by default |
+| `destination.user.id` | CEF-parsed subject ID | no (removed) | n/a | high | Set by Agent CEF input from `destinationUserId`; explicitly removed L350 — **not** a persisted de-facto target |
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Platform / cloud service | PingFederate IAM server processing the transaction | PingFederate | service | — | medium | `observer.product: PingFederate`,
`observer.vendor: Ping Identity`; no `cloud.service.name` | On-prem/hybrid deployment; observer is the platform node, not the remote SP |
+| 2 — Resource / object | PingFederate subsystem or federation object acted upon | varies | varies | see rows below | high | Admin: `component` + `event.type`; Audit: connection, application URL, local user | No ECS `*.target.*` mapping |
+| 3 — Content / artifact | Human-readable detail, attributes, correlation handles | message, attributes, tracking ID | general | audit_detail, assertion-attributes, correlation_id | medium | `message`, `ping_federate.audit.attributes`, `ping_federate.audit.tracking_id` | Session tracking ID is correlation, not a durable entity |
+
+**Layer 2 — admin stream (`ping_federate.admin`):**
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence |
+| --- | --- | --- | --- | --- |
+| PingFederate subsystem under administration | general | configuration-component | high | `ping_federate.admin.component` (`LICENSE` in fixture; pipeline supports `USER`, `SSO`, `OAuth`, etc.)
+ `ping_federate.admin.event.type` (`ROTATE`, `CREATE`, `MODIFY`, `DELETE`, …) + `event.id` ← `event.detail_id` |
+| IAM user account (when component=USER) | user | — | medium | Expected from pipeline category rules (`CREATE`+`USER`, `ROLE_CHANGE`, `ACTIVATE` → `event.category: iam`); not observed in fixtures |
+
+**Layer 2 — audit stream (`ping_federate.audit`):**
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence |
+| --- | --- | --- | --- | --- |
+| Service provider / relying party application | general | application | high | `url.full` ← `ping_federate.audit.app` (CEF cs1 *Target Application URL*; populated in full fixture; empty in minimal `moe` session events) |
+| Federation partner / connection | general | federation-connection | high | `ping_federate.audit.connection_id` (CEF cs2; `sp:cloud:saml2` in full fixture) |
+| SP-linked local account (account linking) | user | — | medium | `ping_federate.audit.local_user_id` (CEF cs5; `idlocal` in full fixture) — distinct from federated subject actor |
+| Federation protocol | general | protocol | high | `ping_federate.audit.protocol` (CEF cs3; `SAML20`) |
+
+Minimal `AUTHN_SESSION_USED`/`AUTHN_SESSION_DELETED` fixtures for `moe` and `UNKNOWN_TYPE` expose actor only — no Layer 2 federation targets.
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate?
| Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `ping_federate.admin.component` | 2 | general | yes (vendor) | n/a | `entity.target.name` / `service.target.name` | yes | Subsystem under change (`LICENSE`, `USER`, …); paired with `event.type` |
+| `ping_federate.admin.event.type` / `event.action` | 2 | general | yes | yes (action context) | context-only | no | Operation on the component (`rotate`, `create`, `modify`, …) |
+| `event.id` ← `event.detail_id` | 2 | general | yes | yes | context-only | no | Unique sub-transaction identifier |
+| `message` | 3 | general | yes | yes | context-only | no | Human-readable change detail (`- Login was successful`) |
+| `url.full` / `ping_federate.audit.app` | 2 | general | yes | yes | `service.target.entity.id` (URL) | yes | CEF cs1 *Target Application URL* — primary SP/relying-party target |
+| `ping_federate.audit.connection_id` | 2 | general | yes (vendor) | n/a | `entity.target.id` / `service.target.entity.id` | yes | CEF cs2 partner/connection identifier |
+| `ping_federate.audit.local_user_id` | 2 | user | yes (vendor) | n/a | `user.target.id` | yes | CEF cs5 SP local user — account-linking target; wrongly mixed into `related.user` with actor |
+| `ping_federate.audit.protocol` | 2 | general | yes (vendor) | n/a | context-only | no | Protocol context (`SAML20`) |
+| `ping_federate.audit.attributes` | 3 | general | yes (vendor) | n/a | context-only | no | SAML/OAuth attribute bag; not parsed to ECS |
+| `ping_federate.audit.tracking_id` | 3 | general | yes (vendor) | n/a | context-only | no | Session correlation handle (`tid:ae14b5ce8`) |
+| `observer.hostname` / `ping_federate.audit.host.name` | 1 | service | yes | yes (observer) | context-only | no | PingFederate node (`dvchost`); observer role, not remote application target |
+| `destination.user.id` | — | user | no (removed) | n/a | would be `user.target.id` if retained | no | Transient CEF parse of federated **subject**; remapped to `user.name`
(actor) and stripped — **not** a de-facto target |
+
+### Gaps and mapping notes
+
+- **`event.action` mapping is correct on both streams:** Admin `event.type` and audit CEF `cef.name` are copied to `event.action` and lowercased. No primary enhancement needed. Optional: composite action label `{component}.{type}` (e.g. `license.rotate`) from `ping_federate.admin.component` + `event.action` for finer-grained admin queries.
+- **No ECS `*.target.*` today** — admin targets stay in `ping_federate.admin.component`; audit federation targets stay vendor-namespaced except `url.full`. Enhancement: map `local_user_id` → `user.target.id`, `connection_id` → `entity.target.id` or `service.target.entity.id`, `app`/`url.full` → `service.target.entity.id`.
+- **`destination.user.id` is not a de-facto target** — listed in `destination_identity_hits.csv` only because the pipeline **removes** it (L350). CEF `destinationUserId`/`duid` is the federated subject mapped to **`user.name`** (actor). Do not migrate to `user.target.*`.
+- **`related.user` conflates actor and target** — audit pipeline appends both `ping_federate.audit.subject` (actor) and `ping_federate.audit.local_user_id` (SP local account target) to the same bag.
+- **`user.roles` on audit events holds federation role** — `IdP`/`SP` copied to ECS `user.roles` is semantically imprecise (`Mapping correct?`: partial); admin RBAC roles on the admin stream map correctly.
+- **Outcome parsing quirk** — full audit fixture has CEF `msg=success` in input but `ping_federate.audit.status: failure` in expected output (status derived from alternate CEF `message` extension path); verify against production CEF field usage.
+- **Target-fields audit alignment** — `strong_candidate` with `ecs_target_tierA_audit=false`, `pipeline_dest_identity=true` (remove-step reference), `pipeline_actor=false` (heuristic missed explicit `user.name` mapping), `fixture_strong=false`. Stakeholder matrix: identified potential, categories authentication/iam.
+
+### Per-stream notes
+
+#### `ping_federate.admin`
+
+Pipe-delimited `admin.log` grok extracts administrator, roles, IP, component, event type, detail ID, and message. **`event.action`** ← lowercased `event.type` (`rotate` in fixture). Categories inferred from `event.type` + `component` (authentication, configuration, iam, session). Single pipeline fixture (`LICENSE`/`ROTATE`); broader components (`USER`, `SSO`, `OAuth`) and actions (`create`, `modify`, `login_attempt`, …) supported but unverified in tests. Observer vendor/product statically set.
+
+#### `ping_federate.audit`
+
+CEF pre-parsed by Agent; pipeline maps federation fields from CEF extensions. **`event.action`** ← lowercased CEF signature (`authn_session_deleted`, `authn_session_used`, `unknown_type` in fixtures); **`event.code`** retains uppercase signature. Session lifecycle (`AUTHN_SESSION_*`) and auth/federation events (`SSO`, `SLO`, `OAuth`, `AUTHN_ATTEMPT`, `AUTHN_REQUEST`, `SRI_REVOKED`) categorized; fixtures cover `AUTHN_SESSION_*` and `UNKNOWN_TYPE` only. Deploy sample logs also show `AUTHN_ATTEMPT` with IPv6 client source and richer connection/protocol fields.
+
+## Example Event Graph
+
+Both streams are true audit logs: **`ping_federate.admin`** (Administrative Console/API changes) and **`ping_federate.audit`** (CEF security audit for authentication and federation). Examples below use pipeline expected fixtures and `sample_event.json`.
+
+### Example 1: Administrator rotates license component
+
+**Stream:** `ping_federate.admin` · **Fixture:** `packages/ping_federate/data_stream/admin/_dev/test/pipeline/test-admin.log-expected.json`
+
+```
+Administrator (admin user) → rotate → LICENSE subsystem
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| name | Administrator |
+| type | user |
+| geo | London, United Kingdom |
+| ip | 81.2.69.142 |
+
+**Field sources:**
+- `name` ← `user.name` ← `ping_federate.admin.user`
+- `geo` ← `source.geo.city_name`, `source.geo.country_name`
+- `ip` ← `source.ip` ← `ping_federate.admin.ip`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | rotate |
+| source_field | `event.action` |
+| source_value | rotate |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| name | LICENSE |
+| type | general |
+| sub_type | configuration-component |
+
+**Field sources:**
+- `name` ← `ping_federate.admin.component`
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: Administrator"] --> E["rotate"]
+ E --> T["Target: LICENSE"]
+```
+
+### Example 2: Federated user session deleted (SAML federation)
+
+**Stream:** `ping_federate.audit` · **Fixture:** `packages/ping_federate/data_stream/audit/_dev/test/pipeline/test-audit.json-expected.json` (event 1)
+
+```
+joe (federated subject) → authn_session_deleted → http://www.google.ca&landingpage=pageA (SP application)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| name | joe |
+| type | user |
+| geo | London, United Kingdom |
+| ip | 81.2.69.142 |
+
+**Field sources:**
+- `name` ← `user.name` ← `ping_federate.audit.subject` ← CEF `destinationUserId` (federated subject, not a target)
+- `geo` ← `source.geo.city_name`, `source.geo.country_name`
+- `ip` ← `source.ip` ← `ping_federate.audit.ip` ← CEF `sourceAddress`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | authn_session_deleted |
+| source_field | `event.action` |
+| source_value | authn_session_deleted |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | sp:cloud:saml2 |
+| name | http://www.google.ca&landingpage=pageA |
+| type | general |
+| sub_type | application |
+
+**Field sources:**
+- `id` ← `ping_federate.audit.connection_id` (federation partner/connection)
+- `name` ← `url.full` ← `ping_federate.audit.app` (CEF cs1 *Target Application URL*)
+
+SP local account `ping_federate.audit.local_user_id` (`idlocal`) is a secondary user target in the same event but omitted here for clarity.
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: joe"] --> E["authn_session_deleted"]
+ E --> T["Target: google.ca landing page"]
+```
+
+### Example 3: Session activity without federation context
+
+**Stream:** `ping_federate.audit` · **Fixture:** `packages/ping_federate/data_stream/audit/_dev/test/pipeline/test-audit.json-expected.json` (event 2)
+
+```
+moe (federated subject) → authn_session_used → PingFederate (session platform)
+```
+
+Minimal CEF — no SP application URL or connection ID in the fixture; the session is consumed on the PingFederate IdP node.
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| name | moe |
+| type | user |
+| geo | London, United Kingdom |
+| ip | 81.2.69.142 |
+
+**Field sources:**
+- `name` ← `user.name` ← `ping_federate.audit.subject`
+- `geo` ← `source.geo.city_name`, `source.geo.country_name`
+- `ip` ← `source.ip` ← `ping_federate.audit.ip`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | authn_session_used |
+| source_field | `event.action` |
+| source_value | authn_session_used |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| name | PingFederate |
+| type | service |
+
+**Field sources:**
+- `name` ← `observer.product` — **semantic — not indexed as a target field**; the only federation target surrogate in this minimal CEF event
+- Session correlation: `ping_federate.audit.tracking_id` ← CEF `externalId` → `tid:ae14b5cea` (context only, not the primary target)
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: moe"] --> E["authn_session_used"]
+ E --> T["Target: PingFederate"]
+```
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (`policy_templates` + `data_stream/admin`, `data_stream/audit` in `manifest.yml`). Router: **`data_stream.dataset`** (`ping_federate.admin`, `ping_federate.audit`). Pass 4 v2 is **fill-gaps-only**: detection flags run first; mapped columns use **column-level** `CASE( IS NOT NULL, , boolean_condition, fallback, null)` — valid **3-arg** / **5-arg** / **7-arg** / **9-arg** forms only; never **4-arg** `CASE(actor_exists, col, bare_field, null)` (bare field parses as a **condition**, not a value). Do not use `CASE(actor_exists|target_exists, , …)` on mapped columns (Pass 4 §10). Ingest maps federated subjects to **`user.name`** and **`event.action`** on both streams — **`user.name` ingest-only — no ES|QL**; ES|QL adds **`host.ip`** from `source.ip` when `host.ip` is empty, and lifts vendor federation/admin targets into `*.target.*`.
+
+**`destination.user` de-facto target check (Pass 4 v2):** Agent CEF input sets transient **`destination.user.id`** from CEF `destinationUserId`/`duid=` (visible in `test-audit.json` input only). The audit pipeline copies that value to **`ping_federate.audit.subject`** → **`user.name`** (actor) and **removes** `destination.user.id` (`default.yml` L347–352). Tier-A fixtures and `sample_event.json` have **no** persisted `destination.user.*`. This is **not** a de-facto target — do **not** map `destination.user.id` → `user.target.id` (would duplicate actor `joe`/`moe` on session events). The real user target is **`ping_federate.audit.local_user_id`** (CEF cs5) → **`user.target.id`** fallback only.
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `ping_federate.admin` | admin audit | user, host | general | full |
+| `ping_federate.audit` | federation/security audit | user, host | user, service, general | full |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.name` | `user.name` | `user.name IS NOT NULL` | high | **ingest-only — no ES|QL** — pipeline sets on both streams; omit from actor `EVAL` |
+| `host.ip` | `host.ip` | `host.ip IS NOT NULL` | high | **column-level preserve** — not `CASE(actor_exists, host.ip, …)` (`user.name` can set `actor_exists` while `host.ip` is empty) |
+| `host.ip` | `source.ip` | `data_stream.dataset IN ("ping_federate.admin", "ping_federate.audit") AND source.ip IS NOT NULL` | high | **vendor fallback** — client IP indexed as `source.ip`, not `host.ip` |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `entity.target.name` | `entity.target.name` | `entity.target.name IS NOT NULL` | high
| **column-level preserve** |
+| `entity.target.name` | `ping_federate.admin.component` | `data_stream.dataset == "ping_federate.admin" AND ping_federate.admin.component IS NOT NULL` | high | **vendor fallback** — subsystem under change (`LICENSE`, `USER`, …) |
+| `entity.target.sub_type` | `entity.target.sub_type` | `entity.target.sub_type IS NOT NULL` | high | **column-level preserve** |
+| `entity.target.sub_type` | `"configuration-component"` | `data_stream.dataset == "ping_federate.admin"` | low | **semantic literal** — Pass 3 Example 1 |
+| `entity.target.id` | `entity.target.id` | `entity.target.id IS NOT NULL` | high | **column-level preserve** |
+| `entity.target.id` | `ping_federate.audit.connection_id` | `data_stream.dataset == "ping_federate.audit" AND ping_federate.audit.connection_id IS NOT NULL` | high | **vendor fallback** — federation partner/connection |
+| `entity.target.type` | `entity.target.type` | `entity.target.type IS NOT NULL` | high | **column-level preserve** |
+| `entity.target.type` | `"general"` | `data_stream.dataset == "ping_federate.admin"` | low | **semantic literal** |
+| `entity.target.type` | `"general"` | `data_stream.dataset == "ping_federate.audit" AND url.full IS NOT NULL` | low | **semantic literal** — SP application URL target (Pass 3 Example 2) |
+| `service.target.name` | `service.target.name` | `service.target.name IS NOT NULL` | high | **column-level preserve** |
+| `service.target.name` | `url.full` | `data_stream.dataset == "ping_federate.audit" AND url.full IS NOT NULL` | high | **vendor fallback** — CEF cs1 *Target Application URL* |
+| `service.target.name` | `"PingFederate"` | `data_stream.dataset == "ping_federate.audit" AND url.full IS NULL AND ping_federate.audit.connection_id IS NULL` | low | **semantic literal** — minimal session events (Pass 3 Example 3) |
+| `user.target.id` | `user.target.id` | `user.target.id IS NOT NULL` | high | **column-level preserve** |
+| `user.target.id` |
`ping_federate.audit.local_user_id` | `data_stream.dataset == "ping_federate.audit" AND ping_federate.audit.local_user_id IS NOT NULL` | high | **vendor fallback** — SP local account; distinct from federated subject actor |
+| `destination.user.id` | — | — | — | **excluded** — transient CEF parse of **actor** subject; stripped at ingest; **not** `user.target.id` |
+
+### Detection flags (mandatory — run first)
+
+`actor_exists` checks official actor ECS columns only — **`source.ip` is excluded** so client IPs on `source.ip` still fall through to `host.ip`. `target_exists` checks official `*.target.*` columns only (ingest does not populate them today). **Actor/target `EVAL` blocks use column-level preserve** (` IS NOT NULL`, not `CASE(actor_exists|target_exists, , …)`) so a populated `user.name` does not block `host.ip` from `source.ip`, and a future single `*.target.*` column does not block sibling target fallbacks (Pass 4 §10).
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+### Combined ES|QL — actor fields
+
+```esql
+| EVAL
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset IN ("ping_federate.admin", "ping_federate.audit") AND source.ip IS NOT NULL, source.ip,
+ null
+ )
+```
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+
data_stream.dataset == "ping_federate.admin" AND ping_federate.admin.component IS NOT NULL, ping_federate.admin.component,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "ping_federate.audit" AND ping_federate.audit.connection_id IS NOT NULL, ping_federate.audit.connection_id,
+ null
+ ),
+ entity.target.type = CASE(
+ entity.target.type IS NOT NULL, entity.target.type,
+ data_stream.dataset == "ping_federate.admin", "general",
+ data_stream.dataset == "ping_federate.audit" AND ping_federate.audit.local_user_id IS NOT NULL, "user",
+ data_stream.dataset == "ping_federate.audit" AND url.full IS NOT NULL, "general",
+ data_stream.dataset == "ping_federate.audit", "service",
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "ping_federate.admin", "configuration-component",
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "ping_federate.audit" AND url.full IS NOT NULL, url.full,
+ data_stream.dataset == "ping_federate.audit" AND url.full IS NULL AND ping_federate.audit.connection_id IS NULL, "PingFederate",
+ null
+ ),
+ user.target.id = CASE(
+ user.target.id IS NOT NULL, user.target.id,
+ data_stream.dataset == "ping_federate.audit" AND ping_federate.audit.local_user_id IS NOT NULL, ping_federate.audit.local_user_id,
+ null
+ )
+```
+
+**Event action:** both streams populate `event.action` at ingest (`ping_federate.admin.event.type`, CEF `cef.name`); no vendor fallback block — `action_exists` covers indexed documents.
+ +### Full pipeline fragment (optional) + +```esql +FROM logs-* +| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +| EVAL + host.ip = CASE(host.ip IS NOT NULL, host.ip, data_stream.dataset IN ("ping_federate.admin", "ping_federate.audit") AND source.ip IS NOT NULL, source.ip, null), + entity.target.name = CASE(entity.target.name IS NOT NULL, entity.target.name, data_stream.dataset == "ping_federate.admin" AND ping_federate.admin.component IS NOT NULL, ping_federate.admin.component, null), + entity.target.id = CASE(entity.target.id IS NOT NULL, entity.target.id, data_stream.dataset == "ping_federate.audit" AND ping_federate.audit.connection_id IS NOT NULL, ping_federate.audit.connection_id, null), + entity.target.type = CASE(entity.target.type IS NOT NULL, entity.target.type, data_stream.dataset == "ping_federate.admin", "general", data_stream.dataset == "ping_federate.audit" AND ping_federate.audit.local_user_id IS NOT NULL, "user", data_stream.dataset == "ping_federate.audit" AND url.full IS NOT NULL, "general", data_stream.dataset == "ping_federate.audit", "service", null), + entity.target.sub_type = CASE(entity.target.sub_type IS NOT NULL, entity.target.sub_type, data_stream.dataset == "ping_federate.admin", "configuration-component", null), + service.target.name = CASE(service.target.name IS NOT NULL, service.target.name, data_stream.dataset == 
"ping_federate.audit" AND url.full IS NOT NULL, url.full, data_stream.dataset == "ping_federate.audit" AND url.full IS NULL AND ping_federate.audit.connection_id IS NULL, "PingFederate", null), + user.target.id = CASE(user.target.id IS NOT NULL, user.target.id, data_stream.dataset == "ping_federate.audit" AND ping_federate.audit.local_user_id IS NOT NULL, ping_federate.audit.local_user_id, null) +| KEEP @timestamp, data_stream.dataset, event.action, user.name, host.ip, entity.target.name, entity.target.id, entity.target.type, service.target.name, user.target.id +``` + +### Streams excluded + +- None — both manifest data streams are audit logs with actor/target semantics. + +### Gaps and limitations + +- **`user.id` / `user.email` / `user.domain`** — not indexed on either stream; omit from actor normalization. +- **Pass 4 CASE syntax** — column-level `IS NOT NULL` preserve on all mapped columns; odd-arity defaults (`null`); no `CASE(actor_exists|target_exists, , …)`; full pipeline fragment aligned with combined `EVAL` blocks. +- **`user.name` ingest-only (§10)** — pipeline sets `user.name` on both streams; omitted from actor `EVAL` (no `CASE(user.name, …)` or vendor re-read of `ping_federate.audit.subject` when ingest already populated actor). +- **`destination.user.id` / `destination.user.*`** — **not** a de-facto target; CEF `destinationUserId` is the federated **actor** (`user.name`). Never map to `user.target.*` even if Agent pre-parse is visible before ingest. +- **`user.target.name`** — no indexed SP local display name; only `ping_federate.audit.local_user_id` → `user.target.id`. +- **`user.roles` on audit** — federation IdP/SP role (`IdP`/`SP`), not admin RBAC; omit from actor ES|QL. +- **`related.user` conflates actor and target** — ES|QL does not rewrite `related.user`; use `user.target.id` for SP local account. +- **Admin IAM user targets** — pipeline supports `component == USER` actions but fixtures cover `LICENSE` only. 
+- **Ingest enhancement** — mapping `local_user_id` / `connection_id` / `app` to `*.target.*` at ingest would make `target_exists` true and reduce query-time fallback need (`Enhancement candidate?` in Pass 2).
diff --git a/dev/domain/p1/ping_one.md b/dev/domain/p1/ping_one.md
new file mode 100644
index 00000000000..8b7a5ebd398
--- /dev/null
+++ b/dev/domain/p1/ping_one.md
@@ -0,0 +1,512 @@
+# ping_one
+
+## Product Domain
+
+PingOne is Ping Identity’s cloud-native identity and access management (IAM) platform. Organizations use PingOne to centralize user identity lifecycle, authentication, authorization, and access policies across applications, APIs, and workforce populations. The platform is organized around environments (tenant boundaries), user populations, applications (including worker and OIDC clients), roles, groups, and administrative configuration—supporting use cases from workforce SSO and MFA to customer identity (CIAM) and API security.
+
+At its core, PingOne provides directory services, sign-on flows, password and credential management, role-based access control, and integrations via webhooks and REST APIs. Administrative and security-relevant activity is recorded as audit events that describe who performed an action (actors), what was affected (resources such as users, environments, or organizations), the action type (authentication, access control, user or configuration changes), and the outcome (success or failure). These events are essential for compliance, identity threat detection, and investigating unauthorized access or policy changes.
+
+The Elastic PingOne integration ingests audit activity via two paths: polling the PingOne Audit REST API with OAuth worker credentials, or receiving real-time webhook payloads on an Elastic Agent HTTP endpoint (Ping Activity Format JSON). Events are normalized into ECS-aligned fields for search, dashboards, and correlation with broader SIEM data—enabling security teams to monitor sign-on behavior, access decisions, identity administration, and configuration changes across PingOne environments.
+
+## Data Collected (brief)
+
+- **Audit logs** (`ping_one.audit`): Identity and access audit events from PingOne, collected via REST API polling or HTTP endpoint webhooks.
+- **Action details**: Action type and description (e.g., `USER.ACCESS_ALLOWED`, authentication, password checks, create/update/delete operations) with ECS `event.action`, `event.category`, and `event.type` enrichment.
+- **Actors**: User and client/application context—IDs, names, environment and population references, and resource URLs for the initiating party.
+- **Resources**: Affected entities (USER, ORGANIZATION, ENVIRONMENT) with IDs, names, environment/population scope, and API href links.
+- **Outcome and timing**: Result status and description (`SUCCESS`/`FAILED`), event ID, `recorded_at`/`created_at` timestamps, and correlation/transaction identifiers.
+- **Source context**: Source IP address and user agent when present; ECS user and client fields derived from actor and resource data.
+
+## Expected Audit Log Entities
+
+The **`ping_one.audit`** stream is the only data stream and is a true IAM audit log: PingOne Activity Format JSON with dual actors (`actors.user`, `actors.client`), affected `resources[]`, action type, and outcome. There are no metrics, inventory-sync, or network-telemetry streams. No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*` fields are populated; no `destination.user.*` / `destination.host.*` in the pipeline (`destination_identity_hits.csv` has no ping_one row). The target-fields audit classifies ping_one as **`none`** with all heuristic flags false (`dev/target-fields-audit/out/target_enhancement_packages.csv`).
+
+**`event.action` is populated on every fixture and `sample_event.json`** via pipeline copy from `ping_one.audit.action.type` with lowercase normalization (`default.yml` L247–257). Vendor-native action strings use PingOne dot notation (e.g. `USER.ACCESS_ALLOWED`, `APPLICATION.CREATED`); ECS stores the lowercased form (e.g. `user.access_allowed`, `application.created`). 
The pipeline also derives `event.category`, `event.type`, and `event.outcome` from the action string and result status — these enrich the action but do not replace it. + +Evidence: `packages/ping_one/data_stream/audit/sample_event.json`, `_dev/test/pipeline/test-pipeline-audit.log-expected.json` (99 fixtures), `elasticsearch/ingest_pipeline/default.yml`, `fields/fields.yml`. + +### Event action (semantic) + +PingOne audit events record a vendor **`action.type`** string naming the IAM operation performed against one or more `resources[]`. The pipeline copies and lowercases it to ECS `event.action`. Fixture coverage spans 96 distinct actions across identity lifecycle, authentication, access control, application/OIDC configuration, PingOne Authorize objects, provisioning, risk/MFA, and environment administration. + +| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | +| `user.access_allowed` | access | high | 3 fixtures + `sample_event.json`; vendor `USER.ACCESS_ALLOWED` | Script adds `event.category: [iam, configuration]`, `event.type: [user, info, access]` | +| `password.check_succeeded` / `password.check_failed` | authentication | high | 1 fixture each; vendor `PASSWORD.CHECK_*` | `password.check_succeeded` adds `event.category: [authentication]`; actor absent in both fixtures | +| `password.set` / `password.reset` | authentication | high | 1 fixture each | Self-service password events; actor absent on `password.set` | +| `user.created` / `user.updated` / `user.deleted` | administration | high | 1 fixture each | User directory lifecycle; `USER.CREATED` separates actor admin from target user in vendor data | +| `application.created` / `.updated` / `.deleted` | configuration_change | high | 1 fixture each | OIDC/worker application lifecycle | +| `action.created` / `action.updated` | configuration_change | high | 1 fixture each | Sign-on policy action lifecycle (`SIGN_ON_POLICY` target); actor 
absent on `action.created` | +| `role_assignment.created` | administration | high | 1 fixture | RBAC assignment; actor absent | +| `secret.read` | data_access | high | 1 fixture | Credential/secret read operation | +| `environment.created` / `.updated` | configuration_change | high | 1 fixture each | Tenant/environment boundary changes | +| `authorize_*.*` / `policy.*` / `group.*` / `population.*` / … | configuration_change | high | 70+ additional unique actions in fixtures | IAM/Authorize/provisioning/risk configuration CRUD; pattern `{resource_type}.{created\|updated\|deleted}` | + +Action strings follow `{ENTITY}.{OPERATION}` vendor convention (e.g. `PROVISIONING_RULE.DELETED`, `DECISION_ENDPOINT.CREATED`). Lowercasing to ECS is consistent but loses the original casing — vendor value remains in `event.original` and, when tagged `preserve_duplicate_custom_fields`, in `ping_one.audit.action.type`. + +### Event action (ECS candidates) + +| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence | +| --- | --- | --- | --- | --- | --- | +| `ping_one.audit.action.type` → `event.action` | yes | yes | `user.access_allowed`, `application.created`, `password.check_failed`, … (96 unique lowercased values) | no | `rename` L247–250; `set` + `copy_from` L251–254; `lowercase` L255–257 | +| `json.action.type` (raw) | yes (source) | yes | `USER.ACCESS_ALLOWED`, `APPLICATION.CREATED`, … | no | Preserved in `event.original`; canonical vendor source before rename | +| `ping_one.audit.action.description` | no | n/a | Human label only (e.g. 
`Action Created`, `Passed role access control`) | no | Renamed L258–261; describes outcome/context, not a separate operation name | +| `event.type` / `event.category` / `event.outcome` | n/a (downstream) | partial | Derived from action string + result status | partial | Do not substitute for `event.action`; conditional `append`/`set` on action substrings (L27–84, L282–291) | +| `ping_one.audit.resources[].type` | no | n/a | Target entity type (USER, APPLICATION, …) | no | Qualifies *what* was acted upon, not the verb — complementary to `event.action` | + +**Step 2b — per-stream check:** + +| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `ping_one.audit` | yes (99/99) | yes | `ping_one.audit.action.type` ← `json.action.type` | high | `rename` + `set` + `lowercase` L247–257; all `test-pipeline-audit.log-expected.json` events + `sample_event.json` | + +### Actor (semantic) + +| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | +| Human actor (administrator or end user) | user | — | high | `actors.user.type: "USER"` in 92 fixtures and `sample_event.json`; pipeline copies `ping_one.audit.actors.user.id/name` → `user.id`/`user.name`; `@` in name → `user.email`/`user.domain` via rename + dissect | **`ping_one.audit`** — canonical security principal when `actors` block present | +| Initiating PingOne application (OIDC/worker app, Admin Console) | general | application | high | `actors.client.type: "CLIENT"` in same 92 events; pipeline copies `ping_one.audit.actors.client.id/name` → `client.user.id`/`client.user.name`; examples: `PingOne Admin Console`, `adminui`, `TestAdmin` | **`ping_one.audit`** — application that issued the API call; `href` points at environment application resource | +| Client source IP | host | — | medium | `ping_one.audit.source.ip_address` → 
`source.ip` + geo enrichment; 1 of 99 fixtures (`175.16.199.1`, sign-on/access event) | Network origin of the session, not a PingOne identity | +| Client user agent | host | — | low | `ping_one.audit.source.user_agent` → `user_agent.*` via `user_agent` processor; same single fixture | Browser/client software context | + +Seven fixtures omit `actors` entirely (`action.created`, `action.updated`, `application.created`, `password.check_failed`, `password.check_succeeded`, `password.set`, `role_assignment.created`). These are self-service or system-generated events with target `resources[]` only — no ECS `user.*` or `client.user.*` is populated. + +### Actor (ECS candidates) + +| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `user.id` | Human actor user ID | yes (92/99 fixtures) | yes | high | `json.actors.user.id` rename + `copy_from` in `default.yml` L186–192 | +| `user.name` / `user.email` / `user.domain` | Human actor display name or email | yes (92/99) | yes | high | `actors.user.name` → `user.name`; rename to `user.email` when `@` present; dissect local-part/domain (L194–211) | +| `client.user.id` / `client.user.name` | Initiating application identity | yes (92/99) | partial | high | `actors.client.*` → `client.user.*` (L146–160); ECS `client.user` holds an **application** actor, not a human client user — naming is ECS-conventional but semantically imprecise | +| `related.user` | Actor enrichment bag | yes | partial | high | Appends `user.id`, `user.name`, `user.email`, `client.user.id`, `client.user.name` (L173–246); does **not** include resource/target user IDs | +| `source.ip` / `source.geo` | Client network origin | partial | yes | medium | `json.source.ipAddress` → `ping_one.audit.source.ip_address` → `source.ip` + geoip (L301–320); 1 fixture | +| `user_agent.*` | Client browser/software | partial | yes | low | `json.source.userAgent` → `user_agent` processor (L327–335); 1 
fixture | +| `ping_one.audit.actors.user.environment.id` | Actor tenant scope | no (vendor-only) | n/a | high | Retained after ECS copy; environment boundary for the acting user | +| `ping_one.audit.actors.user.population.id` | Actor directory population | no (vendor-only) | n/a | high | User population within environment | +| `ping_one.audit.actors.client.environment.id` / `.href` | Client app scope and API link | no (vendor-only) | n/a | high | Application resource context | +| `ping_one.audit.actors.user.href` / `.type` | Actor API link and type discriminator | no (vendor-only) | n/a | high | `type: USER` confirms human actor | + +### Target (semantic) + +| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | --- | --- | +| 1 — Platform / cloud service | PingOne IAM SaaS platform handling the action | PingOne | service | — | medium | No `cloud.service.name` or `cloud.provider` in pipeline; platform inferred from `event.action` (e.g. 
`user.access_allowed`, `application.created`) and integration context | IAM configuration and authentication events against the PingOne tenant | +| 2 — Resource / object | PingOne configuration or identity object acted upon | User, Application, Group, Policy, … | varies | see rows below | high | `ping_one.audit.resources[]` with `type` discriminator; 30 distinct types across 99 fixtures | Canonical vendor target; not mapped to ECS `*.target.*` | +| 3 — Content / artifact | Operation outcome text and correlation handles | result description; correlation ID | general | audit_outcome, correlation_id | medium | `ping_one.audit.result.description`, `ping_one.audit.correlation.id`, `ping_one.audit.internal_correlation.transaction_id` | Describes outcome, not a durable entity | + +**Layer 2 resource types observed in fixtures** (by frequency): + +| Entity | Classification | Entity type (if general) | Count | Example actions | +| --- | --- | --- | --- | --- | +| End-user account | user | — | 11 | `USER.CREATED/UPDATED/DELETED`, `USER.ACCESS_ALLOWED`, `PASSWORD.*`, `ROLE_ASSIGNMENT.CREATED` | +| OIDC/worker application | general | application | 10 | `APPLICATION.CREATED/UPDATED/DELETED`, `FLOW.*` | +| Identity provider | general | identity-provider | 6 | IdP lifecycle events | +| Generic resource placeholder | general | resource | 5 | `RESOURCE.*` actions | +| Sign-on policy | general | sign-on-policy | 4 | `ACTION.CREATED/UPDATED`, policy lifecycle | +| Provisioning rule | general | provisioning | 4 | `PROVISIONING_IDENTITY_RULE.*` | +| PingOne Authorize objects | general | authorization-policy | 3+ each | `POLICYSET`, `CONDITION`, `ATTRIBUTE`, `AUTHORIZE_*`, `DECISION_ENDPOINT`, `SERVICE` | +| Group / membership | general | group | 3 + 2 | `GROUP.*`, `MEMBER_OF_GROUP.*` | +| Population (directory) | general | population | 3 | Directory boundary within environment | +| Environment (tenant) | general | environment | 2 | `ENVIRONMENT.CREATED/UPDATED` | +| Risk / MFA / other 
| general | risk-policy, mfa-settings, gateway, … | 1–3 each | `RISK_POLICY`, `FIDO Policy`, `GATEWAY`, `IMAGE`, `KEY`, etc. | + +`ORGANIZATION` is documented in `fields.yml` as a resource type option but not observed as `resources[].type` in fixtures. + +### Target (ECS candidates) + +| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `ping_one.audit.resources[].type` | 2 | varies | no | n/a | `entity.target.*` (type discriminator) | yes | 30 types in fixtures; canonical target classifier | +| `ping_one.audit.resources[].id` | 2 | varies | no | n/a | `entity.target.id` / `user.target.id` / `service.target.entity.id` | yes | Resource UUID; e.g. user `123abc…` on `USER.CREATED` | +| `ping_one.audit.resources[].name` | 2 | varies | no | n/a | `entity.target.name` / `user.target.name` | yes | Display name or email; created user `djcdjh` vs actor admin `example@gmail.com` on `USER.CREATED` | +| `ping_one.audit.resources[].environment.id` | 2 | general | no | n/a | context-only (tenant scope) | no | Environment/tenant boundary for the affected object | +| `ping_one.audit.resources[].population.id` | 2 | general | no | n/a | context-only | no | Directory population scope on user resources | +| `url.*` (from resource `href`) | 2 | general | yes | partial | context-only | no | `uri_parts` on `resources[].href` during foreach (L262–269); root-level `url.domain`/`url.path` reflect **last** parsed resource href; `href` stripped from stored resources unless `preserve_duplicate_custom_fields` | +| `event.action` | 1 | general (iam_operation) | yes | yes | context-only | no | Lowercased `action.type` (e.g. 
`user.created`, `sign_on_policy.updated` via `action.updated`); names the IAM verb performed | +| `ping_one.audit.action.description` | 3 | general | no | n/a | context-only | no | Human-readable action label | +| `ping_one.audit.result.status` / `.description` | 3 | general | partial | yes | context-only | no | `result.status` → `event.outcome`; description vendor-only after duplicate removal | +| `ping_one.audit.correlation.id` | 3 | general | no | n/a | context-only | no | Transaction correlation across related audit messages | + +When `resources[].type` is `USER`, the affected user is the audit target but remains vendor-only — e.g. on `USER.ACCESS_ALLOWED` the actor `user.id` and target `resources[].id` are the **same** identity in 7 fixtures (`sample_event.json`), while on `USER.CREATED` the actor admin (`example@gmail.com`) differs from the created user target (`djcdjh`). Neither case populates `user.target.*` or `destination.user.*`. + +### Gaps and mapping notes + +- **`event.action` well mapped** — all 99 fixtures populate ECS `event.action` from vendor `action.type` with lowercase normalization; no enhancement needed. Human-readable `ping_one.audit.action.description` is retained vendor-side but not copied to ECS. +- **No ECS `*.target.*` today** — all affected entities stay in `ping_one.audit.resources[]`. Enhancement: map by `resources[].type` to `user.target.*` (USER), `service.target.*` (APPLICATION, SERVICE), or `entity.target.*` (GROUP, SIGN_ON_POLICY, ENVIRONMENT, etc.). +- **No `destination.user.*` / `destination.host.*`** — unlike email/auth integrations, PingOne does not use destination fields as de-facto targets; target identity is vendor-only. +- **`client.user.*` holds application actors** — `actors.client` (OIDC app, Admin Console) maps to ECS `client.user.id/name`, which reads as a human client user in ECS semantics but represents an **application** principal (`Mapping correct?`: partial). 
+- **Actor/target conflation risk on self-access events** — `USER.ACCESS_ALLOWED` and some password events have the same user as actor (`user.*`) and target (`resources[]` type USER) with identical IDs; only the actor is promoted to ECS `user.*`. +- **Admin-create separation works in vendor data** — `USER.CREATED` fixture: actor `user.name=example@gmail.com`, target `resources[].name=djcdjh`; ECS captures actor only. +- **`related.user` is actor-only** — resource user IDs/names are not appended; unlike GitLab audit, no de-facto target bag in `related.user`. +- **Actor-absent events (7 fixtures)** — password checks, role assignment, and some config creates omit `actors`; only the affected resource is known — actor identity is genuinely missing from the vendor payload. +- **Target-fields audit alignment** — classified `none` with no tier-A ECS targets, no destination-identity pipeline, and `pipeline_actor=false` in CSV despite clear `user.*`/`client.user.*` actor mappings in `default.yml`. + +### Per-stream notes + +#### `ping_one.audit` + +Single audit stream collected via REST API polling (`httpjson`) or real-time webhooks (`http_endpoint`). Dual actor model: human `actors.user` → ECS `user.*`; initiating application `actors.client` → ECS `client.user.*`. Targets are always `ping_one.audit.resources[]` (array; one entry in most fixtures). **`event.action`** carries the lowercased PingOne operation (e.g. `user.access_allowed`, `application.created`) from vendor `action.type`; dashboard panels filter on `event.action` for password and access events. IAM configuration changes dominate the fixture set (policies, Authorize objects, applications, populations). Authentication-oriented events (`PASSWORD.*`, `USER.ACCESS_ALLOWED`) use `USER` as target type; source IP/user agent appear on sign-on events only. Resource `href` URLs are parsed to root-level `url.*` then removed from stored vendor fields unless `preserve_duplicate_custom_fields` tag is set. 
+ +## Example Event Graph + +All examples come from the single **`ping_one.audit`** stream — true PingOne IAM audit logs (Activity Format JSON) collected via REST API polling or HTTP webhook. + +### Example 1: Sign-on access allowed + +**Stream:** `ping_one.audit` · **Fixture:** `packages/ping_one/data_stream/audit/_dev/test/pipeline/test-pipeline-audit.log-expected.json` (event `@timestamp` `2025-09-19T15:00:04.408Z`) + +``` +User (test@example.com) → user.access_allowed → Application TestAdmin +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | `123abcdef-abcd-1234-5678-01234567890` | +| name | `test@example.com` | +| type | user | +| ip | `175.16.199.1` | +| geo | Changchun, China | + +**Field sources:** + +- `id ← user.id` ← `ping_one.audit.actors.user.id` +- `name ← user.email` ← `ping_one.audit.actors.user.name` (dissected to `user.name`/`user.email`) +- `ip ← source.ip` ← `ping_one.audit.source.ip_address` +- `geo ← source.geo.city_name, source.geo.country_name` + +#### Event action + +| Field | Value | +| --- | --- | +| action | `user.access_allowed` | +| source_field | `event.action` | +| source_value | `user.access_allowed` | + +#### Target + +| Field | Value | +| --- | --- | +| id | `123abc123-abcd-1234-5678-efg123abc12` | +| name | `TestAdmin` | +| type | service | +| sub_type | pingone_application | + +**Field sources:** + +- `id ← client.user.id` ← `ping_one.audit.actors.client.id` +- `name ← client.user.name` ← `ping_one.audit.actors.client.name` +- `ping_one.audit.resources[]` echoes the subject user (same ID as actor) — vendor resource typing, not the sign-on service target; only the human actor is promoted to ECS `user.*`. 
+ +#### Mermaid + +```mermaid +flowchart LR + A["Actor: test@example.com"] --> E["user.access_allowed"] + E --> T["Target: TestAdmin"] +``` + +### Example 2: Administrator creates user + +**Stream:** `ping_one.audit` · **Fixture:** `packages/ping_one/data_stream/audit/_dev/test/pipeline/test-pipeline-audit.log-expected.json` (event `@timestamp` `2022-07-13T21:03:54.524Z`) + +``` +User (example@gmail.com) → user.created → User (djcdjh) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | `123abc123-12ab-1234-1abc-abc123abc12` | +| name | `example@gmail.com` | +| type | user | + +**Field sources:** + +- `id ← user.id` ← `ping_one.audit.actors.user.id` +- `name ← user.email` ← `ping_one.audit.actors.user.name` + +#### Event action + +| Field | Value | +| --- | --- | +| action | `user.created` | +| source_field | `event.action` | +| source_value | `user.created` | + +#### Target + +| Field | Value | +| --- | --- | +| id | `123abc123-12ab-1234-1abc-abc123abc12` | +| name | `djcdjh` | +| type | user | + +**Field sources:** + +- `id ← ping_one.audit.resources[].id` (type `USER`) +- `name ← ping_one.audit.resources[].name` + +Admin actor (`example@gmail.com`) differs from the created user target (`djcdjh`); ECS captures the actor only — target remains vendor-only in `ping_one.audit.resources[]`. + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: example@gmail.com"] --> E["user.created"] + E --> T["Target: djcdjh"] +``` + +### Example 3: Failed password check (no actor) + +**Stream:** `ping_one.audit` · **Fixture:** `packages/ping_one/data_stream/audit/_dev/test/pipeline/test-pipeline-audit.log-expected.json` (event `@timestamp` `2022-07-07T13:12:36.168Z`) + +``` +(unknown) → password.check_failed → User (example@gmail.com) +``` + +#### Actor + +No actor fields are populated — the vendor payload omits the `actors` block, so ECS `user.*` and `client.user.*` are absent. 
+ +#### Event action + +| Field | Value | +| --- | --- | +| action | `password.check_failed` | +| source_field | `event.action` | +| source_value | `password.check_failed` | + +#### Target + +| Field | Value | +| --- | --- | +| id | `123abc123-12ab-1234-1abc-abc123abc12` | +| name | `example@gmail.com` | +| type | user | + +**Field sources:** + +- `id ← ping_one.audit.resources[].id` (type `USER`) +- `name ← ping_one.audit.resources[].name` + +Self-service authentication event — the affected user account is known, but the initiating party is not recorded in the vendor audit payload. + +## ES|QL Entity Extraction + +**Package type: agent-backed** (policy template `ping_one`, single `audit` data stream; Tier A fixtures in `sample_event.json` and `test-pipeline-audit.log-expected.json`). Router: **`data_stream.dataset == "ping_one.audit"`** with secondary **`event.action`** discriminators. Pass 4 v2 is **fill-gaps-only**: detection flags preserve existing `user.*`, `host.*`, `*.target.*`, and `event.action` before fallbacks. Human `actors.user` → ECS `user.*` at ingest; initiating application `actors.client` → ECS `client.user.*` (semantically **general/application**). Targets remain vendor-only in `ping_one.audit.resources[]` until promoted. On **`user.access_allowed`**, Pass 3 target is the initiating **application** (`client.user.*` → `service.target.*`), **not** the self-referential `resources[]` USER row (same ID as actor — tautology guard). **Pass 4 (tautology cleanup):** no `CASE(col, col, …)` identity fallbacks; human **`user.id`**, **`user.name`**, **`user.email`**, and **`user.domain`** are **ingest-only — no ES|QL** (`default.yml` L186–246; no alternate query-time source). 
**Pass 4 (CASE syntax):** mapped columns use column-level `CASE( IS NOT NULL, , …)` — not `CASE(actor_exists|target_exists|action_exists, , …)`; valid **3-arg** / **5-arg** / **7-arg** forms only — never **4-arg** `CASE( IS NOT NULL, , bare_field, null)` (bare field parses as a **condition**). + +### Dataset inventory + +| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction | +| --- | --- | --- | --- | --- | +| `ping_one.audit` | IAM audit (all action types) | user, general (application), host | user, service, general | partial | + +### Field mapping plan + +#### Actor mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `user.id` | `user.id` (ingest) | `data_stream.dataset == "ping_one.audit"` | high | **ingest-only — no ES\|QL** — `actors.user.id` → `user.id` at ingest; no query-time vendor path | +| `user.name` | `user.name` (ingest) | `data_stream.dataset == "ping_one.audit"` | high | **ingest-only — no ES\|QL** — pipeline rename/copy; no alternate source | +| `user.email` | `user.email` (ingest) | `data_stream.dataset == "ping_one.audit"` | high | **ingest-only — no ES\|QL** — dissect when `@` in vendor name at ingest | +| `user.domain` | `user.domain` (ingest) | `data_stream.dataset == "ping_one.audit"` | high | **ingest-only — no ES\|QL** — dissect from `user.name` at ingest | +| `entity.id` | `client.user.id` | `data_stream.dataset == "ping_one.audit" AND client.user.id IS NOT NULL` | high | **vendor fallback** — OIDC/worker application principal | +| `entity.name` | `client.user.name` | `data_stream.dataset == "ping_one.audit" AND client.user.name IS NOT NULL` | high | **vendor fallback**; ingest uses `client.user` namespace | +| `entity.type` | literal `"application"` | `data_stream.dataset == "ping_one.audit" AND client.user.id IS NOT NULL` | high | **semantic literal** | +| `entity.sub_type` | literal 
`"pingone_application"` | `data_stream.dataset == "ping_one.audit" AND client.user.id IS NOT NULL` | high | **semantic literal** | +| `host.ip` | `source.ip` | `data_stream.dataset == "ping_one.audit" AND source.ip IS NOT NULL` | medium | **vendor fallback** — sign-on client IP (1 fixture) | + +**`actor_exists` predicate (tuned):** `user.id`, `user.name`, `user.email`, `host.ip` only — excludes `entity.*` and `client.user.*` so application `entity.id` / `entity.name` can populate alongside human `user.*` when both are present (Pass 3 Example 1). + +#### Target mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `service.target.id` | `service.target.id` | `data_stream.dataset == "ping_one.audit"` | high | **preserve existing** | +| `service.target.id` | `client.user.id` | `data_stream.dataset == "ping_one.audit" AND event.action == "user.access_allowed" AND client.user.id IS NOT NULL` | high | **vendor fallback** — sign-on application target (Pass 3); **not** `user.target.*` | +| `service.target.name` | `service.target.name` | `data_stream.dataset == "ping_one.audit"` | high | **preserve existing** | +| `service.target.name` | `client.user.name` | `data_stream.dataset == "ping_one.audit" AND event.action == "user.access_allowed" AND client.user.name IS NOT NULL` | high | **vendor fallback** — e.g. 
`TestAdmin` |
+| `service.target.type` | `service.target.type` | `data_stream.dataset == "ping_one.audit"` | high | **preserve existing** |
+| `service.target.type` | literal `"pingone_application"` | `data_stream.dataset == "ping_one.audit" AND event.action == "user.access_allowed"` | high | **semantic literal** |
+| `user.target.id` | `user.target.id` | `data_stream.dataset == "ping_one.audit"` | high | **preserve existing** |
+| `user.target.id` | `ping_one.audit.resources.id` | `data_stream.dataset == "ping_one.audit" AND event.action IN ("user.created", "user.updated", "user.deleted", "password.check_failed", "password.check_succeeded", "password.set", "password.reset", "role_assignment.created") AND event.action != "user.access_allowed"` | high | **vendor fallback** — USER resource; excludes sign-on tautology |
+| `user.target.name` | `user.target.name` | `data_stream.dataset == "ping_one.audit"` | high | **preserve existing** |
+| `user.target.name` | `ping_one.audit.resources.name` | same as `user.target.id` row | high | **vendor fallback** |
+| `entity.target.id` | `entity.target.id` | `data_stream.dataset == "ping_one.audit"` | high | **preserve existing** |
+| `entity.target.id` | `ping_one.audit.resources.id` | `data_stream.dataset == "ping_one.audit" AND STARTS_WITH(event.action, "application.") AND event.action != "user.access_allowed"` | high | **vendor fallback** — APPLICATION config resources |
+| `entity.target.name` | `entity.target.name` | `data_stream.dataset == "ping_one.audit"` | high | **preserve existing** |
+| `entity.target.name` | `ping_one.audit.resources.name` | same as `entity.target.id` (application prefix) | high | **vendor fallback** |
+
+#### Event action mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `event.action` | `event.action` | `data_stream.dataset == "ping_one.audit"` | high | **preserve existing** — populated on all 99 fixtures at 
ingest |
+
+### Detection flags (mandatory — run first)
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.ip IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+**Semantics:** `actor_exists` omits `entity.*` / `client.user.*` so application identity can be promoted to `entity.id` / `entity.name` without blocking on human `user.id`. `target_exists` checks official `*.target.*` only (none at ingest today). **Actor/target/action `EVAL` blocks use column-level preserve** (` IS NOT NULL`) — not `CASE(actor_exists|target_exists|action_exists, , …)` — so one populated sibling column does not block fallbacks on empty columns (Pass 4 §10). Ingest-only human `user.*` columns are omitted from actor `EVAL`.
+
+**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. Wrong: `CASE(host.ip IS NOT NULL, host.ip, source.ip, null)` (4 args — `source.ip` is a **condition**, not a value). Wrong: `CASE(actor_exists, host.ip, source.ip, null)` (4 args — `source.ip` parses as condition). Right: **5-arg** `CASE(host.ip IS NOT NULL, host.ip, data_stream.dataset == "ping_one.audit" AND source.ip IS NOT NULL, source.ip, null)` or **3-arg** `CASE(event.action IS NOT NULL, event.action, null)`.
+
+### Optional classification helpers (when needed)
+
+`entity.target.type` is set in the **target** fallback branch only (never `target.entity.type`):
+
+```esql
+| EVAL
+ entity.target.type = CASE(
+ entity.target.type IS NOT NULL, entity.target.type,
+ data_stream.dataset == "ping_one.audit" AND event.action == "user.access_allowed", "service",
+ data_stream.dataset == "ping_one.audit" AND event.action IN ("user.created", "user.updated", "user.deleted", "password.check_failed", "password.check_succeeded", "password.set", "password.reset", "role_assignment.created"), "user",
+ data_stream.dataset == "ping_one.audit" AND STARTS_WITH(event.action, "application."), "general",
+ null
+ )
+```
+
+### Combined ES|QL — actor fields
+
+```esql
+| EVAL
+ entity.id = CASE(
+ entity.id IS NOT NULL, entity.id,
+ data_stream.dataset == "ping_one.audit" AND client.user.id IS NOT NULL, client.user.id,
+ null
+ ),
+ entity.name = CASE(
+ entity.name IS NOT NULL, entity.name,
+ data_stream.dataset == "ping_one.audit" AND client.user.name IS NOT NULL, client.user.name,
+ null
+ ),
+ entity.type = CASE(
+ entity.type IS NOT NULL, entity.type,
+ data_stream.dataset == "ping_one.audit" AND client.user.id IS NOT NULL, "application",
+ null
+ ),
+ entity.sub_type = CASE(
+ entity.sub_type IS NOT NULL, entity.sub_type,
+ data_stream.dataset == "ping_one.audit" AND client.user.id IS NOT NULL, "pingone_application",
+ null
+ ),
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "ping_one.audit" AND source.ip IS NOT NULL, source.ip,
+ null
+ )
+```
+
+### Combined ES|QL — event action
+
+`event.action` is populated at ingest on all fixtures; block documents preserve-only behavior.
+
+```esql
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ null
+ )
+```
+
+No vendor fallback: `ping_one.audit.action.type` is removed at ingest unless `preserve_duplicate_custom_fields` tag is set (`default.yml` L350–358).
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ service.target.id = CASE(
+ service.target.id IS NOT NULL, service.target.id,
+ data_stream.dataset == "ping_one.audit" AND event.action == "user.access_allowed" AND client.user.id IS NOT NULL, client.user.id,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "ping_one.audit" AND event.action == "user.access_allowed" AND client.user.name IS NOT NULL, client.user.name,
+ null
+ ),
+ service.target.type = CASE(
+ service.target.type IS NOT NULL, service.target.type,
+ data_stream.dataset == "ping_one.audit" AND event.action == "user.access_allowed", "pingone_application",
+ null
+ ),
+ user.target.id = CASE(
+ user.target.id IS NOT NULL, user.target.id,
+ data_stream.dataset == "ping_one.audit" AND event.action IN ("user.created", "user.updated", "user.deleted", "password.check_failed", "password.check_succeeded", "password.set", "password.reset", "role_assignment.created") AND event.action != "user.access_allowed" AND ping_one.audit.resources.id IS NOT NULL, ping_one.audit.resources.id,
+ null
+ ),
+ user.target.name = CASE(
+ user.target.name IS NOT NULL, user.target.name,
+ data_stream.dataset == "ping_one.audit" AND event.action IN ("user.created", "user.updated", "user.deleted", "password.check_failed", "password.check_succeeded", "password.set", "password.reset", "role_assignment.created") AND event.action != "user.access_allowed" AND ping_one.audit.resources.name IS NOT NULL, ping_one.audit.resources.name,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "ping_one.audit" AND STARTS_WITH(event.action, "application.") AND event.action != "user.access_allowed" AND ping_one.audit.resources.id IS NOT NULL, ping_one.audit.resources.id,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "ping_one.audit" 
AND STARTS_WITH(event.action, "application.") AND event.action != "user.access_allowed" AND ping_one.audit.resources.name IS NOT NULL, ping_one.audit.resources.name,
+ null
+ )
+```
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL OR host.ip IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ entity.id = CASE(entity.id IS NOT NULL, entity.id, data_stream.dataset == "ping_one.audit" AND client.user.id IS NOT NULL, client.user.id, null),
+ entity.name = CASE(entity.name IS NOT NULL, entity.name, data_stream.dataset == "ping_one.audit" AND client.user.name IS NOT NULL, client.user.name, null),
+ entity.type = CASE(entity.type IS NOT NULL, entity.type, data_stream.dataset == "ping_one.audit" AND client.user.id IS NOT NULL, "application", null),
+ entity.sub_type = CASE(entity.sub_type IS NOT NULL, entity.sub_type, data_stream.dataset == "ping_one.audit" AND client.user.id IS NOT NULL, "pingone_application", null),
+ host.ip = CASE(host.ip IS NOT NULL, host.ip, data_stream.dataset == "ping_one.audit" AND source.ip IS NOT NULL, source.ip, null)
+| EVAL
+ event.action = CASE(event.action IS NOT NULL, event.action, null)
+| EVAL
+ service.target.id = CASE(service.target.id IS NOT NULL, service.target.id, data_stream.dataset == "ping_one.audit" AND event.action == "user.access_allowed" AND client.user.id IS NOT NULL, client.user.id, null),
+ service.target.name = CASE(service.target.name IS NOT NULL, service.target.name, data_stream.dataset == "ping_one.audit" AND event.action == "user.access_allowed" AND 
client.user.name IS NOT NULL, client.user.name, null),
+ service.target.type = CASE(service.target.type IS NOT NULL, service.target.type, data_stream.dataset == "ping_one.audit" AND event.action == "user.access_allowed", "pingone_application", null),
+ user.target.id = CASE(user.target.id IS NOT NULL, user.target.id, data_stream.dataset == "ping_one.audit" AND event.action IN ("user.created", "user.updated", "user.deleted", "password.check_failed", "password.check_succeeded", "password.set", "password.reset", "role_assignment.created") AND event.action != "user.access_allowed" AND ping_one.audit.resources.id IS NOT NULL, ping_one.audit.resources.id, null),
+ user.target.name = CASE(user.target.name IS NOT NULL, user.target.name, data_stream.dataset == "ping_one.audit" AND event.action IN ("user.created", "user.updated", "user.deleted", "password.check_failed", "password.check_succeeded", "password.set", "password.reset", "role_assignment.created") AND event.action != "user.access_allowed" AND ping_one.audit.resources.name IS NOT NULL, ping_one.audit.resources.name, null),
+ entity.target.id = CASE(entity.target.id IS NOT NULL, entity.target.id, data_stream.dataset == "ping_one.audit" AND STARTS_WITH(event.action, "application.") AND event.action != "user.access_allowed" AND ping_one.audit.resources.id IS NOT NULL, ping_one.audit.resources.id, null),
+ entity.target.name = CASE(entity.target.name IS NOT NULL, entity.target.name, data_stream.dataset == "ping_one.audit" AND STARTS_WITH(event.action, "application.") AND event.action != "user.access_allowed" AND ping_one.audit.resources.name IS NOT NULL, ping_one.audit.resources.name, null)
+| KEEP @timestamp, data_stream.dataset, event.action, user.id, user.email, entity.id, entity.name, entity.type, entity.sub_type, host.ip, service.target.id, service.target.name, service.target.type, user.target.id, user.target.name, entity.target.id, entity.target.name
+```
+
+### Streams excluded
+
+None — single audit stream 
(`ping_one.audit` per `packages/ping_one/data_stream/audit/manifest.yml`).
+
+### Gaps and limitations
+
+- **`ping_one.audit.resources[]` is multivalued** — ES|QL uses flattened paths (`ping_one.audit.resources.id`); multi-resource events may need `MV_FIRST()` or ingest-time promotion.
+- **30 resource types** — only USER lifecycle/password/role-assignment, sign-on `service.target.*`, and `application.*` prefix routing covered; GROUP, SIGN_ON_POLICY, ENVIRONMENT, Authorize objects, etc. omitted to avoid false positives.
+- **Actor-absent events (7 fixtures)** — password checks, role assignment, some config creates; `user.*` intentionally empty; `user.target.*` still promoted from `resources[]` where action matches.
+- **`client.user.*` naming** — ECS field set reads as human client but holds application principals; mapped to `entity.*` (actor) and `service.target.*` (sign-on target).
+- **`user.access_allowed` tautology** — vendor `resources[]` echoes subject user (same ID as `user.id`); `event.action != "user.access_allowed"` on `user.target.*` plus service target from `client.user.*` per Pass 3.
+- **`event.action` ingest-only** — no ES|QL fallback when `action_exists` is false; vendor `ping_one.audit.action.type` stripped post-pipeline.
+- **Pass 2 enhancement alignment** — ingest-time `user.target.*` / `entity.target.*` from `resources[].type` remain preferred; Pass 4 fills gaps without overwriting populated values.
+- **Pass 4 tautology cleanup (§10)** — human `user.id` / `user.name` / `user.email` / `user.domain` omitted from actor `EVAL` (ingest-only; no `CASE(col, col, …)`); `entity.*` and `host.ip` use column-level or vendor fallbacks only.
+- **Pass 4 CASE syntax** — all `CASE` use odd-arity defaults (`null`) or paired `(boolean, value)` branches only; column-level **3-arg** / **5-arg** / **7-arg** preserve (` IS NOT NULL`, not `CASE(actor_exists|target_exists|action_exists, , …)`); never **4-arg** `CASE( IS NOT NULL, , bare_field, null)` (bare field parses as a condition). Full pipeline fragment aligned with combined `EVAL` blocks. Detection flags are query-time helpers only — not used as the first `CASE` branch on mapped columns.
diff --git a/dev/domain/p1/prisma_cloud.md b/dev/domain/p1/prisma_cloud.md
new file mode 100644
index 00000000000..39ce6bf2276
--- /dev/null
+++ b/dev/domain/p1/prisma_cloud.md
@@ -0,0 +1,494 @@
+# prisma_cloud
+
+## Product Domain (Prisma Cloud CSPM/CWPP)
+
+Palo Alto Prisma Cloud is a cloud-native security platform that unifies Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) in a single console. CSPM provides continuous visibility and governance over public cloud infrastructure across AWS, Azure, GCP, Oracle Cloud Infrastructure, and Alibaba Cloud—detecting misconfigurations, policy violations, compliance gaps, and cloud-native risks. CWPP (delivered via Prisma Cloud Compute, formerly Twistlock) extends protection to runtime workloads including Linux, Windows, Kubernetes, Red Hat OpenShift, and serverless functions (AWS Lambda, Azure Functions, GCP Cloud Functions), covering vulnerability management, compliance scanning, anomaly detection, and runtime defense.
+
+Prisma Cloud operates as a SOC enablement platform for hybrid and multi-cloud estates. CSPM evaluates cloud resources against built-in and custom policies, maps findings to compliance frameworks, and surfaces attack-path and network-exposure risks. CWPP deploys Defenders on hosts and containers to scan images, inventory packages and binaries, enforce runtime policies, and detect incidents such as malware, unauthorized processes, and suspicious network activity. Compute can be consumed as a managed tab within Prisma Cloud (CSPM-integrated) or as a self-hosted Prisma Cloud Compute (CWP) deployment.
+
+From a security operations perspective, Prisma Cloud telemetry supports cloud posture management, vulnerability prioritization, compliance reporting, runtime threat detection, and audit of both platform administration and workload incidents. Security teams correlate CSPM alerts and misconfiguration findings with CWPP host scans and incident audits to trace risk from cloud misconfiguration through to active workload compromise.
+
+## Data Collected (brief)
+
+The integration collects Prisma Cloud data via Elastic Agent **CEL/API** (REST) for CSPM and CWPP streams, with optional **TCP/UDP** syslog ingestion for CWPP host-related events. Seven data streams cover the platform:
+
+| Data stream | Module | Description |
+|---|---|---|
+| **alert** | CSPM | Policy violation alerts—cloud resource context, policy metadata, severity, compliance mappings, status, and remediation guidance |
+| **audit** | CSPM | Prisma Cloud console audit logs—administrator login and actions, resource, result, and client IP |
+| **misconfiguration** | CSPM | Per-resource policy scan results—pass/fail status, scanned policies, cloud account/region, and alert severity counts |
+| **vulnerability** | CSPM | CVE findings on cloud and host assets—CVSS, EPSS, CISA KEV, package/version, exploitability, and internet exposure |
+| **host** | CWPP | Host and container scan inventory—OS, packages, binaries, image metadata, vulnerability/compliance distributions, and cloud metadata |
+| **host_profile** | CWPP | Runtime behavioral profiles—observed processes, ports, network connections, and application activity per host |
+| **incident_audit** | CWPP | Runtime security incidents—custom rule triggers, attack types, container/host context, MITRE techniques, and acknowledgment status |
+
+CSPM streams (alert, audit, misconfiguration, vulnerability) poll regional Prisma Cloud API endpoints. CWPP streams (host, host_profile, incident_audit) use the Compute API or syslog forwarding. Events are mapped to ECS fields (`cloud`, `host`, `vulnerability`, `rule`, `event`, etc.) with vendor details under `prisma_cloud..*`. Elasticsearch transforms enrich misconfiguration and vulnerability data for downstream workflows. Bundled Kibana dashboards visualize alerts, audit activity, host posture, host profiles, incidents, misconfigurations, and vulnerabilities.
+
+## Expected Audit Log Entities
+
+Prisma Cloud exposes two audit-oriented data streams: **`audit`** (CSPM console audit — administrator login and platform actions) and **`incident_audit`** (CWPP runtime incident audit — Defender-detected workload violations, not human admin activity). The remaining five streams (`alert`, `misconfiguration`, `vulnerability`, `host`, `host_profile`) are findings or inventory, not audit logs; actor/target/action semantics below focus on the two audit streams. **`alert`** is audit-adjacent only — it references `modifiedBy` / attribution usernames in `related.user` on cloud-resource findings, but those events are posture alerts, not platform audit records.
+
+Neither audit stream populates ECS `*.target.*` fields or `destination.user.*` / `destination.host.*` (confirmed in `dev/target-fields-audit/out/target_fields_audit.csv`; package absent from `destination_identity_hits.csv`). **`event.action`** is populated on **`audit`** only (`login` from `actionType`); **`incident_audit`** has no `event.action` in fixtures or pipeline — vendor attack/rule fields are action candidates. Analysis grounded in `packages/prisma_cloud/data_stream/*/sample_event.json`, `*-expected.json`, `fields/fields.yml`, and ingest pipelines.
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| **audit** | yes (`login`) | yes | `prisma_cloud.audit.action.type` ← `json.actionType` | high | All 5 fixtures + `sample_event.json`; `audit/default.yml` L116–147 |
+| **incident_audit** | no | no | `prisma_cloud.incident_audit.data[].attack.type` (e.g. 
`cloudMetadataProbing`) | high | `sample_event.json`, `test-incident-audit.log-expected.json`; mapped to `threat.technique.subtechnique.name` only (L158–171) |
+| **alert** | no | no | n/a — posture finding, not audit verb | — | `event.category`/`event.type` only; no operation field |
+| **misconfiguration** | no | no | n/a — scan result sync | — | Policy pass/fail inventory |
+| **vulnerability** | no | no | n/a — CVE finding sync | — | Vulnerability inventory |
+| **host** | no | no | n/a — host inventory sync | — | CWPP asset state |
+| **host_profile** | no | no | n/a — behavioral profile sync | — | Runtime profile inventory |
+
+### Event action (semantic)
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `login` | authentication | high | `event.action: login` in all **`audit`** fixtures; vendor `actionType: LOGIN` | Only action type in package tests; pipeline lowercases and hyphen-joins multi-word types (e.g. `USER CREATE` → `user-create`) |
+| `cloudMetadataProbing` | detection | high | `prisma_cloud.incident_audit.data[].attack.type` in **`incident_audit`** fixture | Runtime attack sub-type; describes violation class, not enforcement effect |
+| `exploitationForPrivilegeEscalation` | detection | high | `data[].attack.techniques[]` → `threat.technique.name` | MITRE-style technique label; alternate action candidate |
+| Rule trigger (e.g. `Rule xyz`) | detection | medium | `prisma_cloud.incident_audit.custom_rule_name`, `data[].rule_name` → `rule.name` | Custom runtime rule that fired; policy name rather than attack taxonomy |
+| `block` / `prevent` | configuration_change | low | `data[].effect[]` in fixture | Enforcement outcome on the rule, not the detected activity — context only |
+
+**`audit`** fixtures cover LOGIN only; production CSPM audit API supports additional `actionType` values (policy edits, user management, etc.) not represented in tests. 
**`incident_audit`** records runtime detections — the verb is the attack/violation type, not a human admin operation. Inventory streams (`host`, `host_profile`, `misconfiguration`, `vulnerability`) have no per-event action.
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `prisma_cloud.audit.action.type` | yes (via pipeline) | yes | `login` (from `LOGIN`) | no | `json.actionType` rename (L116–119) → lowercase to `event.action` (L120–147); retained only with `preserve_duplicate_custom_fields` tag |
+| `prisma_cloud.audit.action.value` | no | n/a | — (free-text narrative) | no | Human-readable description (*"logged in via access key"*); not suitable as normalized action |
+| `event.category` (`authentication`) | no | n/a | — | no | Derived from action type containing login/logout (L148–153); category, not action |
+| `prisma_cloud.incident_audit.data[].attack.type` | no | n/a | `cloudMetadataProbing` | yes | Vendor attack sub-type; today → `threat.technique.subtechnique.name` (L158–171) |
+| `prisma_cloud.incident_audit.data[].attack.techniques[]` | no | n/a | `exploitationForPrivilegeEscalation` | yes (alternate) | → `threat.technique.name` (L134–151); broader technique label |
+| `prisma_cloud.incident_audit.custom_rule_name` | no | n/a | `Rule xyz` (placeholder) | yes (alternate) | → `rule.name` (L603–612); rule/policy name, not attack taxonomy |
+| `prisma_cloud.incident_audit.data[].rule_name` | no | n/a | `string` (placeholder) | yes (alternate) | Nested audit row rule name → `rule.name` (L482–492) |
+| `prisma_cloud.incident_audit.data[].type[]` | no | n/a | `processes` | no | Audit artifact discriminator (process/network/filesystem/kubernetes), not the security action |
+| `prisma_cloud.incident_audit.type` | no | n/a | `host` | no | Envelope workload scope 
(host/container/function), not an operation verb |
+| `prisma_cloud.incident_audit.category` | no | n/a | `malware` | no | → `event.category` when contains malware (L556–560); category, not action |
+| `prisma_cloud.incident_audit.data[].effect[]` | no | n/a | `block`, `prevent` | no | Rule enforcement effect; outcome context, not detected activity |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Prisma Cloud administrator or API access-key principal | user | — | high | `json.user` → `prisma_cloud.audit.user`; email-shaped values → `user.email`/`user.name`/`user.domain` via dissect; role context in `prisma_cloud.audit.action.value` (*"with role 'System Admin':'System Admin'"*); `related.user` holds local-part and full identifier | **`audit`** — all five pipeline fixtures and `sample_event.json` (`john.user@google.com`) |
+| Client source IP (login origin) | host | — | medium | `json.ipAddress` → `prisma_cloud.audit.ip_address` → `host.ip`, `related.ip` when present and not `"RedLock Internal IP"` | **`audit`** — network origin of the session; absent when IP is internal placeholder or omitted (fixtures 2–3, 5) |
+| Offending workload process | general | process | high | `prisma_cloud.incident_audit.data[].process_path`, `pid`, `command`, `interactive`; fixture `type: ["processes"]` | **`incident_audit`** — runtime violator; not mapped to ECS `process.*` |
+| OS/service account on workload | user | — | moderate | `prisma_cloud.incident_audit.data[].user` (*"Service user"* per `fields.yml`) → `related.user` only | **`incident_audit`** — supplementary identity of the process owner; no ECS `user.*` promotion |
+
+Four of five **`audit`** fixtures include `user`; one omits it entirely (IP-only failed login with `resourceName`/`resourceType` still set). 
**`incident_audit`** has no Prisma Cloud console administrator or API caller — incidents are Defender runtime detections on protected workloads.
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `user.email` / `user.name` / `user.domain` | Human/API principal | yes (4/5 audit fixtures) | yes | high | `json.user` rename → `prisma_cloud.audit.user`; `copy_from` + dissect when `@` present (`audit/default.yml` L77–97) |
+| `prisma_cloud.audit.user` | Canonical actor identifier | yes (vendor retained with tag) | yes | high | Raw vendor user string; preserved when `preserve_duplicate_custom_fields` tag set |
+| `related.user` | Actor enrichment bag | yes | yes | high | Appends `user.name` and full `prisma_cloud.audit.user` (L98–109) |
+| `host.ip` | Client source IP | partial | no | medium | `json.ipAddress` → `prisma_cloud.audit.ip_address` → `host.ip` (L54–70); semantically a **client** IP, not the host running the event — should be `source.ip` |
+| `related.ip` | Client source IP (related bag) | partial | yes | medium | Same pipeline step as `host.ip` (L71–76) |
+| `prisma_cloud.audit.ip_address` | Client source IP (vendor) | yes | yes | high | Vendor canonical; removed unless `preserve_duplicate_custom_fields` |
+| `prisma_cloud.audit.action.value` | Actor role/context (free text) | yes (vendor-only) | n/a | high | Embeds role names (*System Admin*) and auth method (*access key*); not parsed to ECS |
+| `prisma_cloud.incident_audit.data[].process_path` / `.pid` / `.command` | Offending process | no (vendor-only) | n/a | high | Process identity stays under vendor `data[]`; no ECS `process.*` mapping |
+| `prisma_cloud.incident_audit.data[].user` | Workload service user | partial | partial | moderate | Appended to `related.user` only (`incident_audit/default.yml` L513–517); describes process owner, not a security principal |
+| `related.user` (incident) | 
Workload user bag | partial | partial | moderate | Holds `data[].user` values only; no console actor |
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Platform / cloud service | SaaS platform or runtime enforcement surface | Prisma Cloud CSPM console/API; Prisma Cloud Compute (Defender) | service | — | medium | No `cloud.service.name` in either audit pipeline; platform inferred from integration context and `event.category` (`authentication` on login; `malware` on incident fixture) | Layer 1 is implicit — not mapped to ECS |
+| 2 — Resource / object | Configuration object or protected workload | Login session/user account; host, container, or function under enforcement | varies | see below | high | **`audit`:** `prisma_cloud.audit.resource.type`/`name` (`Login` / email in all fixtures). **`incident_audit`:** envelope `type` (`host`, `container`, `function`) plus `hostname`, `container.*`, `function.*`, `resource_id`, `vm_id`, `cloud.*` | Primary acted-upon entity |
+| 3 — Content / artifact | Violation detail or outcome text | Process/file/network artifact; rule outcome; login result | general | process, file, network_peer, runtime_rule, audit_outcome | high | **`incident_audit`:** `data[].type` discriminator (`processes`, `network`, `kubernetes`, `filesystem`); `custom_rule_name`, `effect`, `attack.*`. 
**`audit`:** `prisma_cloud.audit.result` → `event.outcome`; free-text `action.value` | Layer 3 nested under Layer 2 workload or login event |
+
+**Layer 2 detail by stream:**
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence |
+| --- | --- | --- | --- | --- |
+| User account / login session (`resourceType: Login`) | user | — | high | `prisma_cloud.audit.resource.name` = `john.user@google.com`; actor and target are the same identity on login events in all audit fixtures |
+| CSPM configuration object (inferred) | general | platform_resource | medium | API supports arbitrary `resourceType`/`resourceName`; only `Login` present in package tests |
+| Protected host (`type: host`) | host | — | high | `prisma_cloud.incident_audit.hostname` → `host.hostname`; `fqdn` → `host.domain`; `vm_id`, `resource_id`, `cloud.account.id`/`provider`/`region` |
+| Protected container (`type: container` or `data[].container.value: true`) | general | container | high | `container.id`, `container.name`, `container.image.name` from envelope and `data[]` (`container123`, `nginx`, `docker.io/library/nginx:latest`) |
+| Serverless function (`type: function`) | general | serverless_function | high | `prisma_cloud.incident_audit.function.id`/`.value`, `runtime`, `data[].request_id` (`fields.yml`; placeholder fixtures) |
+| Runtime custom rule (enforcement policy) | general | runtime_rule | high | `custom_rule_name`, `data[].rule_name` → `rule.name`; `effect` (`block`, `prevent`); not the acted-upon workload |
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? 
| Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `prisma_cloud.audit.resource.type` | 2 | varies | no | n/a | `entity.target.type` | yes | `Login` in all audit fixtures; discriminator for non-login mutations in production |
+| `prisma_cloud.audit.resource.name` | 2 | user (login) | no | n/a | `user.target.email` / `user.target.name` | yes | Login target email; same value as actor on authentication events |
+| `prisma_cloud.audit.action.value` | 3 | general | no | n/a | context-only | no | Human-readable action including role and method |
+| `prisma_cloud.audit.result` / `event.outcome` | 3 | general | partial | yes | context-only | no | Outcome of login attempt (`success`/`failure`) |
+| `host.hostname` / `host.domain` | 2 | host | yes | yes | `host.target.hostname` / `host.target.domain` | yes | Incident envelope + `data[].fqdn`/`hostname` → ECS host fields (`incident_audit/default.yml` L618–654, L249–275) |
+| `container.id` / `container.name` / `container.image.name` | 2 | general | yes | yes | `entity.target.id` / container fields | yes | Envelope and nested `data[]` container context (L582–601, L204–335) |
+| `prisma_cloud.incident_audit.function.id` / `.value` | 2 | general | no | n/a | `entity.target.id` / `service.target.entity.id` | yes | Serverless function scope; vendor-only at envelope level |
+| `prisma_cloud.incident_audit.resource_id` / `.vm_id` | 2 | host | no | n/a | `entity.target.id` | yes | Cloud resource identifiers; vendor-only |
+| `cloud.account.id` / `cloud.provider` / `cloud.region` | 2 | general | partial | yes | context-only (cloud scope) | no | Tenancy/region of affected workload, not the target entity itself |
+| `prisma_cloud.incident_audit.data[].process_path` / `.filepath` / `.md5` | 3 | general | no | n/a | `entity.target.name` (artifact) | yes | Process or file under inspection; vendor-only |
+| `prisma_cloud.incident_audit.data[].ip` / `.port` / `.domain` | 3 | general | partial | partial | `destination.ip` / 
`destination.domain` (de-facto) | yes | Fields.yml: *"connection destination"*; `ip` → `related.ip` only (L358–379) — network peer/target not promoted to `destination.*` |
+| `rule.name` / `threat.technique.*` | 3 | general | partial | yes | context-only | no | Policy and MITRE context for the violation, not the acted-upon entity |
+| `prisma_cloud.incident_audit.custom_rule_name` | 3 | general | no | n/a | context-only | no | Runtime rule name; duplicated to `rule.name` then vendor field removed unless tag set |
+
+### Gaps and mapping notes
+
+- **No ECS `*.target.*` today** — neither stream maps acted-upon entities to official target fields. `target-fields-audit` classifies `prisma_cloud` as `moderate_candidate` with `ecs_target_tierA_audit=false`, `pipeline_dest_identity=false`, `pipeline_actor=false` (despite clear `user.*` actor mapping on **`audit`**), `fixture_strong=true`.
+- **`event.action` gap on `incident_audit`** — vendor `data[].attack.type` (`cloudMetadataProbing`) and `custom_rule_name` clearly name the detected activity but map to `threat.technique.*` / `rule.name` only; recommend copying `attack.type` to `event.action` as primary candidate.
+- **No `destination.user.*` / `destination.host.*`** — package absent from `destination_identity_hits.csv`. Network destination fields in **`incident_audit`** (`data[].ip`, `.port`, `.domain`) stay vendor-only or `related.ip`; enhancement candidate for de-facto `destination.*` → `host.target.*` / network target migration.
+- **`host.ip` misused for client source on `audit`** — client login IP mapped to `host.ip` instead of `source.ip` (`Mapping correct?`: no); conflates session origin with host identity.
+- **Login actor/target conflation on `audit`** — same email populates `user.*` (actor) and `prisma_cloud.audit.resource.name` (target) on LOGIN events; only actor is promoted to ECS `user.*`. 
+- **Role context vendor-only** — admin role names appear in `prisma_cloud.audit.action.value` free text, not in `user.roles` or a structured vendor field.
+- **`incident_audit` envelope vs `data[]` nesting** — incident-level host/container/function scope coexists with per-audit detail rows; correlate via `prisma_cloud.incident_audit._id` / `data[]._id` and `data[].type` discriminators.
+- **Non-login CSPM audit targets unverified** — fixtures cover LOGIN only; production mutations (policies, accounts, users) require live `resourceType`/`resourceName` values.
+- **`alert` stream (audit-adjacent)** — `modifiedBy` and attribution usernames append to `related.user`; misconfigured cloud resource is the finding target under `prisma_cloud.alert.resource.*` with optional `cloud.service.name` — not an audit log entity.
+
+### Per-stream notes
+
+#### `prisma_cloud.audit`
+
+CSPM console audit collected via CEL/API polling. Human administrator or API access-key holder is the actor (`user.*` when email-shaped). Client IP optionally enriches `host.ip`/`related.ip`. `actionType` → `event.action` (`login`) with `event.category: authentication`. All fixtures are failed/successful LOGIN attempts targeting the same user email in `resource.name`. No `cloud.service.name`, `source.ip`, or ECS target fields.
+
+#### `prisma_cloud.incident_audit`
+
+CWPP runtime incident audit via Compute API or syslog. No platform admin actor — the violator is the workload process (`data[].process_path`) with optional OS service user in `related.user`. No `event.action`; primary action candidate is `data[].attack.type` (`cloudMetadataProbing`). Incident envelope scopes host/container/function; nested `data[]` rows carry type-specific artifacts (process, network, filesystem, kubernetes). Workload identity maps to ECS `host.*`, `container.*`, `cloud.*`, and `rule.name`/`threat.technique.*`; process/file/network targets remain vendor-only. Category `malware` set when envelope `category` contains malware. 
+
+## Example Event Graph
+
+Examples below come from the two audit-oriented streams — **`prisma_cloud.audit`** (CSPM console audit logs) and **`prisma_cloud.incident_audit`** (CWPP runtime incident audit). Both are true audit records; the remaining five streams are findings or inventory and have no per-event Actor → action → Target chain.
+
+### Example 1: Successful CSPM console login
+
+**Stream:** `prisma_cloud.audit` · **Fixture:** `packages/prisma_cloud/data_stream/audit/sample_event.json`
+
+On LOGIN events, vendor `resourceName` repeats the user email — repeating that as the graph target would read “user logs in to themselves.” The natural reading is: a **user authenticates to the Prisma Cloud CSPM console**; the vendor login resource is session metadata, not a distinct target identity.
+
+```
+Administrator (john.user@google.com) → login → Prisma Cloud CSPM console (service)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | john.user@google.com |
+| name | john.user |
+| type | user |
+| ip | 81.2.69.192 |
+
+**Field sources:**
+
+- `id` ← `user.email`, `prisma_cloud.audit.user`
+- `name` ← `user.name`
+- `ip` ← `host.ip`, `prisma_cloud.audit.ip_address` (client login origin; mapped to `host.ip` today, not `source.ip`)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | login |
+| source_field | `event.action` |
+| source_value | login |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| name | Prisma Cloud CSPM console |
+| type | service |
+
+**Field sources:**
+
+- `name` ← semantic — SaaS platform being authenticated to; **not indexed** in fixture (`cloud.service.name` absent; `prisma_cloud.audit.resource.name` repeats the user email)
+- `type` ← service — authentication target is the CSPM console, not the user account
+
+**Scope context (not target):** vendor login resource `prisma_cloud.audit.resource.name: john.user@google.com` with `resource.type: Login`; role `System Admin` appears in 
`prisma_cloud.audit.action.value`.
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: john.user@google.com"] --> E["login"]
+ E --> T["Target: Prisma Cloud CSPM console"]
+```
+
+### Example 2: Failed CSPM login from client IP (no user field)
+
+**Stream:** `prisma_cloud.audit` · **Fixture:** `packages/prisma_cloud/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json` (fixture 5)
+
+```
+Client IP (81.2.69.142) → login → Prisma Cloud CSPM console (service)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | 81.2.69.142 |
+| type | host |
+| ip | 81.2.69.142 |
+
+**Field sources:**
+
+- `id` ← `host.ip`, `prisma_cloud.audit.ip_address`
+- `ip` ← `host.ip`, `related.ip`
+
+This fixture omits `json.user`; the only identity signal is the client source IP. No ECS `user.*` fields are populated.
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | login |
+| source_field | `event.action` |
+| source_value | login |
+
+`event.outcome` is `failure` (`prisma_cloud.audit.result`: `fail`).
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| name | Prisma Cloud CSPM console |
+| type | service |
+
+**Field sources:**
+
+- `name` ← semantic — SaaS platform being authenticated to; **not indexed** in fixture (`cloud.service.name` absent)
+- `type` ← service — failed login attempt against the CSPM console
+
+**Scope context (not target):** attempted account `john.user@google.com` in `prisma_cloud.audit.resource.name` and `prisma_cloud.audit.action.value`; vendor `resource.type: Login`. 
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: 81.2.69.142"] --> E["login (failure)"]
+ E --> T["Target: Prisma Cloud CSPM console"]
+```
+
+### Example 3: CWPP runtime cloud-metadata probing on container
+
+**Stream:** `prisma_cloud.incident_audit` · **Fixture:** `packages/prisma_cloud/data_stream/incident_audit/sample_event.json`
+
+```
+Workload process (pid 0 on nginx container) → cloudMetadataProbing → Protected host/container (gke-tp-cluster… / nginx)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | string |
+| type | general |
+| sub_type | process |
+
+**Field sources:**
+
+- `id` ← `prisma_cloud.incident_audit.data[].process_path` (placeholder value `string` in fixture)
+- `sub_type` ← `prisma_cloud.incident_audit.data[].type` (`processes`)
+
+No Prisma Cloud console administrator is present — the violator is the runtime process detected by Defender. Process identity stays vendor-only; no ECS `process.*` mapping today.
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | cloudMetadataProbing |
+| source_field | `prisma_cloud.incident_audit.data[].attack.type` |
+| source_value | cloudMetadataProbing |
+
+**Not mapped to ECS `event.action` today** — pipeline copies this value to `threat.technique.subtechnique.name` only. Custom rule `Rule xyz` (`rule.name`) and MITRE technique `exploitationForPrivilegeEscalation` (`threat.technique.name`) provide additional context. 
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | gke-tp-cluster-tp-pool1-9658xxxx-j87v |
+| name | nginx |
+| type | host |
+| sub_type | container |
+
+**Field sources:**
+
+- `id` ← `prisma_cloud.incident_audit.data[].hostname`, `host.hostname`
+- `name` ← `container.name` (`nginx`), `prisma_cloud.incident_audit.data[].container.name`
+- `sub_type` ← envelope `prisma_cloud.incident_audit.type` (`host`) with nested `data[].container.value: true` and `container.id: container123`
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: workload process"] --> E["cloudMetadataProbing"]
+ E --> T["Target: nginx on gke host"]
+```
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (CEL/API and optional syslog; Tier A fixtures). Router: **`data_stream.dataset`** per `manifest.yml` — seven streams; actor/target/action extraction applies only to **`prisma_cloud.audit`** and **`prisma_cloud.incident_audit`**. Five findings/inventory streams are excluded. Neither stream indexes ECS `*.target.*` today; login events use a **service** semantic target (Pass 3), not `prisma_cloud.audit.resource.name` (actor/target tautology). Pass 4 is **fill-gaps-only**; every `CASE` uses valid **5-arg** (`CASE( IS NOT NULL, , data_stream.dataset == "…", , null)`) or **7-arg** multi-branch forms — never **4-arg** `CASE(actor_exists, col, bare_field, null)` / `CASE(target_exists, col, bare_field, null)` where the bare field parses as a **condition**, not a fallback value. Mapped columns use **column-level preserve** (` IS NOT NULL`), not `CASE(actor_exists, …)` / `CASE(target_exists, …)`, so `actor_exists` true from `user.email` does not skip `user.id` fallback and one populated `*.target.*` column does not block sibling target fallbacks. Client login IP is ingest-only as `host.ip` (misnamed client origin) — **omit from ES|QL**. 
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `prisma_cloud.audit` | CSPM console audit | user, host | service | full |
+| `prisma_cloud.incident_audit` | CWPP runtime audit | general (process) | host, general (container) | full |
+| `prisma_cloud.alert` | posture finding | — | — | none |
+| `prisma_cloud.misconfiguration` | scan state | — | — | none |
+| `prisma_cloud.vulnerability` | CVE sync | — | — | none |
+| `prisma_cloud.host` | inventory | — | — | none |
+| `prisma_cloud.host_profile` | profile sync | — | — | none |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.id` | `user.email` | `data_stream.dataset == "prisma_cloud.audit" AND user.email IS NOT NULL` | high | column-level preserve (`user.id IS NOT NULL`); fallback copies email as id — `actor_exists` can be true from email while `user.id` is empty |
+| `user.name` | `user.name` | `data_stream.dataset == "prisma_cloud.audit"` | high | **ingest-only — no ES\|QL** (dissect from `prisma_cloud.audit.user` at ingest) |
+| `user.email` | `user.email` | `data_stream.dataset == "prisma_cloud.audit"` | high | **ingest-only — no ES\|QL** (`copy_from` `prisma_cloud.audit.user`) |
+| `user.domain` | `user.domain` | `data_stream.dataset == "prisma_cloud.audit"` | high | **ingest-only — no ES\|QL** (dissect at ingest) |
+| `host.ip` | `host.ip` | `data_stream.dataset == "prisma_cloud.audit"` | medium | **ingest-only — no ES\|QL** (`prisma_cloud.audit.ip_address` → `host.ip`; vendor IP removed unless `preserve_duplicate_custom_fields`) |
+| `entity.name` | `prisma_cloud.incident_audit.data.process_path` | `data_stream.dataset == "prisma_cloud.incident_audit" AND prisma_cloud.incident_audit.data.process_path IS NOT NULL` | high | column-level preserve; vendor 
fallback — offending process; `data` is an array of objects flattened by ES\|QL to multi-value; fixture has one element so direct field reference is safe |
+| `entity.type` | `"process"` | `data_stream.dataset == "prisma_cloud.incident_audit"` | high | column-level preserve; semantic literal in fallback |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `service.target.name` | `"Prisma Cloud CSPM console"` | `data_stream.dataset == "prisma_cloud.audit" AND event.action == "login"` | high | column-level preserve; semantic literal — Pass 3; not `user.target.*` from `resource.name` |
+| `host.target.name` | `MV_FIRST(container.name)` | `data_stream.dataset == "prisma_cloud.incident_audit" AND container.name IS NOT NULL` | high | column-level preserve; `container.name` is multi-value in fixtures (envelope `containerName` + `data[].containerName` both appended); `MV_FIRST` selects the envelope-level name |
+| `host.target.name` | `host.hostname` | `data_stream.dataset == "prisma_cloud.incident_audit" AND host.hostname IS NOT NULL` | high | column-level preserve; fallback when no container name — protected node hostname |
+| `entity.target.id` | `container.id` | `data_stream.dataset == "prisma_cloud.incident_audit" AND container.id IS NOT NULL` | high | column-level preserve; `container.id` is scalar (envelope `containerID` set via `copy_from`); fallback to `container.id` |
+| `entity.target.sub_type` | `"container"` | `data_stream.dataset == "prisma_cloud.incident_audit" AND container.id IS NOT NULL` | high | column-level preserve; classification literal in fallback only |
+
+#### Event action mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `event.action` | `event.action` | `data_stream.dataset == "prisma_cloud.audit"` | high | **ingest-only — no ES\|QL** (`actionType` → 
`event.action` at ingest) |
+| `event.action` | `prisma_cloud.incident_audit.data.attack.type` | `data_stream.dataset == "prisma_cloud.incident_audit"` | high | column-level preserve; vendor fallback — `data.attack.type` is the flattened multi-value path (no `[]`); not mapped at ingest today |
+
+**Detection predicate:** `actor_exists` includes `entity.id` / `entity.name` because **`incident_audit`** actors are general (process), not `user.*`. `target_exists` uses official `*.target.*` columns only (none populated in fixtures). Pass 4 omits ingest-only actor columns (`user.name`, `user.email`, `user.domain`, `host.ip`) and audit `event.action` from `EVAL` per rules #10/#11.
+
+**Semantics:** `actor_exists` / `target_exists` / `action_exists` are query-time helpers only. Actor/target/action `EVAL` blocks use **column-level** `CASE( IS NOT NULL, , …)` — not `CASE(actor_exists, user.id, user.email, null)` (4 args — `user.email` is a condition) or `CASE(target_exists, host.target.name, container.name, null)` when `service.target.name` alone is set.
+
+### Detection flags (mandatory — run first)
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+### Combined ES|QL — actor fields
+
+**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. 
Use **5-arg** `CASE(user.id IS NOT NULL, user.id, data_stream.dataset == "…", user.email, null)` — not **4-arg** `CASE(actor_exists, user.id, user.email, null)` or `CASE(user.id IS NOT NULL, user.id, user.email, null)` (3rd arg `user.email` is a **condition**, not a value).
+
+```esql
+| EVAL
+ user.id = CASE(
+ user.id IS NOT NULL, user.id,
+ data_stream.dataset == "prisma_cloud.audit" AND user.email IS NOT NULL, user.email,
+ null
+ ),
+ entity.name = CASE(
+ entity.name IS NOT NULL, entity.name,
+ data_stream.dataset == "prisma_cloud.incident_audit" AND prisma_cloud.incident_audit.data.process_path IS NOT NULL, prisma_cloud.incident_audit.data.process_path,
+ null
+ ),
+ entity.type = CASE(
+ entity.type IS NOT NULL, entity.type,
+ data_stream.dataset == "prisma_cloud.incident_audit", "process",
+ null
+ )
+```
+
+### Combined ES|QL — event action
+
+```esql
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "prisma_cloud.incident_audit" AND prisma_cloud.incident_audit.data.attack.type IS NOT NULL, prisma_cloud.incident_audit.data.attack.type,
+ null
+ )
+```
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "prisma_cloud.audit" AND event.action == "login", "Prisma Cloud CSPM console",
+ null
+ ),
+ host.target.name = CASE(
+ host.target.name IS NOT NULL, host.target.name,
+ data_stream.dataset == "prisma_cloud.incident_audit" AND container.name IS NOT NULL, MV_FIRST(container.name),
+ data_stream.dataset == "prisma_cloud.incident_audit" AND host.hostname IS NOT NULL, host.hostname,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "prisma_cloud.incident_audit" AND container.id IS NOT NULL, container.id,
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == 
"prisma_cloud.incident_audit" AND container.id IS NOT NULL, "container",
+ null
+ )
+```
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ user.id = CASE(user.id IS NOT NULL, user.id, data_stream.dataset == "prisma_cloud.audit" AND user.email IS NOT NULL, user.email, null),
+ entity.name = CASE(entity.name IS NOT NULL, entity.name, data_stream.dataset == "prisma_cloud.incident_audit" AND prisma_cloud.incident_audit.data.process_path IS NOT NULL, prisma_cloud.incident_audit.data.process_path, null),
+ entity.type = CASE(entity.type IS NOT NULL, entity.type, data_stream.dataset == "prisma_cloud.incident_audit", "process", null),
+ event.action = CASE(event.action IS NOT NULL, event.action, data_stream.dataset == "prisma_cloud.incident_audit" AND prisma_cloud.incident_audit.data.attack.type IS NOT NULL, prisma_cloud.incident_audit.data.attack.type, null),
+ service.target.name = CASE(service.target.name IS NOT NULL, service.target.name, data_stream.dataset == "prisma_cloud.audit" AND event.action == "login", "Prisma Cloud CSPM console", null),
+ host.target.name = CASE(host.target.name IS NOT NULL, host.target.name, data_stream.dataset == "prisma_cloud.incident_audit" AND container.name IS NOT NULL, MV_FIRST(container.name), data_stream.dataset == "prisma_cloud.incident_audit" AND 
host.hostname IS NOT NULL, host.hostname, null),
+ entity.target.id = CASE(entity.target.id IS NOT NULL, entity.target.id, data_stream.dataset == "prisma_cloud.incident_audit" AND container.id IS NOT NULL, container.id, null),
+ entity.target.sub_type = CASE(entity.target.sub_type IS NOT NULL, entity.target.sub_type, data_stream.dataset == "prisma_cloud.incident_audit" AND container.id IS NOT NULL, "container", null)
+| KEEP @timestamp, data_stream.dataset, event.action, user.id, user.email, entity.name, entity.type, service.target.name, host.target.name, entity.target.id, entity.target.sub_type
+```
+
+### Streams excluded
+
+- **`prisma_cloud.alert`**, **`misconfiguration`**, **`vulnerability`**, **`host`**, **`host_profile`** — findings/inventory; no per-event actor/target/action audit chain (Pass 2).
+
+### Gaps and limitations
+
+- **Ingest-only actor fields on `audit`** — `user.name`, `user.email`, `user.domain`, and `host.ip` are populated at ingest with no alternate query-time source; omitted from `EVAL` (rules #10/#11). **`user.id`** uses column-level preserve and `user.email` fallback because `actor_exists` can be true while `user.id` is still empty.
+- **`event.action` on `audit`** — ingest-only; `EVAL` applies only to `incident_audit` vendor fallback.
+- **`host.ip` vs `source.ip` on audit** — client login IP mis-mapped at ingest; no ES|QL rename (`prisma_cloud.audit.ip_address` removed at ingest by default).
+- **`prisma_cloud.audit.resource.name`** — repeats user email on LOGIN; intentionally omitted from `user.target.*` (service literal instead).
+- **`incident_audit.data` array flattening** — `prisma_cloud.incident_audit.data` is an array of audit-row objects; after ingest, ES|QL flattens it to multi-value fields (`prisma_cloud.incident_audit.data.process_path`, `prisma_cloud.incident_audit.data.attack.type`, etc.). The `[]` notation is invalid in ES|QL — use bare dot-path. 
Fixture has one element; `MV_FIRST()` can be used when single-value semantics are required but direct use is also valid.
+- **`container.name` multi-value** — the pipeline appends both envelope `containerName` and each `data[].containerName` into `container.name`, yielding a multi-value field (e.g., `["nginx", "Example Container"]` in fixtures). `MV_FIRST(container.name)` selects the envelope-level name as the primary target identifier.
+- **`entity.target.name` from `data.domain`** — network peer target omitted (medium confidence; vendor-only at ingest; `data.domain` is multi-value after flattening).
+- **Non-login CSPM audit targets** — fixtures cover LOGIN only; production `resource.type` / `resource.name` need live validation before `entity.target.*` routing.
+- **Pass 4 CASE syntax** — all `CASE` in actor/target/action blocks use column-level **5-arg** / **7-arg** preserve (` IS NOT NULL` first branch); never **4-arg** `CASE(actor_exists, col, vendor_field, null)` or `CASE(col IS NOT NULL, col, vendor_field, null)` (bare field as 3rd arg is a condition). Detection flags are helpers only; do not gate `user.id` on `actor_exists` when `user.email` alone satisfies the flag.
+- **`rule.name` / `threat.technique.*`** — violation context only; not mapped to target columns.
diff --git a/dev/domain/p1/qualys_vmdr.md b/dev/domain/p1/qualys_vmdr.md
new file mode 100644
index 00000000000..501c9eebb4d
--- /dev/null
+++ b/dev/domain/p1/qualys_vmdr.md 
@@ -0,0 +1,466 @@
+# qualys_vmdr
+
+## Product Domain
+
+Qualys Vulnerability Management, Detection and Response (VMDR) is a cloud-based vulnerability management platform from Qualys. It provides continuous visibility into security weaknesses across an organization's IT assets—on-premises hosts, cloud workloads, and containers—by identifying, prioritizing, and tracking vulnerabilities before they can be exploited. VMDR sits in the security and IT operations domain as a centralized system for vulnerability assessment, risk scoring, and remediation workflow.
+
+The platform discovers and scans assets using Qualys Cloud Agents, internal scanners, and external scanners, then correlates findings against Qualys's vulnerability knowledge base (QIDs). Key capabilities include CVE and CVSS-based risk scoring, Qualys Detection Score (QDS) prioritization, MITRE ATT&CK mapping, threat intelligence correlation, PCI compliance flags, and remediation guidance. Asset host detections can include cloud provider metadata (AWS, Azure, GCP, Alibaba Cloud) for cloud security posture use cases.
+
+Typical use cases include vulnerability prioritization and remediation tracking for security teams, compliance reporting (e.g., PCI), cloud security posture management (CDR), and audit of platform user activity. Security operations teams use VMDR data to correlate findings with other telemetry, track remediation status over time, and focus patching efforts on the highest-risk vulnerabilities across the estate.
+
+## Data Collected (brief)
+
+This integration collects data from Qualys VMDR via REST API into three data streams: **Asset Host Detection** (per-host vulnerability findings enriched with knowledge base details such as CVEs, CVSS, solutions, and threat intel), **Knowledge Base** (vulnerability reference records keyed by QID), and **User Activity** (audit log of user actions within the Qualys platform). 
Elastic Agent polls these APIs on configurable intervals and maps findings to ECS vulnerability and host fields.
+
+## Expected Audit Log Entities
+
+Only the **user_activity** stream is a true audit log: it exports the Qualys User Activity Log API (`/api/2.0/fo/activity_log/`) and records who did what inside the VMDR console/API (`Action`, `Module`, `Details`, user identity). **asset_host_detection** and **knowledge_base** are vulnerability inventory and reference sync, not audit trails; actor/target semantics below describe inventory subjects where useful. No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*` fields are populated in any stream (confirmed in package pipelines, fixtures, and `dev/target-fields-audit/out/target_fields_audit.csv`). The package does not appear in `destination_identity_hits.csv` — no `destination.user.*` or `destination.host.*` pipeline mappings. Prior audit scan: `target_enhancement_packages.csv` row `qualys_vmdr,none,false,...` (no enhancement signals).
+
+**Event action (Step 2b per stream):**
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? 
| Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| **user_activity** | yes | yes — `Action` → `event.action` (L57–60) | `qualys_vmdr.user_activity.Action` (already mapped) | high | `login`, `request`, `set`, `add`, `create` in `sample_event.json`, `test-yes-preserve-custom.log-expected.json` |
+| **asset_host_detection** | no | no | n/a — no per-event action (finding sync) | high | Static `event.kind: alert`, `event.category: vulnerability`; vendor `vulnerability.status`/`type` describe finding state, not audit verbs |
+| **knowledge_base** | no | no | n/a — no per-event action (reference catalog sync) | high | Static `event.kind: alert`, `event.category: vulnerability`; QID records synced, not user operations |
+
+### Event action (semantic)
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `login` | authentication | high | `event.action: "login"`, `message: "user_logged in"`, `event.provider: "auth"` | **user_activity** — console/API session start |
+| `request` | api_call | high | `event.action: "request"`, `message: "API: /api/2.0/fo/activity_log/index.php"` | **user_activity** — REST API invocation against Qualys |
+| `set` | configuration_change | high | `event.action: "set"`, `message: "comment=[vvv] for 11.11.11.4"`, `event.provider: "host_attribute"` | **user_activity** — host attribute update |
+| `add` | configuration_change | high | `event.action: "add"`, `message: "11.11.11.4 added to both VM-PC license"`, `event.provider: "option"` | **user_activity** — license/option change |
+| `create` | configuration_change | high | `event.action: "create"`, `message: "New Network: 'abc'"`, `event.provider: "network"` | **user_activity** — VMDR network creation |
+| (no per-event action) | detection / inventory | high | `event.kind: alert`, `event.category: [vulnerability]` only | **asset_host_detection**, **knowledge_base** — state sync, not 
auditable operations |
+
+Pipeline derives `event.category` and `event.type` from `event.action` on **user_activity** only: `login` → `authentication`/`info`; `request` → `api`/`info`; `add`/`set`/`create` → `configuration` with `change` or `creation` type (L136–175).
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `event.action` | yes (**user_activity**) | yes | `login`, `request`, `set`, `add`, `create` | no | `set` from `qualys_vmdr.user_activity.Action` (`user_activity/.../default.yml` L57–60) |
+| `qualys_vmdr.user_activity.Action` | yes (via copy to ECS) | yes | same as above | no | Vendor canonical; retained when `preserve_duplicate_custom_fields` tag set |
+| `event.provider` | no | n/a | n/a — module context, not verb | yes (composite only) | `Module` → `event.provider` (L61–64); could combine with `Action` for richer labels (e.g. 
`host_attribute-set`) but not required |
+| `event.type` / `event.category` | no | n/a | n/a — derived from action, not substitutes | no | Appended from `event.action` (L136–175); classification metadata, not action source |
+| `qualys_vmdr.asset_host_detection.vulnerability.status` | no | n/a | n/a — finding state (`Active`), not operation | no | Vendor-only (`default.yml` L1452–1457); `"Active"` in fixtures — not an audit verb |
+| `qualys_vmdr.asset_host_detection.vulnerability.type` | no | n/a | n/a — detection classification (`Confirmed`), not operation | no | Vendor-only (L1458–1463); describes finding certainty, not who did what |
+| (none applicable) | no | n/a | n/a | no | **knowledge_base** — reference record sync; no vendor action/operation field |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Qualys platform user (console/API operator) | user | — | high | Every `user_activity` event carries `User Name` / `User Role`; mapped to `user.name`, `user.roles` (`sample_event.json`, `test-yes-preserve-custom.log-expected.json`) | **user_activity** — actor across all observed modules (`auth`, `host_attribute`, `option`, `network`) |
+| Qualys platform user client IP | host | — | high | `User IP` → `source.ip` + `related.ip` (`user_activity/elasticsearch/ingest_pipeline/default.yml`; fixtures show `10.113.195.136`, `10.113.14.208`) | **user_activity** — network endpoint of the acting user, not the acted-upon asset |
+| Automated vulnerability scanner / agent | service | — | high | `qualys_vmdr.asset_host_detection.vulnerability.latest_vulnerability_detection_source` (`"Cloud Agent"`), `vulnerability_detection_sources` (`"Cloud Agent"`, `"Internal Scanner"`) in `asset_host_detection/sample_event.json`, `test-asset-host-detection.log-expected.json` | **asset_host_detection** — detection mechanism, not a human principal; no `user.*` on findings | 
+| KB customization author (metadata only) | user | — | moderate | `qualys_vmdr.knowledge_base.last.customization.user_login` (`"user_login"`) in `test-knowledge-base.log-expected.json` | **knowledge_base** — who last customized a QID record; not an auditable action event in this stream | + +**user_activity** has a human actor on every event. **asset_host_detection** and **knowledge_base** have no per-event human caller; treat scanner/agent identity as **service** where detection source is present. + +### Actor (ECS candidates) + +| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `user.name` | Actor — Qualys login name | yes | yes | high | `copy_from: qualys_vmdr.user_activity.User_Name` (`user_activity/.../default.yml` L69–72); `"john"`, `"saand_rn"` in fixtures | +| `user.roles` | Actor — platform role | yes | yes | high | `append` from `User_Role` (L77–79); `"Reader"`, `"Manager"` in fixtures | +| `source.ip` | Actor client endpoint | yes | yes | high | `convert` from `User_IP` → `source.ip` (L80–84); geoip enrichment follows | +| `related.user` | Actor enrichment | yes | yes | high | `append` from `user.name` (L73–76) | +| `related.ip` | Actor client enrichment | yes | yes | high | `append` from `source.ip` (L85–88) | +| `qualys_vmdr.user_activity.User_Name` | Actor — vendor canonical | yes (vendor) | n/a | high | Retained when `preserve_duplicate_custom_fields` tag set (`sample_event.json`) | +| `qualys_vmdr.user_activity.User_Role` | Actor role — vendor | yes (vendor) | n/a | high | Same | +| `qualys_vmdr.user_activity.User_IP` | Actor IP — vendor | yes (vendor) | n/a | high | Same | +| `qualys_vmdr.knowledge_base.last.customization.user_login` | KB editor (metadata) | yes (vendor) | partial | moderate | Vendor-only; not mapped to `user.*`; describes KB record editor, not an audit event actor | +| 
`qualys_vmdr.asset_host_detection.vulnerability.latest_vulnerability_detection_source` | Detection service | yes (vendor) | n/a | high | `"Cloud Agent"` in `sample_event.json`; not mapped to ECS actor fields | +| `vulnerability.scanner.vendor` | Scanner product (observer context) | yes | partial | high | Static `Qualys` (`asset_host_detection/.../default.yml` L80–83); observer/scanner context, not the human actor | +| `observer.vendor` | Observing product | yes | n/a | high | Static `Qualys VMDR` on **asset_host_detection** only | + +### Target (semantic) + +| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | --- | --- | +| 1 — Platform / cloud service | SaaS platform or API surface acted upon | Qualys VMDR / Qualys REST API | service | — | high | `auth` + `login`: `message: "user_logged in"`; `auth` + `request`: `message: "API: /api/2.0/fo/activity_log/index.php"` (`test-yes-preserve-custom.log-expected.json`) | **user_activity** only; no `cloud.service.name` or `service.name` set in pipeline | +| 2 — Resource / object | Configuration object or asset subject of change | Scanned host (by IP), VMDR network, license scope | host / general | network (for `network` module) | high (when inferable) | `host_attribute` + `set`: `"comment=[vvv] for 11.11.11.4"`; `option` + `add`: `"11.11.11.4 added to both VM-PC license"`; `network` + `create`: `"New Network: 'abc'"` | **user_activity** — target only in free-text `message`; not structured ECS fields | +| 2 — Resource / object | Scanned IT asset | Host / cloud workload | host | — | high | `host.id`, `host.name`, `host.ip`, `resource.id`, `resource.name`; cloud: `cloud.instance.id`, `cloud.service.name` (`"EC2"`) when `provider_cloud_data` tag set | **asset_host_detection** — inventory subject, not audit target | +| 2 — Resource / object | Vulnerability definition (QID) | Qualys QID / CVE reference | general | 
vulnerability_definition | high | `event.id` / `qualys_vmdr.knowledge_base.qid` (`"11830"`, `"284008"`); `vulnerability.id` CVE list | **knowledge_base** — reference record, not an acted-upon runtime resource | +| 3 — Content / artifact | Free-text audit detail or finding payload | Activity `Details` string; per-host detection instance | general | audit_detail / vuln_finding | high | `message` ← `Details` on **user_activity**; `event.id` ← `unique_vuln_id`, `vulnerability.qid` on **asset_host_detection** | Layer 3 is the only structured target ID on findings (`event.id`); audit stream relies on unparsed `message` | + +### Target (ECS candidates) + +| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `message` | 3 | general | audit_detail | yes | partial | context-only | yes | `copy_from: qualys_vmdr.user_activity.Details` (L65–68); embeds host IP, network name, API path — should parse to `host.target.*` / `service.target.*` where module permits | +| `event.provider` | 2 | general | config_module | yes | yes | context-only | yes | `Module` → `event.provider` (`auth`, `host_attribute`, `option`, `network`); aids target inference but is not a target identity field | +| `host.id` | 2 | host | — | yes | yes | host.target.id | yes | `json.ID` → `qualys_vmdr.asset_host_detection.id` → `host.id` + `resource.id` (`asset_host_detection/.../default.yml` L167–185); inventory subject, not audit acted-upon host | +| `host.name` / `host.hostname` / `host.ip` | 2 | host | — | yes | yes | host.target.* | yes | DNS/FQDN/IP mapping (L138–356); `"adfssrvr.adfs.local"`, `"10.50.2.111"` in `sample_event.json` | +| `resource.id` / `resource.name` | 2 | host | — | yes | yes | entity.target.id / host.target.name | yes | Copied from Qualys host ID and FQDN (L171–180) | +| `cloud.service.name` | 1 | service | — | conditional | yes | service.target.name 
| yes | `CLOUD_SERVICE` → `cloud.service.name` when `provider_cloud_data` tag (L236–245); e.g. `"EC2"` — cloud workload type, not Qualys platform | +| `cloud.instance.id` | 2 | host | — | conditional | yes | host.target.id (cloud) | yes | `cloud_resource_id` → `cloud.instance.id` (L225–234) | +| `cloud.provider` | 1 | service | — | conditional | yes | context-only | no | `CLOUD_PROVIDER` lowercased → `cloud.provider` (L246–256) | +| `event.id` | 3 | general | vuln_instance | yes | yes | entity.target.id | yes | `unique_vuln_id` → `event.id` on **asset_host_detection** (L1226–1235); detection instance ID | +| `vulnerability.qid` / `qualys_vmdr.*.vulnerability.qid` | 2 | general | vulnerability | yes | yes | entity.target.id | yes | QID on detection; KB stream uses `event.id` ← `qid` | +| `qualys_vmdr.asset_host_detection.ec2_instance_id` | 2 | host | — | yes (vendor) | n/a | host.target.id | yes | Vendor cloud instance ID; not copied to ECS when only vendor namespace retained | +| `qualys_vmdr.user_activity.Details` | 3 | general | audit_detail | yes (vendor) | n/a | context-only | yes | Canonical target text for audit events; only duplicated to `message` | +| `destination.user.*` / `destination.host.*` | — | — | no | n/a | n/a | n/a | no | Not present in pipelines or fixtures; package absent from `destination_identity_hits.csv` | + +### Gaps and mapping notes + +- **`event.action` well mapped on audit stream:** **user_activity** copies vendor `Action` → `event.action` with correct semantics (`login`, `request`, `set`, `add`, `create`). No enhancement needed for action mapping on this stream. +- **No `event.action` on inventory streams:** **asset_host_detection** and **knowledge_base** are finding/reference sync — vendor `vulnerability.status`/`type` (`Active`, `Confirmed`) describe finding state, not audit verbs; do not map to `event.action`. +- **Audit target not structured:** **user_activity** records the acted-upon entity only in `Details` → `message`. 
Host IPs (`11.11.11.4`), network names (`'abc'`), and API paths are not parsed into `host.target.*`, `service.target.*`, or `entity.target.*`. Best enhancement source: grok/dissect on `message` keyed by `event.provider` + `event.action`. +- **No ECS `*.target.*` today:** Aligns with `target_enhancement_packages.csv` (`priority=none`, all signal flags false) and no row in `target_fields_audit.csv` for this package. +- **No `destination.*` de-facto targets:** Package not in `destination_identity_hits.csv`; no migration from `destination.user.*` / `destination.host.*` applicable. +- **`source.ip` is actor client, not target:** `User IP` correctly maps to `source.ip` (actor workstation/VPN egress). Do not interpret as scanned-asset or platform target IP. +- **`host.domain` ← NETBIOS on findings:** `host.domain` is populated from `NETBIOS` (`asset_host_detection/.../default.yml` L197–201), which is NetBIOS name semantics — acceptable for inventory but not equivalent to DNS domain; unrelated to audit actor/target. +- **`cloud.service.name` on findings is workload type, not Qualys:** When `provider_cloud_data` tag is set, `cloud.service.name` reflects Qualys `CLOUD_SERVICE` (e.g. `"EC2"`) for the **scanned cloud asset**, not the Qualys VMDR SaaS platform invoked in **user_activity** auth events. +- **Scanner vs actor on findings:** `vulnerability.scanner.vendor: Qualys` and `observer.vendor: Qualys VMDR` describe the observing product; automated `Cloud Agent` / `Internal Scanner` strings are detection-source **service** actors, not ECS-mapped principals. +- **KB `user_login` is not audit actor:** `qualys_vmdr.knowledge_base.last.customization.user_login` is customization metadata on reference records; no corresponding `user.*` ECS mapping and no audit `event.action` — do not conflate with **user_activity** platform audit. + +### Per-stream notes + +#### user_activity + +True audit stream. 
Pipeline JSON-parses activity log rows, maps `Action` → `event.action`, `Module` → `event.provider`, platform user → `user.name` / `user.roles`, client IP → `source.ip`, and copies `Details` → `message`. Observed actions: `login`, `request` (auth/API), `set`, `add`, `create` (configuration). Target entity varies by `event.provider` and must be inferred from `message` text — auth events target Qualys VMDR (**service**); configuration modules target hosts (**host**) or VMDR networks (**general**). Pipeline removes incoming `cloud` and `host` fields (L127–131) — audit events never carry structured host targets. + +#### asset_host_detection + +Per-host vulnerability finding sync (`event.kind: alert`, `event.category: vulnerability`). Not an audit log; no per-event `event.action`. **Host** is the inventory subject (`host.*`, `resource.*`); **vulnerability** (`vulnerability.*`, `event.id`) is the finding on that host. Vendor `vulnerability.status`/`type` remain vendor-only. Optional cloud enrichment via `provider_cloud_data` tag populates `cloud.provider`, `cloud.service.name`, `cloud.instance.id`. Automated scanners appear as vendor detection-source strings only. + +#### knowledge_base + +Vulnerability reference catalog keyed by QID (`event.id`). Not an audit log and no meaningful per-event actor/target audit semantics or `event.action`. Each record describes a vulnerability definition (`vulnerability.id`, `vulnerability.category`, rich `qualys_vmdr.knowledge_base.*` tree). Optional `last.customization.user_login` indicates who last edited the KB entry, not a logged platform action in this stream. + +## Example Event Graph + +Examples below come from the **user_activity** audit stream (`qualys_vmdr.user_activity`), the only stream with true Actor → action → Target semantics. **asset_host_detection** and **knowledge_base** are vulnerability inventory and reference-catalog sync with no per-event `event.action`; those streams do not yield meaningful audit event graphs. 
+ +### Example 1: Console login + +**Stream:** `qualys_vmdr.user_activity` · **Fixture:** `packages/qualys_vmdr/data_stream/user_activity/_dev/test/pipeline/test-yes-preserve-custom.log-expected.json` + +``` +saand_rn (user) → login → Qualys VMDR platform (service) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | saand_rn | +| name | saand_rn | +| type | user | +| ip | 10.113.195.136 | + +**Field sources:** + +- `id` ← `user.name` +- `name` ← `user.name` +- `ip` ← `source.ip` (`qualys_vmdr.user_activity.User_IP`) + +#### Event action + +| Field | Value | +| --- | --- | +| action | login | +| source_field | `event.action` | +| source_value | login | + +#### Target + +| Field | Value | +| --- | --- | +| name | Qualys VMDR platform | +| type | service | + +**Field sources:** + +- `name` ← semantic — SaaS platform being authenticated to; **not indexed** in fixture (`cloud.service.name` absent; `message` only states `"user_logged in"`) +- `type` ← inferred from `event.provider: auth` + `event.action: login` + +**Scope context (not target):** `message` / `qualys_vmdr.user_activity.Details` = `"user_logged in"` describes the auth outcome, not the platform identity. 
+ +#### Mermaid + +```mermaid +flowchart LR + A["Actor: saand_rn"] --> E["login"] + E --> T["Target: Qualys VMDR platform"] +``` + +### Example 2: REST API request + +**Stream:** `qualys_vmdr.user_activity` · **Fixture:** `packages/qualys_vmdr/data_stream/user_activity/sample_event.json` + +``` +john (user) → request → /api/2.0/fo/activity_log/index.php (service) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | john | +| name | john | +| type | user | +| ip | 10.113.195.136 | + +**Field sources:** + +- `id` ← `user.name` +- `name` ← `user.name` +- `ip` ← `source.ip` (`qualys_vmdr.user_activity.User_IP`) + +#### Event action + +| Field | Value | +| --- | --- | +| action | request | +| source_field | `event.action` | +| source_value | request | + +#### Target + +| Field | Value | +| --- | --- | +| name | API: /api/2.0/fo/activity_log/index.php | +| type | service | + +**Field sources:** + +- `name` ← `message` (`qualys_vmdr.user_activity.Details`) +- `type` ← inferred from `event.provider: auth` + API path in `message` — Qualys REST API endpoint; not mapped to `service.name` or `url.path` today + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: john"] --> E["request"] + E --> T["Target: /api/2.0/fo/activity_log/index.php"] +``` + +### Example 3: Host attribute update + +**Stream:** `qualys_vmdr.user_activity` · **Fixture:** `packages/qualys_vmdr/data_stream/user_activity/_dev/test/pipeline/test-yes-preserve-custom.log-expected.json` + +``` +saand_rn (user) → set → 11.11.11.4 (host) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | saand_rn | +| name | saand_rn | +| type | user | +| ip | 10.113.14.208 | + +**Field sources:** + +- `id` ← `user.name` +- `name` ← `user.name` +- `ip` ← `source.ip` (`qualys_vmdr.user_activity.User_IP`) + +#### Event action + +| Field | Value | +| --- | --- | +| action | set | +| source_field | `event.action` | +| source_value | set | + +#### Target + +| Field | Value | +| --- | --- | +| ip | 11.11.11.4 | +| 
name | comment=[vvv] for 11.11.11.4 | +| type | host | + +**Field sources:** + +- `ip` ← embedded in `message` (`qualys_vmdr.user_activity.Details`: `"comment=[vvv] for 11.11.11.4"`) — not parsed into `host.target.ip` or `host.ip` today +- `name` ← `message` +- `type` ← inferred from `event.provider: host_attribute` + host IP in `message` + +#### Mermaid + +```mermaid +flowchart LR + A["Actor: saand_rn"] --> E["set"] + E --> T["Target: 11.11.11.4"] +``` + +## ES|QL Entity Extraction + +**Package type: agent-backed** (`policy_templates`, three `data_stream/` directories with Tier A fixtures and ingest pipelines). Router: **`data_stream.dataset`** (`qualys_vmdr.user_activity`, `qualys_vmdr.asset_host_detection`, `qualys_vmdr.knowledge_base` per `manifest.yml`). Pass 4 is **fill-gaps-only**: detection flags (`actor_exists`, `target_exists`, `action_exists`) run first for query semantics; **mapped columns use column-level preserve** (` IS NOT NULL`) — valid **5-arg** / **7-arg** / **9-arg** `CASE` only — not `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` and never **4-arg** `CASE( IS NOT NULL, , bare_field, null)` (bare field parses as a boolean condition). **`qualys_vmdr.user_activity`** gets full audit actor/target enrichment with secondary routing on **`event.action`** — on **`login`**, map **`service.target.name`** `"Qualys VMDR"` (Pass 3 platform target), not self-referential `user.name`; on **`request`**, promote API path from **`message`**. **`qualys_vmdr.asset_host_detection`** lifts inventory host + vuln instance into `host.target.*` / `entity.target.id` and detection source into `service.name` when ECS tiers are empty. **`destination.user.*` / `destination.host.*`:** not present in pipelines or fixtures (package absent from `destination_identity_hits.csv`) — no de-facto target migration. 
+ +### Dataset inventory + +| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction | +| --- | --- | --- | --- | --- | +| `qualys_vmdr.user_activity` | audit | user, host (client IP) | service, host (unparsed in message) | full | +| `qualys_vmdr.asset_host_detection` | vulnerability inventory | service (detection source) | host, general (vuln instance) | partial | +| `qualys_vmdr.knowledge_base` | reference catalog | user (metadata only) | general (QID definition) | none | + +### Field mapping plan + +#### Actor mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `user.id` | `user.name` | `data_stream.dataset == "qualys_vmdr.user_activity" AND user.name IS NOT NULL` | high | **column-level preserve** + **vendor fallback** — not `CASE(actor_exists, user.id, …)` (`user.name` can set `actor_exists` while `user.id` is empty) | +| `user.name` | — | `data_stream.dataset == "qualys_vmdr.user_activity"` | high | **ingest-only — no ES|QL** — pipeline maps `User_Name` → `user.name`; no alternate query-time source | +| `host.ip` | `source.ip` | `data_stream.dataset == "qualys_vmdr.user_activity" AND source.ip IS NOT NULL` | high | **column-level preserve** + **fallback** — actor client (`User_IP` → `source.ip`); not scanned asset | +| `service.name` | `qualys_vmdr.asset_host_detection.vulnerability.latest_vulnerability_detection_source` | `data_stream.dataset == "qualys_vmdr.asset_host_detection" AND qualys_vmdr.asset_host_detection.vulnerability.latest_vulnerability_detection_source IS NOT NULL` | medium | **column-level preserve** + **vendor fallback**; e.g. 
`"Cloud Agent"` — detection mechanism, not human principal | + +#### Target mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `service.target.name` | `"Qualys VMDR"` | `data_stream.dataset == "qualys_vmdr.user_activity" AND event.action == "login"` | low | **semantic literal**; fallback only when `NOT target_exists` | +| `service.target.name` | `message` | `data_stream.dataset == "qualys_vmdr.user_activity" AND event.action == "request" AND message IS NOT NULL` | high | **column-level preserve** + **fallback** — API path from `Details` (fixture: `/api/2.0/fo/activity_log/index.php`) | +| `host.target.id` | `host.id` | `data_stream.dataset == "qualys_vmdr.asset_host_detection" AND host.id IS NOT NULL` | high | **column-level preserve** + **fallback** — inventory subject; not audit acted-upon host | +| `host.target.name` | `host.name` | `data_stream.dataset == "qualys_vmdr.asset_host_detection" AND host.name IS NOT NULL` | high | **column-level preserve** + **fallback** | +| `host.target.ip` | `host.ip` | `data_stream.dataset == "qualys_vmdr.asset_host_detection" AND host.ip IS NOT NULL` | high | **column-level preserve** + **fallback**; `host.ip` may be multivalue in fixtures | +| `entity.target.id` | `event.id` | `data_stream.dataset == "qualys_vmdr.asset_host_detection" AND event.id IS NOT NULL` | high | **column-level preserve** + **fallback** — `unique_vuln_id` detection instance | + +`actor_exists` uses `user.name` and `source.ip` (not `user.id`) because ingest maps Qualys `User_Name` → `user.name` only. **Actor/target `EVAL` blocks use column-level preserve** (` IS NOT NULL`, not `CASE(actor_exists|target_exists, , …)`) so a populated `user.name` does not block `user.id` ← `user.name` or `host.ip` ← `source.ip`, and one populated `host.target.id` does not block sibling `host.target.name` / `entity.target.id` fallbacks (Pass 4 §10). 
+ +**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. Wrong: `CASE(user.id IS NOT NULL, user.id, user.name, null)` (4 args — `user.name` is a **condition**, not a value). Wrong: `CASE(actor_exists, user.id, user.name, null)` (same). Right: **5-arg** `CASE(user.id IS NOT NULL, user.id, data_stream.dataset == "qualys_vmdr.user_activity" AND user.name IS NOT NULL, user.name, null)`. + +### Detection flags (mandatory — run first) + +```esql +| EVAL + actor_exists = user.name IS NOT NULL OR user.roles IS NOT NULL + OR source.ip IS NOT NULL + OR service.name IS NOT NULL OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +``` + +### Optional classification helpers (when needed) + +Set in **fallback** only when `entity.target.type` is empty: + +```esql +| EVAL + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "qualys_vmdr.user_activity" AND event.action == "login", "service", + data_stream.dataset == "qualys_vmdr.user_activity" AND event.action == "request", "service", + data_stream.dataset == "qualys_vmdr.user_activity" AND event.provider == "host_attribute", "host", + data_stream.dataset == "qualys_vmdr.asset_host_detection", "host", + null + ) +``` + +### Combined ES|QL — actor fields + +```esql +| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset == "qualys_vmdr.user_activity" AND user.name IS NOT NULL, user.name, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "qualys_vmdr.user_activity" AND source.ip IS NOT NULL, 
source.ip, + null + ), + service.name = CASE( + service.name IS NOT NULL, service.name, + data_stream.dataset == "qualys_vmdr.asset_host_detection" AND qualys_vmdr.asset_host_detection.vulnerability.latest_vulnerability_detection_source IS NOT NULL, qualys_vmdr.asset_host_detection.vulnerability.latest_vulnerability_detection_source, + null + ) +``` + +### Combined ES|QL — event action + +Omitted — **`qualys_vmdr.user_activity`** always sets `event.action` from vendor `Action` at ingest (`user_activity/.../default.yml` L57–60). No `event.action` on **`asset_host_detection`** or **`knowledge_base`** (inventory/reference sync). + +### Combined ES|QL — target fields + +```esql +| EVAL + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "qualys_vmdr.user_activity" AND event.action == "login", "Qualys VMDR", + data_stream.dataset == "qualys_vmdr.user_activity" AND event.action == "request" AND message IS NOT NULL, message, + null + ), + host.target.id = CASE( + host.target.id IS NOT NULL, host.target.id, + data_stream.dataset == "qualys_vmdr.asset_host_detection" AND host.id IS NOT NULL, host.id, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "qualys_vmdr.asset_host_detection" AND host.name IS NOT NULL, host.name, + null + ), + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset == "qualys_vmdr.asset_host_detection" AND host.ip IS NOT NULL, host.ip, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "qualys_vmdr.asset_host_detection" AND event.id IS NOT NULL, event.id, + null + ) +``` + +### Full pipeline fragment (optional) + +```esql +FROM logs-* +| EVAL + actor_exists = user.name IS NOT NULL OR user.roles IS NOT NULL OR source.ip IS NOT NULL + OR service.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT 
NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +| EVAL + user.id = CASE(user.id IS NOT NULL, user.id, data_stream.dataset == "qualys_vmdr.user_activity" AND user.name IS NOT NULL, user.name, null), + host.ip = CASE(host.ip IS NOT NULL, host.ip, data_stream.dataset == "qualys_vmdr.user_activity" AND source.ip IS NOT NULL, source.ip, null), + service.name = CASE(service.name IS NOT NULL, service.name, data_stream.dataset == "qualys_vmdr.asset_host_detection" AND qualys_vmdr.asset_host_detection.vulnerability.latest_vulnerability_detection_source IS NOT NULL, qualys_vmdr.asset_host_detection.vulnerability.latest_vulnerability_detection_source, null) +| EVAL + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "qualys_vmdr.user_activity" AND event.action == "login", "Qualys VMDR", + data_stream.dataset == "qualys_vmdr.user_activity" AND event.action == "request" AND message IS NOT NULL, message, + null + ), + host.target.id = CASE(host.target.id IS NOT NULL, host.target.id, data_stream.dataset == "qualys_vmdr.asset_host_detection" AND host.id IS NOT NULL, host.id, null), + host.target.name = CASE(host.target.name IS NOT NULL, host.target.name, data_stream.dataset == "qualys_vmdr.asset_host_detection" AND host.name IS NOT NULL, host.name, null), + host.target.ip = CASE(host.target.ip IS NOT NULL, host.target.ip, data_stream.dataset == "qualys_vmdr.asset_host_detection" AND host.ip IS NOT NULL, host.ip, null), + entity.target.id = CASE(entity.target.id IS NOT NULL, entity.target.id, data_stream.dataset == "qualys_vmdr.asset_host_detection" AND event.id IS NOT NULL, event.id, null) +| KEEP @timestamp, data_stream.dataset, event.action, event.provider, user.id, user.name, host.ip, 
service.target.name, host.target.id, entity.target.id, message +``` + +### Streams excluded + +- **`qualys_vmdr.knowledge_base`** — QID reference-catalog sync; no per-event `event.action`, no audit actor/target chain; `qualys_vmdr.knowledge_base.last.customization.user_login` is KB metadata only. + +### Gaps and limitations + +- **`user.name`** — **ingest-only**; omit from actor `EVAL` (no tautological `CASE(actor_exists, user.name, …, user.name, null)`). +- **`event.action` fallback** — not needed on **user_activity**; ingest always maps `Action` → `event.action`. Inventory streams have no action candidates. +- **`user.email` / `user.domain`** — not indexed; mark **gap — not extractable** unless future pipeline adds email. +- **Host/network targets on `user_activity`** — host IPs (`11.11.11.4`) and network names (`'abc'`) exist only in unparsed `message`/`Details`; omit `host.target.*` / `entity.target.*` at query time — prefer ingest grok keyed by `event.provider` + `event.action` (Pass 2 enhancement). +- **`set` / `add` / `create` configuration targets** — free-text `message` only; `entity.target.type` may classify as `host` for `host_attribute` but no reliable `host.target.ip` without ingest parsing. +- **`source.ip` is actor client** — maps to `host.ip` in actor fallback only; never to `host.target.ip` on audit events. +- **`cloud.service.name` on findings** — reflects scanned cloud workload type (e.g. EC2), not Qualys VMDR platform on **user_activity** login. +- **Pass 2 enhancement alignment** — structured `host.target.*` / `entity.target.*` from `Details` at ingest remains preferred; Pass 4 fills gaps without overwriting populated values. +- **Pass 4 CASE syntax** — column-level `IS NOT NULL` preserve on all mapped columns; odd-arity defaults (`null`); no `CASE(actor_exists|target_exists, , …)`; vendor fallbacks guarded with `IS NOT NULL` on source fields; full pipeline fragment aligned with combined `EVAL` blocks (includes `host.target.ip`). 
Detection flags are helpers only. +- **Unscoped `FROM logs-*`** — dataset routing lives in `CASE` fallback conditions (`data_stream.dataset == …`), not a top-level `WHERE`. diff --git a/dev/domain/p1/salesforce.md b/dev/domain/p1/salesforce.md new file mode 100644 index 00000000000..b609d92d24f --- /dev/null +++ b/dev/domain/p1/salesforce.md 
@@ -0,0 +1,523 @@
+# salesforce
+
+## Product Domain (Salesforce CRM SaaS)
+
+Salesforce is a cloud-based customer relationship management (CRM) platform delivered as SaaS. Organizations use it to manage sales pipelines, marketing campaigns, customer service cases, commerce operations, and IT workflows from a unified, multi-tenant environment accessible via web UI, mobile apps, and APIs. The platform is structured around orgs (tenants), users with profiles and permission sets, standard and custom objects, and an extensible application layer built on Apex (Salesforce's proprietary programming language) and declarative automation.
+
+At its core, Salesforce functions as a system of record for customer and business data, with deep customization through metadata configuration in Setup (security settings, connected apps, permission sets, workflows, and integrations). Developers extend the platform with Apex classes, triggers, REST/SOAP APIs, and external callouts. Real-Time Event Monitoring and EventLogFile provide audit and performance telemetry for authentication, application execution, and administrative changes—critical surfaces for security and operational visibility.
+
+From a security and compliance perspective, Salesforce generates structured logs for user authentication (login and logout), Apex execution (callouts, triggers, REST/SOAP API usage), and Setup changes (SetupAuditTrail). These events capture user identity, session context, client IP, API version, TLS details, transaction security policy outcomes, and configuration change descriptions. Security teams monitor Salesforce orgs to detect unauthorized access, anomalous login patterns, privileged Setup modifications, and application performance or abuse. 
+
+The Elastic Salesforce integration ingests these logs via Elastic Agent using the Salesforce input, querying the REST API with SOQL over EventLogFile, Real-Time Event Monitoring platform events (`LoginEvent`, `LogoutEvent`), and the `SetupAuditTrail` object. OAuth 2.0 authentication is supported through a Connected App using JWT bearer or Username-Password flows. Collection is interval-based with cursors for deduplication and optional historical backfill. Events are normalized into ECS-aligned fields for SIEM correlation, authentication monitoring, audit trail analysis, and Apex performance observability.
+
+## Data Collected (brief)
+
+- **Login events** (`salesforce.login`): User authentication activity from EventLogFile or `LoginEvent` platform events, including username, user ID, login status, client IP, browser/user agent, TLS cipher and protocol, API type/version, login key, session context, transaction security policy evaluation, and request timing metrics.
+- **Logout events** (`salesforce.logout`): User session termination from EventLogFile or `LogoutEvent` platform events, including user ID, login key, session type/level, client IP, platform and application type, user-initiated vs timeout logout, and API metadata.
+- **Apex events** (`salesforce.apex`): Apex execution telemetry from EventLogFile, covering event types such as `ApexCallout`, `ApexExecution`, `ApexRestApi`, `ApexSoap`, `ApexTrigger`, and `ExternalCustomApexCallout`, with CPU/run time, SOQL query details, trigger/class names, HTTP method and URL for callouts, request/response sizes, and user/org identifiers.
+- **Setup audit trail** (`salesforce.setupaudittrail`): Administrative changes in the org Setup area (up to 180 days), including action type, section (e.g., Manage Users, Connected Apps), display description, created-by user/context, and delegate user for Login-As actions.
+
+## Expected Audit Log Entities
+
+The integration has four data streams with mixed audit semantics. 
**`salesforce.setupaudittrail`** is a true administrative audit log (Setup changes, up to 180 days). **`salesforce.login`** and **`salesforce.logout`** are authentication audit-adjacent events from Real-Time Event Monitoring (`LoginEvent`/`LogoutEvent` Object API) or EventLogFile CSV. **`salesforce.apex`** is Apex execution telemetry (callouts, triggers, REST/SOAP) — performance and API-usage observability rather than IAM configuration audit. No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*` fields are populated; no `destination.user.*` / `destination.host.*` in any pipeline (`destination_identity_hits.csv` has no salesforce row). The target-fields audit classifies salesforce as **`none`** with all heuristic flags false (`dev/target-fields-audit/out/target_enhancement_packages.csv`).
+
+Evidence: `packages/salesforce/data_stream/{setupaudittrail,login,logout,apex}/sample_event.json`, `_dev/test/pipeline/*-expected.json`, `elasticsearch/ingest_pipeline/*.yml`, `fields/fields.yml`.
+
+**Event action:** `event.action` is populated on **all four streams**. **`setupaudittrail`** copies vendor-native Setup action names (`insertConnectedApplication`, `changedUserEmailVerifiedStatusVerified`) from `Action`. **`login`** and **`logout`** use static pipeline values (`login-attempt`, `logout`) rather than vendor `EVENT_TYPE` (`Login`, `Logout`). **`apex`** normalizes `EVENT_TYPE` to slug labels (`apex-callout`, `apex-trigger`, `apex-execution`, `apex-rest`, `apex-soap`, `apex-external-custom-callout`); vendor `salesforce.apex.action` (e.g. `query` on ExternalCustomApexCallout) is retained but not copied to `event.action`. 
+
+### Event action (semantic)
+
+Salesforce events carry action at two levels: (1) **stream-level operation** — what class of activity occurred (login, logout, Setup change, Apex callout); (2) **Setup-specific admin action** or **Apex sub-operation** — granular vendor action on setupaudittrail (`Action`) or external callout query type (`salesforce.apex.action`). Level (1) maps to `event.action` on all streams today; level (2) is vendor-only except on setupaudittrail where vendor `Action` *is* `event.action`.
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `insertConnectedApplication` | administration | high | `event.action: "insertConnectedApplication"` in `setupaudittrail/sample_event.json` and `test-setupaudittrail.log-expected.json` | **`setupaudittrail`** — connected app creation in Setup |
+| `changedUserEmailVerifiedStatusVerified` | administration | high | `event.action: "changedUserEmailVerifiedStatusVerified"` in `test-setupaudittrail.log-expected.json` | **`setupaudittrail`** — user email verification status change |
+| `login-attempt` | authentication | high | Static pipeline value; all login fixtures (`test-login-eventlogfile.log-expected.json`, `test-login-object.log-expected.json`, `login/sample_event.json`) | **`login`** — Object and EventLogFile; outcome in `event.outcome`, not action |
+| `logout` | authentication | high | Static pipeline value; `logout/sample_event.json`, `test-logout-eventlogfile.log-expected.json`, `test-logout-object.log-expected.json` | **`logout`** — Object and EventLogFile |
+| `apex-callout` | api_call | high | `EVENT_TYPE: ApexCallout` → `event.action: "apex-callout"` in `apex/sample_event.json`, `test-apex.log-expected.json` | **`apex`** — outbound HTTP callout |
+| `apex-execution` | api_call | high | `EVENT_TYPE: ApexExecution` → `event.action: "apex-execution"` in `test-apex.log-expected.json` | **`apex`** — Apex code execution |
+| 
`apex-trigger` | api_call | high | `EVENT_TYPE: ApexTrigger` → `event.action: "apex-trigger"` in `test-apex.log-expected.json` | **`apex`** — trigger firing |
+| `apex-rest` | api_call | high | `EVENT_TYPE: ApexRestApi` → `event.action: "apex-rest"` in `test-apex.log-expected.json` | **`apex`** — Apex REST API |
+| `apex-soap` | api_call | high | `EVENT_TYPE: ApexSoap` → `event.action: "apex-soap"` in `test-apex.log-expected.json` | **`apex`** — Apex SOAP API |
+| `apex-external-custom-callout` | api_call | high | `EVENT_TYPE: ExternalCustomApexCallout` → `event.action: "apex-external-custom-callout"` in `test-apex.log-expected.json` | **`apex`** — external custom connector callout |
+| `query` (Apex sub-action) | data_access | high | `salesforce.apex.action: "query"` in ExternalCustomApexCallout fixture; **not** mapped to `event.action` | **`apex`** — sub-operation within external callout |
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? 
| Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `Action` → `event.action` | yes | yes | `insertConnectedApplication`, `changedUserEmailVerifiedStatusVerified` | no | `setupaudittrail/default.yml` L88–91: rename `json.Action`; both values in `test-setupaudittrail.log-expected.json` |
+| Static `login-attempt` | yes | partial | `login-attempt` (normalized); vendor `Login` in `salesforce.login.event_type` unused | partial — consider appending vendor `LoginType` or `Status` for failed-login distinction | `login/default.yml` L43–45: static set after sub-pipelines; vendor `EVENT_TYPE: Login` in ELF fixtures only |
+| `salesforce.login.event_type` | no | n/a | `Login` | yes — alternate if static label removed | ELF pipeline `eventlogfile.yml` L94–96; `login/sample_event.json` |
+| `salesforce.login.type` / `json.LoginType` | no | n/a | varies by Object login | yes — enrich static action with login channel (UI, API, SSO) | Object pipeline `object.yml` L54–57; not in ELF fixtures |
+| Static `logout` | yes | partial | `logout` (normalized); vendor `Logout` in `salesforce.logout.event_type` unused | partial — static label is semantically correct | `logout/default.yml` L43–45 |
+| `salesforce.logout.event_type` | no | n/a | `Logout` | yes — alternate if static label removed | ELF pipeline `eventlogfile.yml` L51–53; `logout/sample_event.json` |
+| `salesforce.apex.event_type` → `event.action` | yes | yes | `apex-callout`, `apex-execution`, `apex-trigger`, `apex-rest`, `apex-soap`, `apex-external-custom-callout` | no | `apex/default.yml` L174–191: painless map from lowercased `event_type` |
+| `salesforce.apex.action` | no | n/a | `query` (ExternalCustomApexCallout fixture) | yes — sub-action for external callouts; could append to `event.action` or use `event.type` | Painless rename `ACTION` → `salesforce.apex.action` L79–114; fixture in `test-apex.log-expected.json` |
+| `http.request.method` | no | n/a | `GET` (ApexCallout fixtures) | no — HTTP method is callout 
context, not Apex event class | `apex/default.yml` L261–264; paired with `event.action: apex-callout` |
+| `event.type`, `event.category` | partial | yes | `event.type: ["admin"]` (setupaudittrail); `["authentication"]` category on login/logout; `["network"]` on apex callouts | no | Complements but does not replace `event.action`; distinct semantics per ECS Event field set |
+
+**Per-stream action summary (Step 2b):**
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `salesforce.setupaudittrail` | yes | yes | `Action` → `event.action` | high | `insertConnectedApplication`, `changedUserEmailVerifiedStatusVerified` in sample + expected fixtures |
+| `salesforce.login` (Object + EventLogFile) | yes | yes (static) | static `login-attempt` | high | All login fixtures; vendor `EVENT_TYPE`/`LoginType` not used for action |
+| `salesforce.logout` (Object + EventLogFile) | yes | yes (static) | static `logout` | high | All logout fixtures; vendor `EVENT_TYPE: Logout` retained vendor-only |
+| `salesforce.apex` | yes | yes | `salesforce.apex.event_type` → normalized slug | high | Six event types mapped in `default.yml` L179–185; all present in `test-apex.log-expected.json` |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Setup change author | user | — | high | `CreatedById` → `salesforce.setup_audit_trail.created_by_id` + `user.id`; fixtures: `0055j000000utlPAAQ`, `1234j000000q9s7ABC` | **`setupaudittrail`** — canonical admin actor for Setup changes |
+| Login-As delegate | user | — | high | `DelegateUser` → `salesforce.setup_audit_trail.delegate_user`; fixture: `user1` on `insertConnectedApplication` | **`setupaudittrail`** — admin acting via Login-As; vendor-only, not mapped to ECS `user.*` |
+| Automated / platform actor context | 
service | — | medium | `CreatedByContext` → `salesforce.setup_audit_trail.created_by_context`; fixture: `Einstein` | **`setupaudittrail`** — cloud-to-cloud or platform automation; supplementary to `created_by_id` |
+| Managed-package actor | service | — | low | `ResponsibleNamespacePrefix` → `salesforce.setup_audit_trail.responsible_namespace_prefix`; field defined, null in fixtures | **`setupaudittrail`** — installed package namespace that initiated the change |
+| Authenticating user | user | — | high | `UserId`/`USER_ID_DERIVED` → `user.id`; `Username`/`USER_NAME` → `user.email`; `UserType`/`USER_TYPE` → `user.roles`; fixtures: `user.name@email.com`, `salesforceinstance@devtest.in` | **`login`**, **`logout`** — primary actor from Object platform events and EventLogFile |
+| SSO / IdP context | general | identity provider | medium | `AuthServiceId` → `salesforce.login.auth.service_id`; `AuthMethodReference` → `salesforce.login.auth.method_reference` | **`login`** (Object only) — third-party SSO metadata; vendor-only |
+| Client source IP | host | — | high | `SourceIp`/`CLIENT_IP`/`SOURCE_IP` → `source.ip` (+ geo); `salesforce.login.client.ip` on EventLogFile login; `related.ip` on login/apex | **`login`**, **`logout`**, **`apex`** — network origin, not a Salesforce identity |
+| Client user agent / platform | host | — | high | Object: `Browser`/`Platform` → `user_agent.*`; EventLogFile login: `BROWSER_TYPE` → full UA parse; logout ELF: `browser_type`/`platform_type` vendor-only | **`login`**, **`logout`** — client environment context |
+| Apex execution user | user | — | high | `USER_ID` → `user.id`; `USER_ID_DERIVED` → `salesforce.apex.user_id_derived` (vendor-only); fixtures: `0055j000000utlP`, `0055j000000PQ01` | **`apex`** — Salesforce user whose session triggered Apex execution |
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? 
| Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `user.id` | Setup author or auth/Apex session user | yes | partial | high | setupaudittrail: `copy_from` `created_by_id` (`default.yml` L120–124); login/logout: `UserId`/`USER_ID_DERIVED` rename; apex: `USER_ID` rename — on setupaudittrail, `user.id` is always the author even when display text names a different affected user |
+| `user.email` / `user.name` / `user.domain` | Auth user email or dissected display identity | yes | partial | high | login/logout: `Username`/`USER_NAME` → `user.email` (correct actor); setupaudittrail: dissect of `display` `For user %{user.name}, …` overwrites into `user.email`/`user.name`/`user.domain` (L125–140) — semantically the **target user** on Manage Users actions, not the author |
+| `user.roles` | Salesforce user type | yes | yes | high | login Object: append `UserType`; login ELF: set from `USER_TYPE`; apex: append `USER_TYPE`; logout ELF: `salesforce.logout.user.roles` only (not ECS `user.roles`) |
+| `related.user` | Identity enrichment bag | yes | partial | high | setupaudittrail: appends `user.id`, `user.name`, `user.email` (L141–158) — mixes author ID with target email/name when display pattern matches |
+| `source.ip` / `source.geo` | Client network origin | yes | yes | high | login Object: `SourceIp` convert + geo from LoginGeo fields; login ELF: `SOURCE_IP` (skips `Salesforce.com IP`); logout/apex: `CLIENT_IP` with same skip rule |
+| `user_agent.*` | Client browser/OS | partial | yes | high | login Object: `Browser`/`Platform` → `user_agent.name`/`user_agent.os.name`; login ELF: `user_agent` processor on `BROWSER_TYPE` |
+| `salesforce.setup_audit_trail.delegate_user` | Login-As delegate actor | no (vendor-only) | n/a | high | `DelegateUser` rename; fixture `user1`; should map to secondary actor, not target |
+| `salesforce.setup_audit_trail.created_by_context` | Automation/service context | no (vendor-only) | n/a | medium | `CreatedByContext`; fixture 
`Einstein` |
+| `salesforce.setup_audit_trail.created_by_issuer` | Reserved issuer identity | no (vendor-only) | n/a | low | Defined in fields.yml; null in fixtures |
+| `salesforce.login.auth.service_id` / `.method_reference` | SSO IdP reference | no (vendor-only) | n/a | medium | Object login pipeline; ELF maps `AUTHENTICATION_METHOD_REFERENCE` to `auth.service_id` only |
+| `salesforce.apex.user_id_derived` | Derived session user ID | no (vendor-only) | n/a | high | Painless rename in apex pipeline; often differs from `user.id` (`USER_ID`) in same event |
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Platform / cloud service | Salesforce CRM SaaS org being accessed or configured | Salesforce CRM | service | — | medium | No `cloud.service.name` or `cloud.provider` in pipeline; platform inferred from integration context and `event.module: salesforce` | All streams operate within a Salesforce org tenant |
+| 2 — Resource / object | Setup entity, org tenant, connected app, Apex artifact, or external endpoint | Setup config, org, connected app, Apex class/trigger, SObject | varies | setup_entity, org, connected_app, apex_artifact, sobject | high | setupaudittrail: `event.action` + `section` + `display`; login: `salesforce.login.application`, `organization_id`; apex: `class_name`, `trigger_name`, `entity_name`, `event.url` | Primary audit targets; mostly vendor-namespaced |
+| 3 — Content / artifact | Session handles, policy outcomes, callout request/response metadata | login key, transaction-security policy, HTTP callout | general | session, policy, api_request | medium | `salesforce.login.key`, `salesforce.login.transaction_security.*`, `http.request.*`/`http.response.*` on apex callouts | Correlation and payload context, not durable identity |
+
+**Layer 2 detail by stream:**
+
+| Entity | Classification | 
Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Setup configuration object | general | setup_entity | high | `Action` → `event.action` (`insertConnectedApplication`, `changedUserEmailVerifiedStatusVerified`); `Section` → `salesforce.setup_audit_trail.section`; `Display` → `salesforce.setup_audit_trail.display` | **`setupaudittrail`** — target type implied by action + section + display text; no separate target ID |
+| Affected Salesforce user | user | — | medium | Display `For user {email}, …` dissected into `user.email`/`user.name`; fixtures: `user@elastic.co`, `abc.def@mail.com` | **`setupaudittrail`** — Manage Users actions; conflated into ECS `user.*` (see gaps) |
+| Salesforce organization (tenant) | general | org | high | `ORGANIZATION_ID` → `salesforce.{login,logout,apex}.organization_id`; fixture: `00D5j000000VI3n` | **`login`**, **`logout`**, **`apex`** (EventLogFile) — org scope, not Setup object |
+| Login endpoint / My Domain | general | URL | high | Object: `LoginUrl` → `event.url` (`login.salesforce.com`, custom My Domain); ELF: `URI` → `event.url` (`/index.jsp`) | **`login`** — authentication entry point |
+| Connected application | general | connected_app | medium | `Application` → `salesforce.login.application`; fixtures: `elastic integration`, `testing_salesforce` | **`login`** (Object only) — OAuth connected app used for login |
+| External HTTP endpoint (Apex callout) | general | URL | high | `URL` → `event.url`; fixture: `https://temp.website.here.sh/odata/Random`; `METHOD` → `http.request.method` | **`apex`** (`ApexCallout`, `ExternalCustomApexCallout`) |
+| Apex class / trigger / SObject | general | apex_artifact / sobject | medium | `salesforce.apex.class_name` (`ContactResource`), `trigger_name` (`HelloWorldTrigger`), `entity_name` (`Book__c`, `HealthcareBlog`) | **`apex`** — varies by `event.action` |
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | 
Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `event.action` | 2 | general | yes | yes (action context) | context-only | no | setupaudittrail: `Action` rename (`insertConnectedApplication`, …); apex: derived from `event_type` (`apex-callout`, `apex-trigger`, …); login/logout: static `login-attempt`/`logout` |
+| `salesforce.setup_audit_trail.section` | 2 | general | no | n/a | `entity.target.type` (Setup section) | yes | `Connected Apps`, `Manage Users` in fixtures |
+| `salesforce.setup_audit_trail.display` | 2 | general | no | n/a | `entity.target.description` | yes | Full human-readable change description; canonical Setup target narrative |
+| `user.email` / `user.name` (from display dissect) | 2 | user | yes | no | `user.target.email` / `user.target.name` | yes | setupaudittrail pipeline L125–140: parses **affected user** from display text but writes to actor ECS fields; fixture author `0055j000000utlPAAQ` vs target email `user@elastic.co` |
+| `salesforce.setup_audit_trail.delegate_user` | 2 | user | no | n/a | `user.target.name` (Login-As subject) or secondary actor | partial | yes | Fixture `user1` on connected-app insert — delegate is actor proxy, not target |
+| `salesforce.login.organization_id` | 2 | general | partial | yes | context-only (tenant scope) | no | ELF login fixture `00D5j000000VI3n`; org being authenticated into |
+| `salesforce.logout.organization_id` | 2 | general | partial | yes | context-only (tenant scope) | no | ELF logout pipeline only |
+| `salesforce.apex.organization_id` | 2 | general | no | n/a | context-only (tenant scope) | no | All apex fixtures |
+| `event.url` | 2 | general | partial | yes | context-only / `entity.target.reference` | partial | login: login host or URI path; apex callout: external URL; apex execution: internal URI (`/home/home.jsp`, `APEXSOAP`) |
+| `salesforce.login.application` | 2 | general | 
partial | yes | `service.target.entity.name` (connected app) | yes | Object login fixtures: `elastic integration`, `testing_salesforce` |
+| `salesforce.login.key` / `.history_id` / `.geo_id` | 3 | general | partial | yes | context-only | no | Session correlation handles on login |
+| `salesforce.login.transaction_security.policy.id` / `.outcome` | 3 | general | no | n/a | context-only | no | Defined in fields.yml; null in fixtures |
+| `salesforce.apex.class_name` / `.method_name` | 2 | general | no | n/a | `service.target.entity.name` | yes | ApexSoap fixture: `ContactResource` / `getContactIdAndNames` |
+| `salesforce.apex.trigger_name` / `.trigger_id` | 2 | general | no | n/a | `service.target.entity.id` | yes | ApexTrigger fixture: `HelloWorldTrigger` / `01q5j000000ClvF` |
+| `salesforce.apex.entity` / `.entity_name` | 2 | general | no | n/a | `entity.target.name` | yes | `HealthcareBlog`, `Book__c` in fixtures |
+| `http.request.method` / `.bytes`, `http.response.*` | 3 | general | partial | yes | context-only | no | Apex callout/REST fixtures |
+
+No `cloud.service.name`, `cloud.provider`, or `destination.user.*` / `destination.host.*` candidates exist in this package.
+
+### Gaps and mapping notes
+
+- **`event.action` gaps on login/logout:** Static `login-attempt` / `logout` labels are semantically correct but discard vendor `EVENT_TYPE` (`Login`, `Logout`) and Object `LoginType`. Enhancement: enrich with `salesforce.login.type` or map vendor event type as secondary context; distinguish failed vs successful login via `event.outcome` (already set) rather than action label.
+- **`salesforce.apex.action` not promoted:** ExternalCustomApexCallout events carry sub-operation `query` in vendor field but `event.action` stays at event-class level (`apex-external-custom-callout`). Enhancement: append sub-action or map to `event.type`. 
+- **No ECS `*.target.*` today** — Setup targets stay in `salesforce.setup_audit_trail.*`; Apex targets in `salesforce.apex.*`; login targets mostly vendor-only. Enhancement: map display-dissected identity to `user.target.*`, connected apps to `service.target.entity.name`, Apex artifacts to `entity.target.*` / `service.target.*`.
+- **No `destination.user.*` / `destination.host.*`** — unlike email/auth integrations, Salesforce does not use destination fields as de-facto targets; target identity is vendor-only or mis-mapped into `user.*`.
+- **Actor/target conflation on setupaudittrail** — pipeline sets `user.id` from `created_by_id` (author) then dissects `display` into `user.email`/`user.name` (often the **affected user**). Fixture `insertConnectedApplication`: author `0055j000000utlPAAQ` but `user.email=user@elastic.co` is the verification target (`Mapping correct?`: no for `user.email`/`user.name` on this stream).
+- **`related.user` mixes actor and target** — appends author `user.id` plus dissected target `user.name`/`user.email` without distinction.
+- **`salesforce.setup_audit_trail.delegate_user` unmapped** — Login-As delegate is vendor-only; should enrich actor model (`user.*` secondary or dedicated field), not target.
+- **Login actor/target overlap** — on successful self-login, the same `user.*` describes principal and implicit org target; no separate target user field. Failed logins still populate actor from `UserId`/`Username`.
+- **Logout Object stream gaps** — `user.email`/`user.id` mapped but `user.roles` not populated (ELF stores roles under `salesforce.logout.user.roles` only).
+- **Apex is telemetry, not IAM audit** — actor is session user; targets are execution artifacts (URL, class, trigger, SObject). `USER_ID` vs `user_id_derived` divergence is vendor-only for the derived ID. 
+- **Target-fields audit alignment** — classified `none` with all heuristic flags false despite clear `user.*` actor mappings and rich vendor target fields; audit CSV understates setupaudittrail actor/target split and login connected-app targets.
+
+### Per-stream notes
+
+#### `salesforce.setupaudittrail`
+
+True admin audit from `SetupAuditTrail` SOQL. **Action:** vendor `Action` → `event.action` with native Setup operation names (`insertConnectedApplication`, `changedUserEmailVerifiedStatusVerified`). Actor: `created_by_id` → `user.id`. Supplementary actor context: `delegate_user`, `created_by_context`, `responsible_namespace_prefix` (vendor-only). Target: `event.action` + `section` + `display` text; affected users parsed from display pattern into ECS `user.email`/`user.name` (mis-mapped). Event type `admin`.
+
+#### `salesforce.login`
+
+Authentication events from Object (`LoginEvent`) or EventLogFile CSV. **Action:** static `event.action: login-attempt`; vendor `salesforce.login.event_type: Login` (ELF) and `salesforce.login.type` (Object) not used for action; `event.outcome` captures success/failure. Dual pipeline routing via `event.provider`. Actor: `user.id`, `user.email`, `user.roles`, `source.ip`, `user_agent.*`. Target Layer 2: org (`organization_id`), login URL (`event.url`), connected app (`salesforce.login.application`, Object only). Layer 3: session keys, transaction-security policy fields.
+
+#### `salesforce.logout`
+
+Session termination; mirrors login actor semantics on Object source (`user.id`, `user.email`, `source.ip`). **Action:** static `event.action: logout`; vendor `salesforce.logout.event_type: Logout` retained but not copied. EventLogFile adds org ID, session type/level, platform/browser metadata (mostly vendor-only). No separate target beyond org scope.
+
+#### `salesforce.apex`
+
+Apex execution telemetry from EventLogFile (`ApexCallout`, `ApexExecution`, `ApexTrigger`, `ApexRestApi`, `ApexSoap`, `ExternalCustomApexCallout`). 
**Action:** `salesforce.apex.event_type` normalized to slug (`apex-callout`, `apex-trigger`, etc.); sub-operation `salesforce.apex.action` (e.g. `query`) vendor-only. Actor: `user.id` from `USER_ID`. Target varies by event type: external URL for callouts, class/trigger/SObject for code events, internal URI for execution/REST/SOAP. Performance metrics (`run_time`, `cpu_time`, SOQL counts) are observability dimensions, not audit targets.
+
+## Example Event Graph
+
+The examples below come from pipeline expected fixtures across three streams: **`salesforce.setupaudittrail`** (true admin audit), **`salesforce.login`** (authentication audit-adjacent), and **`salesforce.apex`** (Apex execution telemetry). Logout is omitted here because it mirrors login semantics with a static `logout` action and no distinct target beyond org scope.
+
+### Example 1: Setup user email verification change
+
+**Stream:** `salesforce.setupaudittrail` · **Fixture:** `packages/salesforce/data_stream/setupaudittrail/_dev/test/pipeline/test-setupaudittrail.log-expected.json`
+
+```
+Admin user (1234j000000q9s7ABC) → changedUserEmailVerifiedStatusVerified → affected user (abc.def@mail.com)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | `1234j000000q9s7ABC` |
+| type | user |
+
+**Field sources:**
+- `id` ← `user.id` (from `salesforce.setup_audit_trail.created_by_id` / vendor `CreatedById`)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | `changedUserEmailVerifiedStatusVerified` |
+| source_field | `event.action` |
+| source_value | `changedUserEmailVerifiedStatusVerified` |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| name | `abc.def@mail.com` |
+| type | user |
+| sub_type | setup_entity |
+
+**Field sources:**
+- `name` ← `user.email` (dissected from `salesforce.setup_audit_trail.display`: "For user abc.def@mail.com, …")
+- `sub_type` ← `salesforce.setup_audit_trail.section` (`Manage Users`)
+
+Note: the pipeline writes the affected user's email into 
ECS `user.email`, conflating actor and target on this stream (see Gaps).
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: 1234j000000q9s7ABC"] --> E["changedUserEmailVerifiedStatusVerified"]
+ E --> T["Target: abc.def@mail.com"]
+```
+
+### Example 2: Successful OAuth connected-app login
+
+**Stream:** `salesforce.login` · **Fixture:** `packages/salesforce/data_stream/login/_dev/test/pipeline/test-login-object.log-expected.json`
+
+```
+User (user.name@email.com) → login-attempt → Salesforce login endpoint + connected app
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | `0056j000000utlQAAR` |
+| name | `user.name@email.com` |
+| type | user |
+| geo | Surat, Gujarat, India |
+| ip | `89.160.20.112` |
+
+**Field sources:**
+- `id` ← `user.id` (vendor `UserId`)
+- `name` ← `user.email` (vendor `Username`)
+- `geo` ← `source.geo.city_name`, `source.geo.region_name`, `source.geo.country_name`
+- `ip` ← `source.ip` (vendor `SourceIp`)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | `login-attempt` |
+| source_field | `event.action` |
+| source_value | `login-attempt` |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| name | `login.salesforce.com` |
+| type | service |
+| sub_type | connected_app |
+
+**Field sources:**
+- `name` ← `event.url` (vendor `LoginUrl`)
+- `sub_type` ← `salesforce.login.application` (`elastic integration`)
+
+On successful self-login, the same `user.*` fields describe the principal; the org tenant (`salesforce.login.organization_id`) is implicit scope rather than a separate target identity in fixtures. 
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: user.name@email.com"] --> E["login-attempt"]
+ E --> T["Target: login.salesforce.com / elastic integration"]
+```
+
+### Example 3: Apex outbound HTTP callout
+
+**Stream:** `salesforce.apex` · **Fixture:** `packages/salesforce/data_stream/apex/_dev/test/pipeline/test-apex.log-expected.json`
+
+```
+Session user (0055j000000PQ01) → apex-callout → external OData endpoint
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | `0055j000000PQ01` |
+| type | user |
+| geo | London, England, United Kingdom |
+| ip | `81.2.69.142` |
+
+**Field sources:**
+- `id` ← `user.id` (vendor `USER_ID`)
+- `geo` ← `source.geo.city_name`, `source.geo.region_name`, `source.geo.country_name`
+- `ip` ← `source.ip` (vendor `CLIENT_IP`)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | `apex-callout` |
+| source_field | `event.action` |
+| source_value | `apex-callout` |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| name | `https://temp.website.here.sh/odata/Random` |
+| type | general |
+| sub_type | URL |
+
+**Field sources:**
+- `name` ← `event.url` (vendor `URL`)
+- `sub_type` inferred from callout semantics; HTTP method `GET` is in `http.request.method` (context, not target identity)
+
+This is Apex execution telemetry rather than IAM configuration audit; the external URL is the primary resource acted upon.
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: 0055j000000PQ01"] --> E["apex-callout"]
+ E --> T["Target: temp.website.here.sh/odata/Random"]
+```
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (policy template `salesforce`, four `data_stream/` directories with fixtures and ingest pipelines). Query-time extraction routes on **`data_stream.dataset`** (`salesforce.login`, `salesforce.logout`, `salesforce.setupaudittrail`, `salesforce.apex`). 
Pass 4 is fill-gaps-only: detection flags preserve existing `*.target.*` and indexed actor columns that are not conflated with setup targets. **`salesforce.setupaudittrail`** promotes display-dissected identity from `user.*` → `user.target.*`; **`salesforce.login`** / **`salesforce.apex`** fill `host.ip` and target columns from vendor fields; **`salesforce.logout`** gets `host.ip` + semantic `service.target.name` only.
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `salesforce.setupaudittrail` | admin audit | user | user, general | full |
+| `salesforce.login` | authentication | user, host | service, general | full |
+| `salesforce.logout` | authentication | user, host | service | partial |
+| `salesforce.apex` | Apex telemetry | user, host | general, service | full |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.id` | `salesforce.setup_audit_trail.created_by_id` | `data_stream.dataset == "salesforce.setupaudittrail"` | high | **vendor fallback** when `user.id` empty; login/logout/apex `user.id` from `UserId`/`USER_ID` at ingest — **ingest-only — no ES\|QL** |
+| `user.email` | — | `data_stream.dataset IN ("salesforce.login", "salesforce.logout")` | high | **ingest-only** — `Username`/`USER_NAME` → `user.email`; **omit from ES\|QL** |
+| `user.name` | `user.email` | `user.name IS NOT NULL` → preserve; else `data_stream.dataset IN ("salesforce.login", "salesforce.logout")` | high | Column-level preserve — do not gate on `actor_exists` when `user.email` holds principal identity |
+| `user.roles` | — | `data_stream.dataset IN ("salesforce.login", "salesforce.apex")` | high | **ingest-only** — `USER_TYPE`/`UserType` at ingest; **omit from ES\|QL** |
+| `host.ip` | `source.ip` | `data_stream.dataset IN 
("salesforce.login", "salesforce.logout", "salesforce.apex")` | high | **vendor fallback** — package indexes `source.ip`, not `host.ip` |
+
+**`actor_exists` predicate (tuned):** `user.id`, `user.roles`, `host.ip` only. Omits `user.email` / `user.name` because on **`salesforce.setupaudittrail`** those fields often hold **affected-user** identity from display dissect, not the author.
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.target.email` | `user.email` | `data_stream.dataset == "salesforce.setupaudittrail" AND salesforce.setup_audit_trail.display IS NOT NULL` | medium | **vendor fallback** — display dissect wrote affected user to `user.email` |
+| `user.target.name` | `user.name` | same | medium | **vendor fallback** |
+| `user.target.domain` | `user.domain` | same | medium | **vendor fallback** — dissected domain in fixtures |
+| `service.target.name` | `"Salesforce"` | `data_stream.dataset == "salesforce.login" AND event.action == "login-attempt"` | high | **semantic literal** — platform target (Pass 3); skipped when connected app present |
+| `service.target.name` | `salesforce.login.application` | `data_stream.dataset == "salesforce.login" AND salesforce.login.application IS NOT NULL` | high | **vendor fallback** — connected app (`elastic integration`, `testing_salesforce`) |
+| `service.target.name` | `"Salesforce"` | `data_stream.dataset == "salesforce.logout" AND event.action == "logout"` | low | **semantic literal** — org/session scope only in fixtures |
+| `entity.target.name` | `event.url` | `data_stream.dataset == "salesforce.login" AND event.action == "login-attempt"` | high | **vendor fallback** — login host / My Domain (`login.salesforce.com`, custom domain) |
+| `entity.target.name` | `event.url` | `data_stream.dataset == "salesforce.apex" AND event.action IN ("apex-callout", "apex-external-custom-callout")` | high | **vendor 
fallback** — external URL (`https://temp.website.here.sh/odata/Random`) |
+| `entity.target.name` | `salesforce.apex.entity` | `data_stream.dataset == "salesforce.apex" AND event.action == "apex-external-custom-callout"` | high | **vendor fallback** — SObject connector entity (`HealthcareBlog`) |
+| `entity.target.name` | `salesforce.apex.class_name` | `data_stream.dataset == "salesforce.apex" AND event.action IN ("apex-soap", "apex-rest", "apex-execution")` | high | **vendor fallback** — Apex class (`ContactResource`) |
+| `entity.target.name` | `salesforce.apex.trigger_name` | `data_stream.dataset == "salesforce.apex" AND event.action == "apex-trigger"` | high | **vendor fallback** — trigger name (`HelloWorldTrigger`) |
+| `entity.target.name` | `salesforce.apex.entity_name` | `data_stream.dataset == "salesforce.apex" AND salesforce.apex.entity_name IS NOT NULL` | high | **vendor fallback** — SObject (`Book__c`) |
+| `service.target.id` | `salesforce.apex.trigger_id` | `data_stream.dataset == "salesforce.apex" AND event.action == "apex-trigger"` | high | **vendor fallback** — trigger ID (`01q5j000000ClvF`) |
+| `entity.target.type` | literals / `salesforce.setup_audit_trail.section` | per-stream discriminators below | medium | **semantic literal** / section router in fallback only |
+
+### Detection flags (mandatory — run first)
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.roles IS NOT NULL OR host.ip IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+**Semantics:** `actor_exists` / `target_exists` are query-time helpers only — mapped columns use **column-level** `CASE( IS NOT NULL, , …)` 
(5-arg), not `CASE(actor_exists, col, …)` or `CASE(target_exists, col, …)`, so a flag true from another column does not skip vendor fallback. `user.name` preserves via `user.name IS NOT NULL`, else `user.email` on login/logout.
+
+### Optional classification helpers (when needed)
+
+`entity.target.type` and `entity.target.sub_type` are set in the **target** `EVAL` fallback branch only (never `target.entity.type`).
+
+### Combined ES|QL — actor fields
+
+```esql
+| EVAL
+ user.id = CASE(
+ user.id IS NOT NULL, user.id,
+ data_stream.dataset == "salesforce.setupaudittrail", salesforce.setup_audit_trail.created_by_id,
+ null
+ ),
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset IN ("salesforce.login", "salesforce.logout"), user.email,
+ null
+ ),
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset IN ("salesforce.login", "salesforce.logout", "salesforce.apex"), source.ip,
+ null
+ )
+```
+
+`user.id` on login/logout/apex, `user.email`, and `user.roles` are **not** listed — ingest always sets them (`UserId`/`USER_NAME`/`USER_TYPE`). A `CASE(actor_exists, user.id, …, user.id, null)` branch would be a no-op when empty.
+
+### Combined ES|QL — event action
+
+Omitted — `event.action` is populated at ingest on all four streams (static `login-attempt`/`logout`, `Action` rename on setupaudittrail, Apex `event_type` slug map). No alternate indexed vendor path at query time for fallback.
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ user.target.email = CASE(
+ user.target.email IS NOT NULL, user.target.email,
+ data_stream.dataset == "salesforce.setupaudittrail" AND salesforce.setup_audit_trail.display IS NOT NULL, user.email,
+ null
+ ),
+ user.target.name = CASE(
+ user.target.name IS NOT NULL, user.target.name,
+ data_stream.dataset == "salesforce.setupaudittrail" AND salesforce.setup_audit_trail.display IS NOT NULL, user.name,
+ null
+ ),
+ user.target.domain = CASE(
+ user.target.domain IS NOT NULL, user.target.domain,
+ data_stream.dataset == "salesforce.setupaudittrail" AND salesforce.setup_audit_trail.display IS NOT NULL, user.domain,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "salesforce.login" AND event.action == "login-attempt" AND salesforce.login.application IS NOT NULL, salesforce.login.application,
+ data_stream.dataset == "salesforce.login" AND event.action == "login-attempt", "Salesforce",
+ data_stream.dataset == "salesforce.logout" AND event.action == "logout", "Salesforce",
+ null
+ ),
+ service.target.id = CASE(
+ service.target.id IS NOT NULL, service.target.id,
+ data_stream.dataset == "salesforce.apex" AND event.action == "apex-trigger", salesforce.apex.trigger_id,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "salesforce.login" AND event.action == "login-attempt", event.url,
+ data_stream.dataset == "salesforce.apex" AND event.action == "apex-callout", event.url,
+ data_stream.dataset == "salesforce.apex" AND event.action == "apex-external-custom-callout" AND salesforce.apex.entity IS NOT NULL, salesforce.apex.entity,
+ data_stream.dataset == "salesforce.apex" AND event.action IN ("apex-soap", "apex-rest", "apex-execution") AND salesforce.apex.class_name IS NOT NULL, salesforce.apex.class_name,
+ data_stream.dataset == "salesforce.apex" AND event.action == 
"apex-trigger" AND salesforce.apex.trigger_name IS NOT NULL, salesforce.apex.trigger_name,
+ data_stream.dataset == "salesforce.apex" AND salesforce.apex.entity_name IS NOT NULL, salesforce.apex.entity_name,
+ null
+ ),
+ entity.target.type = CASE(
+ entity.target.type IS NOT NULL, entity.target.type,
+ data_stream.dataset == "salesforce.login" AND event.action == "login-attempt", "service",
+ data_stream.dataset == "salesforce.setupaudittrail" AND salesforce.setup_audit_trail.section == "Manage Users", "user",
+ data_stream.dataset == "salesforce.setupaudittrail" AND salesforce.setup_audit_trail.section == "Connected Apps", "connected_app",
+ data_stream.dataset == "salesforce.apex" AND event.action IN ("apex-callout", "apex-external-custom-callout"), "URL",
+ data_stream.dataset == "salesforce.apex" AND event.action == "apex-trigger", "apex_artifact",
+ data_stream.dataset == "salesforce.apex" AND event.action IN ("apex-soap", "apex-rest", "apex-execution"), "apex_artifact",
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "salesforce.login" AND event.action == "login-attempt" AND salesforce.login.application IS NOT NULL, "connected_app",
+ data_stream.dataset == "salesforce.setupaudittrail", salesforce.setup_audit_trail.section,
+ null
+ )
+```
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.roles IS NOT NULL OR host.ip IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ user.id = CASE(user.id IS NOT NULL, user.id, data_stream.dataset == 
"salesforce.setupaudittrail", salesforce.setup_audit_trail.created_by_id, null),
+ user.name = CASE(user.name IS NOT NULL, user.name, data_stream.dataset IN ("salesforce.login", "salesforce.logout"), user.email, null),
+ host.ip = CASE(host.ip IS NOT NULL, host.ip, data_stream.dataset IN ("salesforce.login", "salesforce.logout", "salesforce.apex"), source.ip, null)
+| EVAL
+ user.target.email = CASE(user.target.email IS NOT NULL, user.target.email, data_stream.dataset == "salesforce.setupaudittrail" AND salesforce.setup_audit_trail.display IS NOT NULL, user.email, null),
+ user.target.name = CASE(user.target.name IS NOT NULL, user.target.name, data_stream.dataset == "salesforce.setupaudittrail" AND salesforce.setup_audit_trail.display IS NOT NULL, user.name, null),
+ user.target.domain = CASE(user.target.domain IS NOT NULL, user.target.domain, data_stream.dataset == "salesforce.setupaudittrail" AND salesforce.setup_audit_trail.display IS NOT NULL, user.domain, null),
+ service.target.name = CASE(service.target.name IS NOT NULL, service.target.name, data_stream.dataset == "salesforce.login" AND event.action == "login-attempt" AND salesforce.login.application IS NOT NULL, salesforce.login.application, data_stream.dataset == "salesforce.login" AND event.action == "login-attempt", "Salesforce", data_stream.dataset == "salesforce.logout" AND event.action == "logout", "Salesforce", null),
+ service.target.id = CASE(service.target.id IS NOT NULL, service.target.id, data_stream.dataset == "salesforce.apex" AND event.action == "apex-trigger", salesforce.apex.trigger_id, null),
+ entity.target.name = CASE(entity.target.name IS NOT NULL, entity.target.name, data_stream.dataset == "salesforce.login" AND event.action == "login-attempt", event.url, data_stream.dataset == "salesforce.apex" AND event.action == "apex-callout", event.url, data_stream.dataset == "salesforce.apex" AND event.action == "apex-external-custom-callout" AND salesforce.apex.entity IS NOT NULL, 
salesforce.apex.entity, data_stream.dataset == "salesforce.apex" AND event.action IN ("apex-soap", "apex-rest", "apex-execution") AND salesforce.apex.class_name IS NOT NULL, salesforce.apex.class_name, data_stream.dataset == "salesforce.apex" AND event.action == "apex-trigger" AND salesforce.apex.trigger_name IS NOT NULL, salesforce.apex.trigger_name, data_stream.dataset == "salesforce.apex" AND salesforce.apex.entity_name IS NOT NULL, salesforce.apex.entity_name, null),
+ entity.target.type = CASE(entity.target.type IS NOT NULL, entity.target.type, data_stream.dataset == "salesforce.login" AND event.action == "login-attempt", "service", data_stream.dataset == "salesforce.setupaudittrail" AND salesforce.setup_audit_trail.section == "Manage Users", "user", data_stream.dataset == "salesforce.setupaudittrail" AND salesforce.setup_audit_trail.section == "Connected Apps", "connected_app", data_stream.dataset == "salesforce.apex" AND event.action IN ("apex-callout", "apex-external-custom-callout"), "URL", data_stream.dataset == "salesforce.apex" AND event.action == "apex-trigger", "apex_artifact", data_stream.dataset == "salesforce.apex" AND event.action IN ("apex-soap", "apex-rest", "apex-execution"), "apex_artifact", null),
+ entity.target.sub_type = CASE(entity.target.sub_type IS NOT NULL, entity.target.sub_type, data_stream.dataset == "salesforce.login" AND event.action == "login-attempt" AND salesforce.login.application IS NOT NULL, "connected_app", data_stream.dataset == "salesforce.setupaudittrail", salesforce.setup_audit_trail.section, null)
+| KEEP @timestamp, data_stream.dataset, event.action, user.id, user.name, host.ip, user.target.email, user.target.name, user.target.domain, service.target.name, service.target.id, entity.target.name, entity.target.type, entity.target.sub_type
+```
+
+### Streams excluded
+
+None — all four datasets receive at least partial extraction.
**`salesforce.logout`** is **partial** (semantic `service.target.name` + shared `host.ip`; no `user.target.*` or URL target in fixtures).
+
+### Gaps and limitations
+
+- **setupaudittrail ingest conflation** — `user.email`/`user.name` on actor ECS fields often describe the affected user; `user.target.*` promotion copies them only when `target_exists` is false.
+- **`user.id` on setupaudittrail** — author from `created_by_id` at ingest; never promoted to `user.target.id` (no affected-user ID in fixtures).
+- **`salesforce.setup_audit_trail.delegate_user`** — Login-As delegate; vendor-only, not `user.target.*`.
+- **`event.action`** — ingest-only on all streams; no ES|QL block.
+- **`user.domain` on login/logout** — not indexed; derive from email only if needed (not in ES|QL).
+- **`host.target.*` / `user.target.*` on login** — self-login tautology avoided; platform/connected-app targets use `service.target.*` and `entity.target.name` ← `event.url` per Pass 3.
+- **`salesforce.apex.user_id_derived`** — vendor-only; not wired to `user.id`.
+- **Pass 2 enhancement rows** (`salesforce.setup_audit_trail.display` → description, `cloud.service.name`) — no indexed ECS source; omitted rather than guessed.
diff --git a/dev/domain/p1/servicenow.md b/dev/domain/p1/servicenow.md
new file mode 100644
index 00000000000..99d207dc670
--- /dev/null
+++ b/dev/domain/p1/servicenow.md
@@ -0,0 +1,433 @@
+# servicenow
+
+## Product Domain (ServiceNow ITSM/ITOM)
+
+ServiceNow is a cloud-based enterprise platform for IT service management (ITSM), IT operations management (ITOM), and broader digital workflow automation. Organizations use it as a system of record for service delivery—handling incidents, problems, changes, service requests, and knowledge articles—while maintaining a Configuration Management Database (CMDB) that maps IT assets, applications, infrastructure, and their relationships. The platform is built on a multi-tenant instance model where data lives in relational tables exposed through REST Table APIs, workflow engines, and integrations with discovery and monitoring tools.
+
+At its core, ServiceNow ITSM covers the service lifecycle: incidents for unplanned interruptions, problems for root-cause analysis, change requests and tasks for controlled modifications, and the service catalog for standardized fulfillment (`sc_req_item`). ITOM extends this with CMDB configuration items (servers, VMs, databases, business applications, ESX/Hyper-V hosts, hardware), CI relationships, asset lifecycle records (`alm_hardware`), and location/organizational metadata. User and group tables (`sys_user`, `sys_user_group`, `sys_user_grmember`) underpin assignment, approval, and access context across workflows.
+
+From a security and operations perspective, ServiceNow table records capture who created or updated records, assignment and escalation history, priority/severity/impact, workflow state, and rich asset attributes (IP addresses, hostnames, OS versions, serial numbers, business criticality). Security teams monitor ServiceNow data to correlate IT tickets with infrastructure changes, track CMDB drift, investigate unauthorized configuration updates, and enrich SIEM investigations with authoritative service and asset context.
+
+The Elastic ServiceNow integration ingests table records via Elastic Agent using three collection modes: REST API polling (CEL input with Basic Auth or OAuth2), AWS S3 bucket polling, or AWS SQS notifications for S3 object delivery. Records are normalized into ECS-aligned fields for supported default tables, with table-specific ingest pipelines and Kibana dashboards for incidents, problems, changes, CMDB CIs, service catalog, users, knowledge, and hardware assets.
+
+## Data Collected (brief)
+
+- **Event records** (`servicenow.event`): Table rows from ServiceNow default or custom tables, each tagged by table name (e.g., `incident`, `cmdb_ci_server`). Fields are stored as `.value` and `.display_value` pairs matching the Table API schema, with `@timestamp` derived from a configurable timestamp field (default `sys_updated_on`).
+- **ITSM workflows**: Incidents, problems, change requests, change tasks, and service catalog request items—covering priority, severity, state, assignment, SLA timing, caller/requester, resolution notes, and approval history.
+- **CMDB and ITOM assets**: Configuration items across servers (Linux/Windows), VMs, databases, application servers, business applications, infrastructure services, CI relationships (`cmdb_rel_ci`), hardware/computer records, ESX/Hyper-V hosts, and task-to-CI associations (`task_ci`).
+- **Identity and organization**: Users, groups, group memberships, departments, and locations (`cmn_location`) with optional sensitive-field redaction (phone, address, etc.).
+- **Knowledge and asset management**: Knowledge base articles (`kb_knowledge`) and hardware asset lifecycle records (`alm_hardware`), including warranty, cost, and install status.
+- **Collection metadata**: Input type (`cel` or `aws-s3`), S3 bucket/object context when applicable, `sys_id` for deduplication, and ECS mappings for host, user, event, and related entity fields on supported tables.
+
+## Expected Audit Log Entities
+
+The ServiceNow integration does **not** ingest dedicated audit tables (`sys_audit`, `sysevent`, login history). The single stream **`servicenow.event`** delivers Table API **row snapshots** — each event is the current state of a record at poll time (`@timestamp` from configurable field, default `sys_updated_on`), not a discrete audit action. ITSM/CMDB/identity tables are **inventory and workflow state sync**, audit-adjacent at best: `sys_created_by` / `sys_updated_by` proxy who last touched the row but carry no field-level before/after deltas.
+
+No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*` fields are populated. No `destination.user.*` / `destination.host.*` in pipelines (not in `destination_identity_hits.csv`). Target-fields audit classifies servicenow as **`none`** — no pipeline actor/target tier-A mapping (`dev/target-fields-audit/out/target_enhancement_packages.csv`).
+
+**`event.action` is absent** in all fixtures and no ingest pipeline maps to it (grep across `packages/servicenow` returns no `event.action` references). Vendor fields `table_name`, `state`, `sys_class_name`, and `applied` (on `task_ci`) hold the closest operation context but remain vendor-only. Pipelines set `event.kind`, `event.type`, and `event.category` from table name — these describe record class, not the verb that caused the poll snapshot.
+
+Evidence: `packages/servicenow/data_stream/event/sample_event.json`, `_dev/test/pipeline/test-event.log-expected.json` (plus `test-event-aws.log-expected.json`, `test-event-mmdd.log-expected.json`, `test-event-aws-with-display-values.log-expected.json`), `elasticsearch/ingest_pipeline/default.yml` and table-specific pipelines, `fields/fields.yml`.
+
+### Event action (semantic)
+
+Each ingested event is a **Table API row snapshot** at poll time, not a discrete security or workflow action.
There is no native audit verb (create/update/delete/login) in the payload — only the record's current field values. The closest semantic signals are the **table polled** (`table_name`), **record class** (`sys_class_name`), **workflow state** (`state`), and on `task_ci` whether a CMDB baseline was **applied** (`applied` + `xml` deltas).
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| (table record sync) | data_access | high | All fixtures — poll delivers full row; `@timestamp` from `sys_updated_on` | **`event`** — no per-event verb; ingestion action is implicit Table API read/sync |
+| `Closed` / `In Progress` / workflow state | configuration_change | partial | Fixtures: incident `state.display_value: Closed` (`INC0000060`); change_request `state: Closed`; problem state values | **`event`** — **state snapshot**, not the action that closed/opened the ticket; do not treat as `event.action` without delta context |
+| `Approved` / `Not Yet Requested` / `Requested` | administration | partial | Fixtures: change_request `approval: Approved`; sc_req_item `approval: Requested`; incident `approval: Not Yet Requested` | **ITSM task tables** — approval status snapshot, not an approval event |
+| CMDB baseline applied | configuration_change | high | `task_ci` fixture: `applied: true`, `xml` with `` / `` oldValue/newValue pairs | **`task_ci`** — closest to a named change operation; baseline XML encodes field deltas but is not parsed into ECS |
+| `info` / `change` (ECS type) | — | partial | `default.yml` L143–152: `event.type: info` for CMDB tables; `change` for `change_task`; table pipelines append `info` | Pipeline-derived record classification — not a vendor action verb |
+| (none — inventory/asset sync) | — | high | CMDB CI fixtures (`cmdb_ci_server`, `alm_hardware`): `event.kind: asset`, `event.type: info` | **CMDB/asset tables** — asset state sync; no meaningful per-event action beyond table 
sync |
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `event.action` | no | n/a | — | yes | Not set in any pipeline or fixture |
+| `servicenow.event.table_name` | no | n/a | `incident`, `cmdb_ci_server`, `task_ci`, `sys_user`, … | yes | Primary sync-context candidate; fixtures tag every row (e.g. `sample_event.json`: `table_name: incident`); `default.yml` L70–72 rename only — no copy to `event.action` |
+| `servicenow.event.sys_class_name.display_value` | no | n/a | `Incident`, `Change Request`, `Server`, `User` | partial | Record class label; alternate when table name is generic (`cmdb_ci`); fixture: incident `sys_class_name: Incident` |
+| `servicenow.event.state.display_value` | no | partial | `Closed` | partial | Workflow state snapshot — **not** an action verb; use only as suffix if composing `table-sync` + state (e.g. 
`incident-state-closed`) |
+| `servicenow.event.approval.value` | no | partial | `approved`, `not requested`, `requested` | partial | ITSM approval status; fixture on change_request, sc_req_item, incident |
+| `servicenow.event.applied.value` | no | n/a | `true` | yes | **`task_ci`** only — CMDB change applied flag; fixture `applied: true` with baseline `xml` |
+| `event.type` | no | n/a | `info`, `change` | no | `default.yml` L143–152, table pipelines — record category, not action; do not substitute for `event.action` |
+| `event.category` | no | n/a | `configuration`, `threat`, `host`, `iam`, `database`, `package` | no | Table-routed categories (`default.yml` L154–193; `pipeline_incident.yml` L13–15); describes record domain |
+| `event.severity` | yes | yes | `3` (incident) | no | `pipeline_incident.yml` L206–208: `severity.value` → `event.severity`; records priority, not action |
+| `servicenow.event.sys_updated_by.*` | no | n/a | — | no | Identifies last modifier (actor), not the operation performed |
+
+**Step 2b — per-stream check:**
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `event` (all tables) | no | no | `servicenow.event.table_name` → e.g. `incident`, `cmdb_ci_server` | high | All fixtures; no `event.action` in `event` block; recommend static prefix `table-sync-` + table name if mapped |
+| `event` — `task_ci` | no | no | `servicenow.event.applied.value` → `cmdb-baseline-applied` when true | medium | `test-event.log-expected.json` task_ci row; baseline `xml` has `` / `` deltas |
+| `event` — ITSM tasks | no | no | `servicenow.event.state.display_value` as context only (e.g. 
`Closed`) | partial | Incident/change/problem/sc_req_item fixtures; state is snapshot, not verb |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Record creator | user | — | high | `sys_created_by` → `servicenow.event.sys_created_by` + `related.user`; fixtures: `employee`, `admin`, `glide.maint` | **All tables** — creator username; may be bootstrap/service account |
+| Record last updater | user | — | high | `sys_updated_by` → `servicenow.event.sys_updated_by` + `related.user`; fixtures: `admin`, `system`, `employee`, `developer.program.hop@snc` | **All tables** — last modifier on polled snapshot; closest proxy for change actor |
+| Task opener | user | — | high | `opened_by` → `user.name` (`default.yml` set_user_name_from_opened_by_display_value) + `related.user`; fixtures: `Joe Employee`, `Don Goodliffe` | **ITSM task tables** (`incident`, `problem`, `change_request`, `change_task`, `sc_req_item`) — ECS `user.name` is opener, not last updater |
+| Incident caller / requester | user | — | high | `caller_id` → `related.user` only (`pipeline_incident.yml`); fixture: `Joe Employee` on `INC0000060` | **`incident`** — affected/requesting user; semantically a **target** user, not action initiator |
+| Assignee | user | — | high | `assigned_to` → `related.user`; fixtures: `David Loo`, `Carol Coughlin` | **Task tables**, **`alm_hardware`** — current owner, not initiator |
+| Resolver / closer / reopener | user | — | high | `resolved_by`, `closed_by`, `reopened_by` → `related.user`; fixture: `David Loo` (`resolved_by`), `Joe Employee` (`closed_by`) | **`incident`**, **`problem`**, **`change_request`** — lifecycle participants |
+| CMDB / asset steward | user | — | medium | `managed_by`, `owned_by`, `supported_by`, `attested_by` → `related.user`; fixture: `Bow Ruggeri` (`managed_by` on `cmdb_ci_server`) | **CMDB CI**, **`alm_hardware`** — operational 
ownership context |
+| Problem confirmer | user | — | medium | `confirmed_by` → `related.user` (`pipeline_problem.yml`); fixture: `Problem Coordinator A` | **`problem`** only |
+| Knowledge author | user | — | high | `author` → `user.full_name` (`pipeline_kb_knowledge.yml`); fixture: `Ron Kettering` | **`kb_knowledge`** — article author |
+| Department / location head | user | — | high | `dept_head` → `user.full_name` + `related.user` (`pipeline_cmn_location.yml`); fixture: `Nelly Jakuboski` | **`cmn_department`**, **`cmn_location`** |
+| Group membership subject | user | — | high | `user` → `user.name` (`pipeline_sys_user.yml`); fixture: `Arron Ubhi` | **`sys_user_grmember`** — member linked to group |
+| Platform / integration account | service | — | medium | `sys_updated_by` / `sys_created_by` values `system`, `glide.maint`; `internal_integration_user` on `sys_user` | **CMDB**, **hardware** fixtures — automated accounts in `related.user` only |
+
+**No discrete audit actor:** Row snapshots lack login session, impersonation, or API-call principal context. Elastic Agent collection credentials are not event actors.
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? 
| Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `user.name` | Task opener; group member | yes (table-dependent) | partial | high | `opened_by.display_value` copy (`default.yml`); overridden on `sys_user_grmember` by `user.display_value` (`pipeline_sys_user.yml`); on **`incident`**, opener ≠ `sys_updated_by` |
+| `user.full_name` | KB author; dept/location head | yes | yes | high | `author.display_value` (`pipeline_kb_knowledge.yml`); `dept_head.display_value` (`pipeline_cmn_location.yml`) |
+| `user.email` / `user.domain` | User account email | yes | yes | high | `email.display_value` + dissect (`default.yml`); fixture: `survey.user@email.com` on **`sys_user`** |
+| `related.user` | Creator, updater, assignee, caller, stewards, CI names | yes | partial | high | Global append processors (`default.yml` L4657–4758); table pipelines add `caller_id`, `confirmed_by`, `caused_by`; **conflates actors, targets, and CI `name` values** |
+| `servicenow.event.sys_created_by.*` | Record creator (vendor canonical) | no (vendor-only) | n/a | high | Retained under vendor namespace; also mirrored in `related.user` |
+| `servicenow.event.sys_updated_by.*` | Last modifier (vendor canonical) | no (vendor-only) | n/a | high | Same; primary change-actor signal when correlating polls |
+| `servicenow.event.opened_by.*` | Task opener reference | no (vendor-only) | n/a | high | `value` holds sys_id; `display_value` drives ECS `user.name` |
+| `servicenow.event.caller_id.*` | Incident requester | no (vendor-only) | n/a | high | `pipeline_incident.yml` appends display_value to `related.user` only |
+| `servicenow.event.internal_integration_user.*` | Integration account flag | no (vendor-only) | n/a | medium | `pipeline_sys_user.yml` — boolean on **`sys_user`** rows |
+| `related.ip` | CMDB asset IP (context) | yes | yes (context) | medium | `ip_address` append (`default.yml`); asset attribute, not actor endpoint |
+
+### Target (semantic)
+
+| Layer | Description | Entity 
| Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Platform / cloud service | SaaS platform holding the record | ServiceNow instance | service | — | medium | `servicenow.event.sys_domain`, `table_name`; no `cloud.service.name` in pipeline | Conceptual Layer 1 — instance/tenant scope, not mapped to ECS service target |
+| 2 — Resource / object | Table row acted upon | ITSM ticket, CMDB CI, user account, org unit | user / host / general | incident, cmdb_ci, sys_user, … | high | `sys_id` → `event.id`; `table_name` / `sys_class_name`; CMDB: `host.*`, `device.*`; user: `sys_user` row | Primary target is the **ingested row**; linked refs (`cmdb_ci`, `business_service`) stay vendor-only |
+| 3 — Content / artifact | Description, baseline, ticket text | Ticket description, KB body, change baseline XML | general | ticket_description, kb_article, cmdb_baseline | high | `description` → `message`; `short_description`, `work_notes`, `xml` vendor-only; fixture: incident `message` on `INC0000060` | Layer 3 is record payload, not a separate audit event |
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? 
| Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `event.id` | 2 | general | yes | yes | `entity.target.id` | yes | `sys_id.display_value` copy (`default.yml`); canonical record identifier |
+| `servicenow.event.table_name` | 2 | general | no | n/a | context-only | no | Tags + routing to table pipelines; defines target type |
+| `servicenow.event.number` / `task_effective_number` | 2 | general | no | n/a | context-only | no | Fixtures: `INC0000060`, `PRB0000050`, `CHG0000024`, `RITM0000002` |
+| `host.hostname` | 2 | host | partial | yes | `host.target.name` | yes | `host_name.display_value` copy; empty in `cmdb_ci_server` fixture — populated when field present |
+| `host.ip` | 2 | host | partial | yes | `host.target.ip` | yes | `ip_address.display_value` copy + `related.ip`; fixtures: `10.10.20.21`, `1.128.0.0` |
+| `host.os.name` / `host.os.version` | 2 | host | yes | yes | `host.target.os.*` | yes | `os` / `os_version` copy; fixture: Linux/Windows/ESXi on CMDB CIs |
+| `host.geo.*` | 2 | general | yes | partial | context-only | no | `location` → `host.geo.name`; `city`/`country`/`time_zone` on **`cmn_location`** — org location, not host geo |
+| `device.model.name` / `device.manufacturer` / `device.id` | 2 | host | yes | yes | `host.target.*` | yes | **`alm_hardware`**, CMDB hardware rows; fixture: `Gateway DX Series` |
+| `organization.name` | 2 | general | yes | yes | context-only | no | `company.display_value` copy; fixture: `ACME North America` |
+| `message` | 3 | general | partial | yes | context-only | no | `description.display_value` copy; incident/department fixtures; `short_description` **not** mapped |
+| `servicenow.event.cmdb_ci.*` | 2 | host | no | n/a | `host.target.*` | yes | Incident fixture: `Storage Area Network 001`; impacted CI reference, not ECS `host.name` |
+| `servicenow.event.business_service.*` | 2 | service | no | n/a | `service.target.*` | yes | Incident fixture: `Email`; business service impacted |
+| 
`servicenow.event.caller_id.*` | 2 | user | no | n/a | `user.target.*` | yes | Incident requester in `related.user` only — de-facto target user, not `destination.user.*` |
+| `servicenow.event.name.*` | 2 | host / general | no | n/a | `entity.target.name` | yes | CMDB CI name; erroneously also appended to `related.user` (`default.yml` L4724–4728) |
+| `servicenow.event.user_name.*` / `roles` / `active` | 2 | user | no | n/a | `user.target.*` | yes | **`sys_user`** identity record; `user.email` mapped, `user.name` not set from `user_name` |
+| `servicenow.event.parent` / `child` / `type` | 2 | general | no | n/a | `entity.target.*` | yes | **`cmdb_rel_ci`** relationship edge |
+| `servicenow.event.task` / `ci_item` / `xml` | 2–3 | general | no | n/a | `entity.target.*` | yes | **`task_ci`** — change-to-CI link; optional baseline XML with CMDB deltas |
+| `event.provider` | 1 | service | partial | partial | context-only | no | `source.display_value` copy — discovery/integration source on CMDB rows, not ServiceNow platform |
+
+### Gaps and mapping notes
+
+- **Not true audit logs** — no `sys_audit`/`sysevent`; row snapshots lack action type, outcome, and field-level change history (except partial `task_ci` baseline XML). For ACL/script/impersonation trails, ingest audit tables separately.
+- **`event.action` gaps** — no pipeline mapping; recommend primary candidate `servicenow.event.table_name` with normalized prefix (e.g. `table-sync-incident`). Do **not** map `state` or `approval` directly to `event.action` without change detection — they are current-state fields on snapshots. For **`task_ci`**, consider `cmdb-baseline-applied` when `applied: true` and parse `xml` for specific operations (`update_ci`, `add_relationships`) in a future enhancement.
+- **No ECS `*.target.*` or `destination.*` de-facto targets** — target identity lives in generic ECS fields (`event.id`, `host.*`, `user.email`) and vendor `servicenow.event.*`; enhancement candidates above. 
+- **`user.name` actor/target ambiguity** — global pipeline sets from `opened_by`, but on **`incident`** the requester (`caller_id`) and last updater (`sys_updated_by`) differ; `caller_id` is semantically a **user target** stuck in `related.user`.
+- **`related.user` conflation** — mixes creators, updaters, assignees, callers, stewards, department names (`Sales`), and CI/service names (`Service-now Production Sacramento`, `SAP Enterprise Services`) via blanket `name.display_value` append; no actor vs target distinction.
+- **`host.geo.*` on CMDB/location rows** — maps physical site address (`location`), not the CI's network endpoint; `host.ip` is the asset IP when present.
+- **Target-fields audit alignment** — `none`: inventory/workflow sync semantics; actor fields exist (`related.user`, conditional `user.name`) but no tier-A ECS target mapping and no `destination.user`/`destination.host` pattern.
+
+### Per-stream notes
+
+#### `event`
+
+Single data stream; semantics driven by `servicenow.event.table_name` and table-specific sub-pipelines (`pipeline_incident`, `pipeline_problem`, `pipeline_change_request`, `pipeline_sc_req_item`, `pipeline_kb_knowledge`, `pipeline_sys_user`, `pipeline_cmdb_ci_business_app`, `pipeline_cmn_location`, `pipeline_alm_hardware`, `pipeline_task_ci`). Collection via CEL REST polling or AWS S3/SQS; `@timestamp` from configured timestamp field (default `sys_updated_on`). Deduplicate on `event.id` (`sys_id`) + `@timestamp` for polling updates.
+
+**ITSM tables** (`incident`, `problem`, `change_request`, `change_task`, `sc_req_item`): `event.kind: event`. **Action:** no `event.action`; vendor `state`/`approval` are workflow snapshots (fixtures: `Closed`, `Approved`). Actor: `user.name` = opener; `sys_updated_by` in `related.user`. Target Layer 2: ticket (`event.id`, vendor `number`); linked CI (`cmdb_ci.*` vendor-only); Layer 3: `message` from `description`. 
+
+**CMDB CI tables** (`cmdb_ci_server`, `cmdb_ci_vm`, …): `event.kind: asset` or `event`. **Action:** table sync only (`event.type: info`, `event.category: host`/`configuration` per table). Target Layer 2: infrastructure asset via `host.*`/`device.*`; actor limited to `sys_updated_by`/`sys_created_by` in `related.user`.
+
+**Identity tables** (`sys_user`, `sys_user_group`, `sys_user_grmember`): `event.kind: asset`, `event.category: iam`. **Action:** table sync only. Target Layer 2: user/group/membership record; `user.email` on **`sys_user`**; group member → `user.name`.
+
+**`task_ci`**: Associates change/incident task with CI. **Action:** `applied: true` + baseline `xml` (`update_ci`, `add_relationships`) — best change-delta signal; not mapped to `event.action`. Closest the integration gets to naming a configuration change operation.
+
+## Example Event Graph
+
+These examples come from the single **`servicenow.event`** stream (Table API row snapshots via CEL or AWS S3/SQS). They are **not true audit logs** — each event is the current state of a record at poll time, audit-adjacent at best. 
+
+### Example 1: Closed incident snapshot
+
+**Stream:** `servicenow.event` · **Fixture:** `packages/servicenow/data_stream/event/_dev/test/pipeline/test-event.log-expected.json`
+
+```
+employee (last updater) → incident (table sync) → INC0000060 (closed incident ticket)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | employee |
+| type | user |
+
+**Field sources:**
+- `id ← servicenow.event.sys_updated_by.display_value` — last modifier on the polled row snapshot (not necessarily the user who closed the ticket; `closed_by` is Joe Employee in the same fixture)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | incident |
+| source_field | `servicenow.event.table_name` |
+| source_value | `incident` |
+
+**Not mapped to ECS today.** Workflow context (`state.display_value: Closed`, `approval.value: not requested`) is a current-state snapshot, not the verb that closed the ticket.
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 1c741bd70b2322007518478d83673af3 |
+| name | INC0000060 |
+| type | general |
+| sub_type | incident |
+
+**Field sources:**
+- `id ← event.id` (from `servicenow.event.sys_id.display_value`)
+- `name ← servicenow.event.number.display_value`
+- `sub_type ← servicenow.event.sys_class_name.display_value` (`Incident`)
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: employee"] --> E["incident (table sync)"]
+ E --> T["Target: INC0000060"]
+```
+
+### Example 2: CMDB baseline applied on change task
+
+**Stream:** `servicenow.event` · **Fixture:** `packages/servicenow/data_stream/event/_dev/test/pipeline/test-event.log-expected.json`
+
+```
+admin → cmdb-baseline-applied → Blackberry (CI linked to CHG0000031)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | admin |
+| type | user |
+
+**Field sources:**
+- `id ← servicenow.event.sys_updated_by.display_value`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | cmdb-baseline-applied |
+| source_field | 
`servicenow.event.applied.value` |
+| source_value | `true` |
+
+**Not mapped to ECS today.** Baseline `xml` in the same fixture encodes `` and `` field deltas but is not parsed into ECS.
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 27d3f35cc0a8000b001df42d019a418f |
+| name | Blackberry |
+| type | host |
+
+**Field sources:**
+- `id ← servicenow.event.ci_item.value`
+- `name ← servicenow.event.ci_item.display_value`
+- Change task reference: `servicenow.event.task.display_value` = `CHG0000031` (vendor-only context for the CI link row)
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: admin"] --> E["cmdb-baseline-applied"]
+ E --> T["Target: Blackberry"]
+```
+
+### Example 3: CMDB server asset sync
+
+**Stream:** `servicenow.event` · **Fixture:** `packages/servicenow/data_stream/event/_dev/test/pipeline/test-event.log-expected.json`
+
+```
+system (integration account) → cmdb_ci_server (table sync) → Service-now Production Sacramento
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | system |
+| type | service |
+| sub_type | service_account |
+
+**Field sources:**
+- `id ← servicenow.event.sys_updated_by.display_value` — automated platform account, not a human operator endpoint
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | cmdb_ci_server |
+| source_field | `servicenow.event.table_name` |
+| source_value | `cmdb_ci_server` |
+
+**Not mapped to ECS today.** Pipeline sets `event.kind: asset`, `event.type: info`, `event.category: host` — record classification only. 
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 106c5c13c61122750194a1e96cfde951 |
+| name | Service-now Production Sacramento |
+| type | host |
+| geo | 5052 Clairemont Drive, San Diego,CA |
+
+**Field sources:**
+- `id ← event.id` (from `servicenow.event.sys_id.display_value`)
+- `name ← servicenow.event.name.display_value`
+- `geo ← host.geo.name` (from `servicenow.event.location.display_value` — physical site address, not network endpoint)
+- `host.os.name ← Linux Red Hat`, `host.os.version ← Enterprise Server 3` (asset attributes on the same fixture row)
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: system"] --> E["cmdb_ci_server (table sync)"]
+ E --> T["Target: Service-now Production Sacramento"]
+```
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (policy template `servicenow`, single `data_stream/event` with Tier A fixtures: `sample_event.json`, `test-event.log-expected.json`, and table-specific ingest pipelines). Router: **`data_stream.dataset == "servicenow.event"`**. Pass 4 is **fill-gaps-only**: detection flags preserve existing `user.*`, `host.*`, `*.target.*`, and `event.action` before fallbacks. Table API **row snapshots** (ITSM, CMDB, identity, hardware) are inventory/workflow sync — not discrete audit logs (`sys_audit` / `sysevent` are not ingested). Pass 3 semantics apply for correlation only; **`sys_updated_by` / `opened_by` are poll-time modifiers**, not verified audit principals. **Actor and target `EVAL` are omitted** (would misrepresent snapshots); **`event.action` only** is filled from `servicenow.event.table_name` and `task_ci` `applied` when absent at ingest. 
**Pass 4 (tautology + CASE syntax):** no `CASE(col, col, …)` identity fallbacks — ingest-populated `user.name`, `user.full_name`, `user.email`, `host.*`, and `event.id` are **ingest-only — no ES|QL** (no alternate query-time audit source); do not emit `CASE(actor_exists, user.name, …, user.name, null)` or promote `event.id` / `host.ip` to `*.target.*`. `event.action` uses **column-level** `CASE(event.action IS NOT NULL, event.action, …)` (7-arg) — not `CASE(action_exists, event.action, …)`; detection flags are helpers only. Fallback branches use literal `"cmdb-baseline-applied"` and `servicenow.event.table_name`, never `event.action` in the fallback path.
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `servicenow.event` | table row sync (all polled tables) | user, service (snapshot proxy) | user, host, general (record subject) | partial (action only) |
+
+### Field mapping plan
+
+No actor or target output columns — generic ECS (`user.name`, `user.email`, `host.*`, `event.id`) and vendor `servicenow.event.*` describe record state, not normalized audit actor/target identity. See **Streams excluded** and **Gaps**. 
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| — | — | — | — | No audit actor `EVAL` — snapshot proxies only |
+| `user.name` | — | `data_stream.dataset == "servicenow.event"` | high | **ingest-only — no ES\|QL** — `opened_by.display_value` (`default.yml`); `sys_user_grmember` override (`pipeline_sys_user.yml`); **omit** — `CASE(actor_exists, user.name, user.name, null)` is identity no-op |
+| `user.full_name` | — | `data_stream.dataset == "servicenow.event"` | high | **ingest-only — no ES\|QL** — `author` / `dept_head` (`pipeline_kb_knowledge.yml`, `pipeline_cmn_location.yml`); **omit** |
+| `user.email` | — | `data_stream.dataset == "servicenow.event"` | high | **ingest-only — no ES\|QL** — `email.display_value` + dissect (`default.yml`); **`sys_user`** fixtures only; **omit** |
+| `user.id` | — | — | high | **omit** — not mapped at ingest; vendor `sys_updated_by.value` is sys_id, not ECS `user.id`; no defensible fallback without misclassifying snapshot modifier |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| — | — | — | — | No audit target `EVAL` — record subject is inventory/workflow state |
+| `entity.target.id` / `host.target.*` / `user.target.*` | — | — | high | **omit** — `event.id`, `host.*`, `servicenow.event.caller_id.*` describe the synced row, not audit targets; `CASE(target_exists, event.id, event.id, null)` or `user.id` → `user.target.id` would duplicate inventory subject |
+
+**Event action (fill-gaps only):**
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `event.action` | `"cmdb-baseline-applied"` | `data_stream.dataset == "servicenow.event" AND TO_BOOLEAN(servicenow.event.applied.value) == true` | medium | **semantic literal** — Pass 3 Example 2; `task_ci` 
fixture only |
+| `event.action` | `servicenow.event.table_name` | `data_stream.dataset == "servicenow.event" AND servicenow.event.table_name IS NOT NULL` | high | **vendor fallback** — sync context (`incident`, `cmdb_ci_server`, …); not a security verb; fallback ≠ output column (maps vendor field into `event.action`) |
+| `event.action` | — | — | high | **preserve** — `CASE(event.action IS NOT NULL, event.action, …)` only; never `CASE(…, event.action, …, event.action, null)` in fallback |
+
+Do **not** map `servicenow.event.state.*` or `servicenow.event.approval.*` to `event.action` (workflow snapshots per Pass 2).
+
+### Detection flags (mandatory — run first)
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.full_name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+**Semantics:** `actor_exists` includes `user.full_name` (`kb_knowledge`, `cmn_location` pipelines) and `user.name` (ITSM `opened_by`, `sys_user_grmember`). No ECS `*.target.*` at ingest — `target_exists` is false on all Tier A fixtures. Actor/target columns are not mapped below; flags support cross-integration queries and future ingest promotion. Populated ingest-only columns must not drive tautological `CASE(actor_exists, col, …, col, null)` actor/target branches.
+
+**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. 
Wrong: `CASE(event.action IS NOT NULL, event.action, servicenow.event.table_name, null)` (4 args — `servicenow.event.table_name` is a **condition**). Right: **7-arg** `CASE(event.action IS NOT NULL, event.action, data_stream.dataset == "servicenow.event" AND …, , …, null)`. Do not use `CASE(action_exists, event.action, …)` for preserve — `action_exists` is equivalent here but column-level preserve is required when other flags could be true (Pass 4 §10). Never **4-arg** `CASE(actor_exists, user.name, user.full_name, null)` (`user.full_name` parses as a condition).
+
+### Combined ES|QL — actor fields
+
+Not applicable — actor normalization excluded (table sync / inventory; see Gaps). Do not emit `CASE(actor_exists, user.name, user.name, null)`, `CASE(actor_exists, user.email, user.email, null)`, or `sys_updated_by` → `user.id` without ingest tier-A mapping — ingest-only with no alternate query-time source (`default.yml`, table pipelines).
+
+### Combined ES|QL — event action
+
+`event.action` is absent in all fixtures and pipelines today; fallback supplies Pass 3 sync labels only when `event.action` is null. **Column-level preserve** — fallbacks use literal `"cmdb-baseline-applied"` and `servicenow.event.table_name`, not `event.action` (Pass 4 rule #10).
+
+```esql
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "servicenow.event" AND TO_BOOLEAN(servicenow.event.applied.value) == true, "cmdb-baseline-applied",
+ data_stream.dataset == "servicenow.event" AND servicenow.event.table_name IS NOT NULL, servicenow.event.table_name,
+ null
+ )
+```
+
+Prefer ingest-time mapping (`table-sync-` + `table_name`, or parsed `xml` verbs) before relying on query-time `table_name` alone.
+
+### Combined ES|QL — target fields
+
+Not applicable — target normalization excluded (inventory subject ≠ audit target; see Gaps). 
Do not emit `CASE(target_exists, host.ip, host.ip, null)` or promote `event.id` / `host.hostname` to `host.target.*` / `entity.target.id` — ingest-only inventory subject fields with no alternate audit target source.
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.full_name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "servicenow.event" AND TO_BOOLEAN(servicenow.event.applied.value) == true, "cmdb-baseline-applied",
+ data_stream.dataset == "servicenow.event" AND servicenow.event.table_name IS NOT NULL, servicenow.event.table_name,
+ null
+ )
+| KEEP @timestamp, data_stream.dataset, event.action, servicenow.event.table_name, servicenow.event.sys_updated_by.display_value, user.name, event.id
+```
+
+### Streams excluded (actor / target)
+
+- **`servicenow.event`** (all tables) — Polled row state via REST/S3; no field-level change history except unparsed `task_ci` baseline `xml`. `state` / `approval` are workflow snapshots, not verbs. For ACL/script/impersonation trails, ingest `sys_audit` separately. 
+
+### Gaps and limitations
+
+- **Target-fields audit `none`:** No ECS `*.target.*` or `destination.*`; wiring `event.id`, `host.*`, or `servicenow.event.caller_id.*` into `*.target.*` at query time would misrepresent poll snapshots as audit targets.
+- **`user.name` actor/target ambiguity:** Global pipeline sets `user.name` from `opened_by` while `caller_id` (incident requester) shares `related.user` — actor `CASE` from `sys_updated_by` would guess wrong across tables.
+- **`related.user` conflation:** Mixes creators, updaters, assignees, callers, stewards, and CI/service names — unsuitable for `user.target.*` without ingest split.
+- **`event.action` from `table_name`:** Labels sync context (`incident`, `cmdb_ci_server`), not who performed a change; `cmdb-baseline-applied` covers only `applied.value == true` on `task_ci`.
+- **`task_ci` baseline XML:** `` / `` deltas are unparsed — no reliable per-operation `event.action` at query time.
+- **Enhancement path:** Ingest audit tables or add change-detection ingest processors (and tier-A `*.target.*`) before full actor/target ES|QL normalization.
+- **No tautological CASE (Pass 4 #10):** `user.name`, `user.full_name`, `user.email`, `host.*`, and `event.id` are ingest-only record-subject columns; there is no query-time vendor path for audit actor/target extraction. `event.action` ES|QL is limited to column-level preserve plus `servicenow.event.applied.value` / `servicenow.event.table_name` fallbacks — not `CASE(…, event.action, …, event.action, null)`.
+- **Pass 4 CASE syntax** — `event.action` uses **7-arg** `CASE(event.action IS NOT NULL, event.action, data_stream.dataset == "servicenow.event" AND …, , …, null)`; never **4-arg** `CASE(action_exists, event.action, servicenow.event.table_name, null)` (`table_name` parses as a condition). Detection flags (`actor_exists`, `target_exists`, `action_exists`) are query-time helpers only — not used as the first `CASE` branch on mapped columns. 
Full pipeline fragment aligned with the combined `event.action` block. No actor/target `EVAL` blocks (ingest-only columns; no alternate audit sources in `packages/servicenow` fixtures).
diff --git a/dev/domain/p1/slack.md b/dev/domain/p1/slack.md
new file mode 100644
index 00000000000..2076a41e72e
--- /dev/null
+++ b/dev/domain/p1/slack.md
@@ -0,0 +1,459 @@
+# slack
+
+## Product Domain
+
+Slack is a cloud-based team collaboration and messaging platform used by organizations as their primary hub for workplace communication. Users interact through workspaces—dedicated environments where teams organize conversations in channels (public or private), direct messages, and shared resources such as files and apps. Slack supports integrations with third-party tools, custom workflows, and OAuth-based applications, making it both a communication layer and an operational workflow surface for modern enterprises.
+
+At the organizational level, Slack is structured around workspaces and, for larger customers, Enterprise Grid. Enterprise Grid lets a company manage multiple connected workspaces under a single enterprise account, with centralized administration, shared channels across org boundaries, and unified identity and access controls. Core entities in the Slack domain include users (with roles such as member, guest, admin, and owner), user groups, channels, files, installed apps, workflows, and information barriers that restrict communication between user groups.
+
+From a security and compliance perspective, Slack records administrative and user activity as audit events. These events capture who performed an action (the actor), what was affected (the entity—user, file, channel, app, role, message, and others), and contextual metadata such as IP address, user agent, session identifier, and workspace or enterprise scope. Slack also surfaces anomaly detections—for example, logins from unusual locations or ASNs—and file security events such as malicious content detection. The Audit Logs API, which exposes this history, is available only on Slack Enterprise Grid plans.
+
+The Elastic Slack integration focuses on ingesting these audit logs for search, observability, and security use cases. 
It polls Slack's REST API using an OAuth token with the `auditlogs:read` scope, normalizes events into ECS-aligned fields, and enriches them with geo-IP and user-agent parsing. This enables security teams to monitor authentication activity, identity and access changes, file handling, app installations, and anomalous behavior across Slack workspaces or an entire enterprise grid.
+
+## Data Collected (brief)
+
+- **Audit logs** (`slack.audit`): Administrative and security-relevant activity from Slack Enterprise Grid workspaces, collected via the Slack Audit Logs API.
+- **Event actions**: User authentication (login, logout, failed login, session invalidation), user lifecycle and role changes, user group membership and configuration, file operations (upload, download, share, public links, blocked downloads, malicious content detection), and anomaly alerts.
+- **Actor and entity details**: User IDs, names, emails, and teams; entity types including workspace, enterprise, user, file, channel, app, workflow, usergroup, barrier, message, and role—with type-specific attributes (file type, channel privacy, app scopes, and similar).
+- **Context and enrichment**: Workspace or enterprise name, domain, and ID; session ID; source IP with geo-IP and ASN enrichment; user agent; anomaly reasons and prior IP/user-agent values; file hashes and private URLs where applicable.
+
+## Expected Audit Log Entities
+
+The integration exposes a single true audit stream — **`slack.audit`** — polling Slack Enterprise Grid Audit Logs API (`auditlogs:read`). There are no metrics, inventory, or finding streams. Slack events carry a native **`action`** (operation performed), **`actor`** (who performed it), **`entity`** (what was affected), and **`context`** (workspace/enterprise scope, session, client IP/UA). 
Evidence: `packages/slack/data_stream/audit/sample_event.json`, `packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json`, `packages/slack/data_stream/audit/elasticsearch/ingest_pipeline/default.yml`, `packages/slack/data_stream/audit/fields/fields.yml`, `dev/target-fields-audit/out/target_enhancement_packages.csv` (`slack`, `moderate_candidate`, all `has_*_target` false, `has_vendor_target_fields: true`).
+
+**`event.action` is populated** on every fixture and `sample_event.json` via pipeline rename `slack.action` → `event.action` (`default.yml` L28–31). Vendor-native action strings are preserved verbatim (e.g. `user_login`, `file_downloaded`, `anomaly`). A downstream Painless script (`default.yml` L260–447) enriches `event.category`, `event.type`, and `event.outcome` for ~30 known actions; **`anomaly`** is not in that lookup table and receives only default `event.type: ["info"]`.
+
+No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*` fields are populated (`target_fields_audit.csv` has no `slack` row). The package does not use `destination.user.*` or `destination.host.*` de-facto target fields (`destination_identity_hits.csv` has no `slack` row). Target identity lives almost entirely under `slack.audit.entity.*`.
+
+### Event action (semantic)
+
+Slack audit events record a vendor **`action`** string naming the operation. The pipeline copies it directly to ECS `event.action` without normalization. Fixture-covered actions span authentication, IAM, file access, anomaly detection, and malware. 
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `user_login` | authentication | high | `test-audit.log-expected.json` event 1; `event.original` `"action":"user_login"` | Script sets `event.category: [authentication, session]`, `event.type: [info, start]`, `event.outcome: success` |
+| `user_created` | administration | high | `test-audit.log-expected.json` event 2 | Script sets `event.category: [iam]`, `event.type: [creation, user]` |
+| `file_downloaded` | data_access | high | `test-audit.log-expected.json` event 3 | Script sets `event.category: [file]`, `event.type: [access]` |
+| `anomaly` | detection | high | `test-audit.log-expected.json` events 4–5; `sample_event.json` | Slack anomaly alert (ASN/IP/UA/session fingerprint); **not** in categorization script — no `event.category` / `event.outcome` enrichment |
+| `file_malicious_content_detected` | detection | high | `test-audit.log-expected.json` event 6 | Script sets `event.category: [file, malware]`, `event.type: [info]` |
+
+The pipeline categorization script (`default.yml` L264–437) defines additional actions not covered by fixtures but supported at ingest: authentication (`user_login_failed`, `user_logout`, `user_session_invalidated`, `user_session_reset_by_admin`), IAM lifecycle and role changes (`user_deactivated`, `user_reactivated`, `role_change_to_*`, `user_email_updated`), user-group operations (`user_added_to_usergroup`, `role_modified_on_usergroup`, etc.), and file operations (`file_uploaded`, `file_downloaded_blocked`, `file_public_link_created`, `file_shared`, etc.). Confidence for unfixtured actions is **medium** — derived from pipeline params only.
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? 
| Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `slack.action` → `event.action` | yes | yes | `user_login`, `user_created`, `file_downloaded`, `anomaly`, `file_malicious_content_detected` | no | `rename` L28–31; all six pipeline fixtures + `sample_event.json` |
+| `event.original` JSON `action` | yes (source) | yes | Same vendor values in raw payload | no | Preserved in `event.original`; canonical source before rename |
+| Painless categorization params (`event.action` key) | n/a (downstream) | partial | Maps ~30 actions to `event.category` / `event.type` / `event.outcome` | yes (for `anomaly`) | Script L437–447 keys off `event.action`; **`anomaly` absent** — fixtures show only `event.type: [info]` with no category/outcome |
+| `event.type` / `event.category` / `event.outcome` | n/a | partial | Derived from action, not independent action sources | partial | Do not substitute for `event.action`; they are enrichments keyed on it |
+| `slack.audit.details.reason` | no | n/a | — | no | Anomaly sub-signals (`asn`, `ip_address`, …); qualifies the `anomaly` action, not a separate operation name |
+
+**Step 2b — per-stream check:**
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `slack.audit` | yes (all events) | yes | `slack.action` (vendor JSON `action`) | high | `rename` L28–31; six `test-audit.log-expected.json` events + `sample_event.json` |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Slack user principal | user | — | high | Every fixture and `sample_event.json` show `actor.type: "user"` with `actor.user.id/name/email`. Actions span auth (`user_login`), IAM (`user_created`), file access (`file_downloaded`), anomaly detection, and malware (`file_malicious_content_detected`). 
| `slack.audit` only stream |
+
+No `host` or `service` actor types appear in pipeline tests or `sample_event.json`. When `actor.user.team` is present (mobile file download, self-referential anomaly), it remains vendor-only under `slack.audit.actor.user.team`.
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `user.id` | Actor Slack user ID | yes | yes | high | `rename`: `slack.actor.user.id` → `user.id` (`default.yml` L42–44); populated in all fixtures |
+| `user.full_name` | Actor display name | yes | yes | high | `rename`: `slack.actor.user.name` → `user.full_name` (L45–48) |
+| `user.email` | Actor email | yes | yes | high | `rename`: `slack.actor.user.email` → `user.email` (L49–52) |
+| `slack.audit.actor.type` | Actor type discriminator | yes (vendor) | n/a | high | `rename`: `slack.actor` → `slack.audit.actor` (L53–56); always `"user"` in fixtures |
+| `slack.audit.actor.user.team` | Actor workspace team ID | yes (vendor) | n/a | high | Retained after user renames; present in `file_downloaded`, both `anomaly`, and `file_malicious_content_detected` fixtures |
+| `source.ip` / `source.address` | Client/session IP (context) | yes | yes | high | `slack.context.ip_address` → `source.address` → `source.ip` with geo-IP/ASN (L133–136, 209–225) |
+| `user_agent.*` | Client user-agent (context) | yes | yes | high | `slack.context.ua` → `user_agent.original` + `user_agent` processor (L122–127) |
+| `slack.audit.context.session_id` | Authenticated session ID (context) | yes (vendor) | n/a | medium | `slack.context.session_id` rename (L238–245); in file download, anomaly, and malware fixtures |
+| `related.user` | Actor cross-reference | yes | partial | high | Appends actor `user.id` and `user.email` only (L246–255); entity user never appended |
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence 
| Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Platform / cloud service | Slack workspace or Enterprise Grid tenant (organizational scope) | Slack workspace / enterprise | service | — | medium | `slack.audit.context.type` (`workspace` or `enterprise`), `context.id`, `context.name`, `context.domain` in every fixture; not mapped to `cloud.service.name` | Scope context — distinct from Layer 2 entity unless `entity_type` is workspace/enterprise |
+| 2 — Resource / object | Native Slack entity acted upon | Slack user | user | — | high | `entity.type: "user"` in `user_login`, `user_created`, both `anomaly` events; flattened to `slack.audit.entity` with `entity_type`, `id`, `name`, `email`, optional `team` | When actor ≠ entity (`user_created`, one `anomaly`), affected user is target only in vendor namespace |
+| 2 — Resource / object | File acted upon | Slack file | general | file | high | `entity.type: "file"` in `file_downloaded`, `file_malicious_content_detected`; `slack.audit.entity.id/name/title/filetype` | Actor is the downloader/uploader; file is the acted-upon object |
+| 2 — Resource / object | Other Slack entity types | Channel, app, workflow, usergroup, barrier, message, role, account_type_role | general | channel, app, workflow, usergroup, barrier, message, role, account_type_role | medium–low | Pipeline rename paths for each `slack.entity.*` → `slack.audit.entity` (L58–115); `fields.yml` documents type-specific attributes; no fixture coverage | Confidence `medium` for channel/app/workflow/usergroup/workspace/enterprise (pipeline + fields); `low` for barrier/message/role/account_type_role |
+| 3 — Content / artifact | File URL, hash, anomaly metadata | File URL / hash / geo string | general | url, file_hash, geo_location | high (file); medium (anomaly) | `uri_parts` on `slack.audit.details.url_private` → `url.*` (`file_downloaded`); `file.hash.md5` + `related.hash` from `details.md5_hash` (malware); 
`slack.audit.details.location/reason/previous_ip_address/previous_user_agent` (anomaly) | Artifacts enrich Layer 2 targets; not standalone ECS target entities |
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `slack.audit.entity.id` | 2 | varies | yes (vendor) | n/a | `user.target.id` / `entity.target.id` / `resource.id` (by `entity_type`) | yes | Canonical target ID; never copied to ECS `*.target.*` |
+| `slack.audit.entity.name` | 2 | varies | yes (vendor) | n/a | `user.target.full_name` / `entity.target.name` | yes | Target display name; vendor-only |
+| `slack.audit.entity.email` | 2 | user | yes (vendor) | n/a | `user.target.email` | yes | Populated when `entity_type: "user"`; e.g. `jbob@example.com` in `user_created` / `anomaly` |
+| `slack.audit.entity.team` | 2 | user | yes (vendor) | n/a | `user.target.*` (custom) | yes | Target user's workspace team; not mapped to ECS |
+| `slack.audit.entity.entity_type` | 2 | varies | yes (vendor) | n/a | — (discriminator) | no | `rename`: `slack.entity.type` → `entity_type` (L118–120) |
+| `slack.audit.entity.filetype` / `.title` | 2 | general (file) | yes (vendor) | n/a | `file.*` / `entity.target.*` | partial | File metadata; partial ECS via `file.hash.md5` only |
+| `file.hash.md5` | 3 | general (file_hash) | yes | partial | context / `file.hash.*` | no | `set` from `slack.audit.details.md5` when `entity_type == "file"` (L171–175); hash of target file, not a target identity field |
+| `url.*` | 3 | general (url) | yes | partial | context-only | no | Parsed from `slack.audit.details.url_private` on file download (L206–208) |
+| `slack.audit.context.id/name/domain/type` | 1 | service | yes (vendor) | n/a | `cloud.account.id` / `service.target.*` / `organization.*` | yes | Organizational scope in every event; not promoted to ECS cloud/service 
target fields |
+| `cloud.service.name` | 1 | service | no | n/a | `service.target.name` | yes | Not set anywhere in pipeline; static `slack` would identify invoked SaaS platform |
+| `destination.user.*` / `destination.host.*` | — | — | no | n/a | — | no | Not used |
+
+### Gaps and mapping notes
+
+- **`event.action` mapping is correct and complete:** Vendor `action` → `event.action` rename (L28–31) preserves Slack-native operation names on all fixtures. No enhancement needed for the primary action field.
+- **`anomaly` lacks categorization enrichment:** The Painless lookup table (L264–437) has no entry for `action: anomaly`. Fixtures show only default `event.type: [info]` with no `event.category` or `event.outcome`. Enhancement: add `anomaly` → `category: [intrusion_detection]` or `[threat]` (or Slack-appropriate taxonomy) and `type: [info]`.
+- **Actor-only ECS promotion:** Pipeline renames actor user fields to `user.*` but never maps entity user fields to `user.target.*`. When actor ≠ entity (`user_created`, anomaly with different users), only the actor appears in ECS `user.*`; the affected user is vendor-only under `slack.audit.entity.*`.
+- **`related.user` is actor-only:** Append processors (L246–255) add actor `user.id` and `user.email` only. Target user IDs/emails are omitted even when semantically distinct — e.g. `asdfasdf` / `jbob@example.com` missing from `related.user` in `user_created`.
+- **No official ECS target fields:** Aligns with `target_enhancement_packages.csv` row (`slack`, `moderate_candidate`, all `has_*_target` false, `has_vendor_target_fields: true`). Primary enhancement path: map `slack.audit.entity.*` to `user.target.*` (user entities) or `entity.target.*` / `resource.*` (file, channel, app, etc.) based on `entity_type`.
+- **Layer 1 SaaS gap:** No `cloud.provider` or `cloud.service.name` static set despite SaaS audit semantics. 
`slack.audit.context.*` holds workspace/enterprise scope but is organizational context, not the ECS-modeled invoked service.
+- **Context vs target for workspace/enterprise:** `slack.audit.context` appears in every event as scope. Pipeline also supports `entity_type: workspace` / `enterprise` as Layer 2 targets (rename paths L58–66) but fixtures show workspace/enterprise only as context, not as `entity.type`.
+- **No de-facto `destination.*` targets:** Unlike email/auth integrations, Slack does not map affected users to `destination.user.*`.
+- **Actor team not in ECS:** `slack.audit.actor.user.team` retained vendor-only; could enrich `user.*` or `organization.id` if desired.
+
+### Per-stream notes
+
+**`slack.audit`:** Sole data stream. All six pipeline test events plus `sample_event.json` confirm `event.action` populated from vendor `action`, user actors, and user/file entity targets. Action semantics: authentication (`user_login`), IAM (`user_created`), file access (`file_downloaded`), anomaly detection (`anomaly`), malware (`file_malicious_content_detected`). Supported but unfixture-covered entity types (channel, app, workflow, usergroup, barrier, message, role, account_type_role) and action types (see categorization script L264–437) inherit confidence from pipeline logic and `fields.yml` definitions only.
+
+## Example Event Graph
+
+Examples below come from the single **`slack.audit`** data stream — true Slack Enterprise Grid audit logs collected via the Audit Logs API.
+
+### Example 1: Enterprise user login
+
+**Stream:** `slack.audit` · **Fixture:** `packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json` (event 1)
+
+For `user_login`, Slack sets `entity` to the same user as `actor` — repeating that as the graph target would read “user logs in to themselves.” The natural reading is: a **user authenticates to the Slack service**; Birdland in `context` is org scope, not the thing being accessed. 
+
+```
+Charlie Parker (user) → user_login → Slack (service)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | W123AB456 |
+| name | Charlie Parker |
+| type | user |
+| geo | London, United Kingdom |
+| ip | 81.2.69.143 |
+
+**Field sources:**
+- `id` ← `user.id` ← `slack.actor.user.id`
+- `name` ← `user.full_name` ← `slack.actor.user.name`
+- `type` ← `slack.audit.actor.type`
+- `geo` ← `source.geo.city_name`, `source.geo.country_name`
+- `ip` ← `source.ip` ← `slack.context.ip_address`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | user_login |
+| source_field | `event.action` |
+| source_value | user_login |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| name | Slack |
+| type | service |
+| sub_type | enterprise_grid |
+
+**Field sources:**
+- `name` ← semantic — SaaS platform being authenticated to; **not indexed** in fixture (`cloud.service.name` absent per Pass 2)
+- `type` ← service — authentication target is the application, not the user account
+- `sub_type` ← inferred from `slack.audit.context.type: enterprise` (Enterprise Grid tier)
+
+**Scope context (not target):** login occurred under enterprise org **Birdland** (`slack.audit.context.id: E1701NCCA`, `context.name`, `context.domain: birdland`). Vendor `entity` also self-references Charlie Parker — ignore as target on auth events. 
+
+#### Mermaid (optional)
+
+```mermaid
+flowchart LR
+ A["Actor: Charlie Parker"] --> E["user_login"]
+ E --> T["Target: Slack"]
+```
+
+### Example 2: Admin creates workspace user
+
+**Stream:** `slack.audit` · **Fixture:** `packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json` (event 2)
+
+```
+roy (user) → user_created → Joe Bob (user)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | e65b0f5c |
+| name | roy |
+| type | user |
+| geo | London, United Kingdom |
+| ip | 81.2.69.143 |
+
+**Field sources:**
+- `id` ← `user.id`
+- `name` ← `user.full_name`
+- `type` ← `slack.audit.actor.type`
+- `geo` ← `source.geo.city_name`, `source.geo.country_name`
+- `ip` ← `source.ip`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | user_created |
+| source_field | `event.action` |
+| source_value | user_created |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | asdfasdf |
+| name | Joe Bob |
+| type | user |
+
+**Field sources:**
+- `id` ← `slack.audit.entity.id`
+- `name` ← `slack.audit.entity.name`
+- `type` ← `slack.audit.entity.entity_type`
+- Target identity is vendor-only today — not mapped to ECS `user.target.*`. 
+
+#### Mermaid (optional)
+
+```mermaid
+flowchart LR
+ A["Actor: roy"] --> E["user_created"]
+ E --> T["Target: Joe Bob"]
+```
+
+### Example 3: Mobile file download
+
+**Stream:** `slack.audit` · **Fixture:** `packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json` (event 3)
+
+```
+User McUser (user) → file_downloaded → image.png (file)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | 2f52269c-4f38-4f08-b56d-c2b968681dbd |
+| name | User McUser |
+| type | user |
+| geo | London, United Kingdom |
+| ip | 81.2.69.144 |
+
+**Field sources:**
+- `id` ← `user.id`
+- `name` ← `user.full_name`
+- `type` ← `slack.audit.actor.type`
+- `geo` ← `source.geo.city_name`, `source.geo.country_name`
+- `ip` ← `source.ip`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | file_downloaded |
+| source_field | `event.action` |
+| source_value | file_downloaded |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 7edc4c42-f925-47af-979a-22c10e1fefed |
+| name | image.png |
+| type | general |
+| sub_type | file |
+
+**Field sources:**
+- `id` ← `slack.audit.entity.id`
+- `name` ← `slack.audit.entity.name`
+- `type` / `sub_type` ← `slack.audit.entity.entity_type` (`file`)
+
+#### Mermaid (optional)
+
+```mermaid
+flowchart LR
+ A["Actor: User McUser"] --> E["file_downloaded"]
+ E --> T["Target: image.png"]
+```
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (`policy_templates`, `data_stream/audit` with Tier A fixtures). Router: **`data_stream.dataset`** embedded in every `CASE` fallback (queries are unscoped `FROM logs-*`, not filtered by dataset). Single stream **`slack.audit`** (Audit Logs API). Pass 4 is **fill-gaps-only**: detection flags run first for query semantics; target and classification columns use **column-level** `CASE( IS NOT NULL, , …)` — not `CASE(target_exists, , …)`. 
**`user.id` / `user.email` are ingest-only** (no query-time `slack.actor.user.*`) — omitted from actor `EVAL` (no `CASE(actor_exists, user.id, user.id, …)` or email equivalent). **`user.name` uses column-level preserve** (`user.name IS NOT NULL`, then `user.full_name`) — not `actor_exists`, because display name indexes as `user.full_name`. Secondary routing on `event.action` and `slack.audit.entity.entity_type` — on `user_login`, map **`service.target.name`** `"Slack"` (Pass 3), not self-referential `slack.audit.entity` user; on other events with `entity_type == "user"`, vendor **`slack.audit.entity.*`** → `user.target.*`.
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `slack.audit` | audit | user | user, service, general (file) | full |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.id` | — | — | high | **ingest-only** — pipeline renames `slack.actor.user.id` → `user.id`; no query-time vendor path; **omit from ES\|QL** |
+| `user.name` | `user.full_name` | `user.name IS NOT NULL` → preserve; else `data_stream.dataset == "slack.audit"` | high | Column-level preserve — `actor_exists` must not gate this (identity can be in `user.full_name` while `user.name` is empty) |
+| `user.email` | — | — | high | **ingest-only** — pipeline renames `slack.actor.user.email` → `user.email`; **omit from ES\|QL** |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `service.target.name` | `"Slack"` | `data_stream.dataset == "slack.audit" AND event.action == "user_login"` | low | **semantic literal**; fallback only when `NOT target_exists` |
+| `user.target.id` | `slack.audit.entity.id` | `data_stream.dataset == "slack.audit" AND 
slack.audit.entity.entity_type == "user" AND event.action != "user_login"` | high | **vendor fallback**; not on login (actor = entity tautology) |
+| `user.target.name` | `slack.audit.entity.name` | same as `user.target.id` | high | **vendor fallback** |
+| `user.target.email` | `slack.audit.entity.email` | same as `user.target.id` | high | **vendor fallback** |
+| `entity.target.id` | `slack.audit.entity.id` | `data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "file"` | high | **vendor fallback** |
+| `entity.target.name` | `slack.audit.entity.name` | `data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "file"` | high | **vendor fallback** |
+
+`actor_exists` uses `user.full_name` (not `user.name`) because the package indexes display name as `user.full_name`.
+
+### Detection flags (mandatory — run first)
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.full_name IS NOT NULL OR user.email IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+**Semantics:** `actor_exists` includes `user.full_name` (not `user.name`) because ingest renames `slack.actor.user.name` → `user.full_name` only. Target columns and optional `entity.target.*` helpers use column-level `IS NOT NULL` preserve — `target_exists` is a helper flag only. Actor `EVAL` emits **`user.name` only**, with **`user.name IS NOT NULL`** column-level preserve — never `CASE(actor_exists, user.name, …)` when `user.full_name` may hold the identity. 
+
+### Optional classification helpers (when needed)
+
+Set in **fallback** only when `NOT target_exists`:
+
+```esql
+| EVAL
+ entity.target.type = CASE(
+ entity.target.type IS NOT NULL, entity.target.type,
+ data_stream.dataset == "slack.audit" AND event.action == "user_login", "service",
+ data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "user" AND event.action != "user_login", "user",
+ data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "file", "general",
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "file", "file",
+ null
+ )
+```
+
+### Combined ES|QL — actor fields
+
+```esql
+| EVAL
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset == "slack.audit", user.full_name,
+ null
+ )
+```
+
+`user.id` and `user.email` are **not** listed here — ingest always sets them from `slack.actor.user.*` (renamed away at index time). A `CASE(actor_exists, user.id, user.id, null)` branch would be a no-op when empty and must not be emitted. Do not gate `user.name` on `actor_exists` when `user.full_name` carries the display name.
+
+**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs. With **4** args, the 3rd arg is a **boolean condition**, not a fallback value — `CASE(user.name IS NOT NULL, user.name, user.full_name, null)` would mean “else if `user.full_name` is truthy, return `null`”. For if/else use **3** args (odd count → last arg is default): `CASE(user.name IS NOT NULL, user.name, user.full_name)`.
+
+### Combined ES|QL — event action
+
+Omitted — `event.action` is populated on every fixture via ingest rename `slack.action` → `event.action` (`default.yml` L28–31). No indexed `slack.action` at query time for fallback. 
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "slack.audit" AND event.action == "user_login", "Slack",
+ null
+ ),
+ user.target.id = CASE(
+ user.target.id IS NOT NULL, user.target.id,
+ data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "user" AND event.action != "user_login", slack.audit.entity.id,
+ null
+ ),
+ user.target.name = CASE(
+ user.target.name IS NOT NULL, user.target.name,
+ data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "user" AND event.action != "user_login", slack.audit.entity.name,
+ null
+ ),
+ user.target.email = CASE(
+ user.target.email IS NOT NULL, user.target.email,
+ data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "user" AND event.action != "user_login", slack.audit.entity.email,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "file", slack.audit.entity.id,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "file", slack.audit.entity.name,
+ null
+ )
+```
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.full_name IS NOT NULL OR user.email IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ user.name = CASE(user.name IS NOT NULL, user.name, data_stream.dataset == "slack.audit", user.full_name, null)
+| EVAL
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, 
service.target.name,
+ data_stream.dataset == "slack.audit" AND event.action == "user_login", "Slack",
+ null
+ ),
+ user.target.id = CASE(
+ user.target.id IS NOT NULL, user.target.id,
+ data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "user" AND event.action != "user_login", slack.audit.entity.id,
+ null
+ ),
+ user.target.name = CASE(
+ user.target.name IS NOT NULL, user.target.name,
+ data_stream.dataset == "slack.audit" AND slack.audit.entity.entity_type == "user" AND event.action != "user_login", slack.audit.entity.name,
+ null
+ )
+| KEEP @timestamp, data_stream.dataset, event.action, user.id, user.name, user.target.id, user.target.name, service.target.name, slack.audit.entity.entity_type
+```
+
+### Streams excluded
+
+*(none — single audit stream only)*
+
+### Gaps and limitations
+
+- **`event.action` fallback** — not needed; ingest always sets `event.action`; `slack.action` is not retained post-rename.
+- **`user.email` tautology** — do not emit `CASE(actor_exists, user.email, user.email, …)`; same rule as `user.id` (ingest-only).
+- **`user.id` / `user.email` ES|QL** — ingest-only (`default.yml` L41–51); do not emit tautological `CASE(actor_exists, user.id, user.id, …)`; no indexed `slack.actor.user.*` at query time after rename.
+- **Channel, app, workflow, usergroup entity types** — pipeline rename paths exist; fixtures cover user/file only; extend `entity.target.*` when Tier A evidence exists.
+- **`slack.audit.context.*`** — workspace/enterprise scope is org context, not `service.target.*` on login.
+- **`user_login_failed`, `user_logout`, session invalidation** — treat like login family: service literal or omit target; never map self-referential `slack.audit.entity` user on auth events.
+- **`cloud.service.name`** — not set at ingest; `"Slack"` literal is query-time semantic only.
diff --git a/dev/domain/p1/snort.md b/dev/domain/p1/snort.md
new file mode 100644
index 00000000000..77456962c78
--- /dev/null
+++ b/dev/domain/p1/snort.md 
@@ -0,0 +1,461 @@
+# snort
+
+## Product Domain (Snort IDS/IPS)
+
+Snort is a widely deployed open-source network intrusion detection system (NIDS) and intrusion prevention system (IPS) maintained by Cisco. Deployed passively on mirrored network segments or inline on traffic paths, Snort inspects live packets against signature-based rules, protocol decoders, and preprocessor logic to detect malicious activity, policy violations, and protocol anomalies. In IPS mode it can actively drop or reset malicious sessions; in IDS mode it generates alerts for downstream analysis and incident response.
+
+Snort has a long history as the de facto standard for open-source network IDS, with extensive community and commercial rule sets (including Cisco Talos signatures). Organizations deploy Snort at network perimeters, data-center boundaries, and critical internal segments to gain visibility into north-south and east-west traffic. Snort 3 introduced a modern Lua-based configuration model, multi-threaded packet processing, and structured JSON alert output, while Snort 2.x remains common in legacy and embedded deployments such as pfSense.
+
+Security teams use Snort for real-time threat detection, compliance logging, forensic investigation, and feeding SIEM platforms with normalized network security events. The engine's alert outputs capture rule metadata, classification, priority, and packet-level context—including source/destination endpoints, protocol details, and optional base64-encoded payload data—enabling correlation of alerts with the underlying traffic that triggered them.
+
+## Data Collected (brief)
+
+The integration collects Snort alert logs via Elastic Agent **logfile** or **UDP/syslog** input into a single **log** data stream (`snort.log`). Supported source formats include Snort 3 JSON (`alert_json`), legacy Alert Fast, Alert Full (multiline), pfSense CSV, and syslog-wrapped alerts. 
Events are parsed into ECS fields (source/destination, network, rule, observer, event) with Snort-specific packet metadata retained under `snort.*` (generator ID, IP/TCP/UDP/ICMP header details). Typical alert content includes rule ID, name, classification, priority/severity, action, protocol, and endpoint addresses/ports.
+
+## Expected Audit Log Entities
+
+The single **log** data stream ingests Snort IDS/IPS alert telemetry — network security events, not identity-centric audit logs. All supported formats (JSON, Alert Fast, Alert Full, CSV, pfSense CSV, syslog-wrapped) produce `event.kind: alert` with `event.category: network`. There are no separate metrics or inventory streams.
+
+Actor and target are inferred from the packet 5-tuple (`src_addr`/`dst_addr` or legacy `->` notation → `source.*`/`destination.*`), well-known ports, `network.direction`, and rule metadata. There is no authenticated user principal. ECS `*.target.*` fields are **not populated** (no row in `target_fields_audit.csv`). `destination.user.*` / `destination.host.*` are **not used** (absent from `destination_identity_hits.csv`). `target_enhancement_packages.csv` classifies snort as **moderate_candidate_network_dest** with `pipeline_dest_network: true` but no Tier-A ECS target mapping.
+
+**`event.action` is absent from all fixtures and pipelines.** Snort's richest action signals — IPS disposition (`json.action`: `allow`/`block`), rule signature message (`json.msg` → `rule.description`), and pfSense CSV disposition (`Allow`) — are mapped to `event.type` or discarded with `_tmp` cleanup instead. See Event action sections below.
+
+| Stream / format | `event.action` in fixtures? | Pipeline maps to `event.action`? 
| Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| **log** — Snort 3 JSON | no | no | `json.action` (`allow`/`block`) | high | Renamed to `_tmp.action` (`json.yml` L199–202); `event.type: ["allowed"]` when `allow` (`default.yml` L158–167); `"action":"allow"` in `test-log-json.log-expected.json` originals |
+| **log** — Snort 3 JSON (detection) | no | no | `rule.description` ← `json.msg` | high | `"ICMP Traffic Detected"`, `"(http_inspect) gzip decompression failed"`, `"(icmp4) ICMP ping Nmap"` in JSON fixtures (`json.yml` L62–65) |
+| **log** — pfSense CSV | no | no | `_tmp.action` (CSV last field: `Allow`) | high | Grok captures disposition (`plaintext.yml` L11); `event.type: ["allowed"]` in `test-log-pfsense.log-expected.json` |
+| **log** — Alert Fast / Alert Full / default CSV / syslog | no | no | `rule.description` ← grok `msg` | high | Signature text only — no IPS disposition field (e.g. `"Pinging..."` in `sample_event.json`; `"ET SCAN Sipvicious User-Agent Detected"` in pfSense original) |
+| **log** — all formats (fallback) | no | no | `rule.id` ← `sid` | partial | Numeric signature ID when message absent; less human-readable |
+
+### Event action (semantic)
+
+What operation or activity does each stream record?
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| IDS/IPS rule triggered (signature match) | detection | high | `rule.description`, `rule.id`, `rule.category` on every alert (e.g. 
`"Pinging..."` sid `1000015` in `sample_event.json`; `"Attempted Administrator Privilege Gain"` WriteAndX in `test-log-json.log-expected.json`) | All formats — primary security "what happened" |
+| IPS traffic allowed (passive/IDS) | detection | high | Vendor `json.action: allow` or pfSense `Allow` → `event.type: ["allowed"]` | JSON and pfSense CSV only |
+| IPS traffic blocked/denied | detection | high | Vendor `json.action: block` → `event.type: ["denied"]` | JSON only — no `block` fixture; pipeline L164–167 in `default.yml` |
+| Network scan / reconnaissance detected | detection | high | Rule text + category (e.g. `"Detection of a Network Scan"` UPnP in `test-log-fast.log-expected.json`; `"ET SCAN Sipvicious User-Agent Detected"` in pfSense original) | Alert Fast / pfSense |
+| Protocol anomaly / preprocessor alert | detection | medium | Preprocessor gid + msg (e.g. gid `119` `"(http_inspect) gzip decompression failed"` in `test-log-json.log-expected.json`; gid `116` ICMP Nmap ping) | JSON primarily |
+| Same-src/dst traffic anomaly | detection | medium | `"BAD-TRAFFIC same SRC/DST"` rule in `test-log-pfsense.log-expected.json` / `test-log-fast.log-expected.json` | pfSense / Alert Fast |
+
+Plaintext Alert Fast, Alert Full, default CSV, and syslog formats carry **no IPS disposition field** — only signature metadata describes the action.
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? 
| Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `event.action` | no | n/a | — | — | Absent from `sample_event.json` and all `*-expected.json` |
+| `json.action` (vendor, removed post-pipeline) | no (→ `event.type`) | partial | `allow`, `block` | yes | `json.yml` L199–202 → `_tmp.action`; `default.yml` L158–167 appends `allowed`/`denied` to `event.type`; `_tmp` removed L230–235 |
+| `_tmp.action` (pfSense CSV grok) | no (→ `event.type`) | partial | `Allow` (normalize to `allow`) | yes | `plaintext.yml` L11; `event.type: ["allowed"]` in `test-log-pfsense.log-expected.json` |
+| `rule.description` | no | n/a | `"Pinging..."`, `"ICMP Traffic Detected"`, `"(http_inspect) gzip decompression failed"`, `"ET CINS Active Threat Intelligence Poor Reputation IP TCP group 95"` | yes | `json.msg` / grok `msg` → `rule.description` (`json.yml` L62–65; `plaintext.yml` L21–22); all fixtures |
+| `rule.id` | no | n/a | `"1000015"`, `"10000001"`, `"2403488"` | partial (alternate) | `sid` → `rule.id` (`json.yml` L72–76); numeric; pair with `rule.description` for readability |
+| `rule.category` | no | n/a | `"Misc activity"`, `"Attempted Administrator Privilege Gain"`, `"Misc Attack"` | partial (alternate) | Classification string — broader than per-signature action (`json.yml` L56–60) |
+| `event.type` / `event.category` | n/a (wrong ECS field for verb) | partial | `allowed`, `denied`; category `network` | no (keep as type/category) | Currently absorbs IPS disposition that belongs in `event.action` per ECS Event field-set |
+| `event.kind` | n/a | n/a | `alert` | no | Static set (`default.yml` L113–116); event class, not verb |
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| Flow / alert origin (default) | host | — | high | `source.ip`, `source.port`, `source.address`; packet origin in every fixture (e.g. 
`10.50.10.88 → 175.16.199.1` ICMP in `sample_event.json`; `10.100.20.59:57263 → 10.100.10.190:22` TCP in `test-log-csv.log-expected.json`) | All formats | +| Outbound client / scan origin | host | — | high | Internal host with ephemeral source port toward external or service port; `network.direction: outbound` (e.g. `192.168.88.10:1029 → 175.16.199.1:53` DNS query in `test-log-fast.log-expected.json`; `192.168.15.10:1035 → 175.16.199.1:1900` UPnP scan in same fixture) | Alert Fast / JSON | +| Inbound attack / external origin | host | — | high | External `source.ip` with service port toward internal `destination.*`; `network.direction: inbound` (e.g. `89.160.20.114:80 → 192.168.3.35:1047` HTTP in `test-log-json.log-expected.json`; `175.16.199.1:80 → 192.168.115.10:1051` in `test-log-fast.log-expected.json`) | Alert Fast / JSON | +| Lateral / internal attack | host | — | high | Both RFC1918 endpoints; `network.direction: internal` (e.g. `10.11.21.101:50084 → 10.11.21.11:445` WriteAndX attempt in `test-log-json.log-expected.json`; `192.168.202.110 → 192.168.27.27` Nmap ICMP ping in same fixture) | JSON / Alert Fast | +| DNS responder / server-side flow | host or service | — | medium | DNS server appears as `source.*` with `source.port: 53` (e.g. `10.100.10.1:53 → 10.100.10.190:36635` in `test-log-full.log-expected.json`; `175.16.199.1:53 → 10.100.10.190:54757` inbound DNS in `test-log-fast.log-expected.json`) | When responder is source side | +| Layer-2 origin | host | — | medium | `source.mac` when present (e.g. `52-54-00-70-78-9F` in `test-log-json.log-expected.json`; `00-25-90-3A-05-13` in `test-log-csv.log-expected.json`) | JSON / CSV formats | +| Geo-enriched external endpoint | host | — | medium | `source.geo.*`, `source.as.*` on public IPs (e.g. 
`89.160.20.114` Sweden/Bredband2 in `test-log-json.log-expected.json`; `175.16.199.1` China in `test-log-fast.log-expected.json`) | Optional geoip enrichment | +| Snort sensor / syslog wrapper | — | — | high | Not the actor — `observer.name` (`dev`), `process.name` (`snort`) from syslog prefix in `test-log-syslog.log-expected.json` and `sample_event.json`; static `observer.vendor`/`observer.product`/`observer.type` in `default.yml` | Syslog-wrapped alerts | + +No **user** actor is populated in fixtures; `user.name` / `user.id` are absent from all pipeline expected output. + +### Actor (ECS candidates) + +| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `source.ip` | Flow/alert origin host | yes | yes | high | `json.src_addr` / grok `source.address` → `source.ip` (`json.yml` L35–37; `plaintext.yml` L21–24; `default.yml` L72–76; all fixtures) | +| `source.port` | Flow/alert origin port | yes | yes | high | `json.src_port` / grok → `source.port` (`json.yml` L17–22; `plaintext.yml` CSV/FAST patterns) | +| `source.address` | Pre-conversion address string | yes | yes | high | Intermediate field before IP conversion (`default.yml` L72–76) | +| `source.mac` | L2 origin | yes | yes | high | `json.eth_src` / CSV MAC grok → normalized `source.mac` (`json.yml` L44–47; `default.yml` L87–101; JSON/CSV fixtures) | +| `source.geo.*`, `source.as.*` | Enriched origin | yes | yes | medium | geoip on `source.ip` (`default.yml` L169–207; inbound attack fixture with `89.160.20.114`) | +| `snort.gid` | Rule generator ID | yes (vendor) | n/a | low | `json.gid` / grok → `snort.gid` (`json.yml` L78–83; `plaintext.yml` L21); rule metadata, not traffic actor | +| `snort.tcp.*`, `snort.udp.*`, `snort.icmp.*`, `snort.ip.*` | Packet header context | yes (vendor) | n/a | high | Protocol-specific fields from JSON or Alert Full grok (`json.yml` L84–159; `plaintext.yml` L13–17); packet metadata, not entity identity | 
+| `observer.name`, `observer.product`, `observer.vendor`, `observer.type` | Sensor identity | yes | n/a | high | Static sets in `default.yml` L14–25; syslog `OBSERVER` grok for `observer.name` (`plaintext.yml` L30); identifies IDS sensor, not traffic actor | +| `observer.ingress.interface.name` | Capture interface | yes | n/a | medium | `json.iface` → `observer.ingress.interface.name` (`json.yml` L203–207; JSON fixtures) | +| `process.name` | Syslog program name | yes | n/a | high | Syslog grok `SYSLOGPROG` (`plaintext.yml` L32); wrapper metadata, not actor | +| `related.ip` | Correlation | yes | yes | high | Appends `source.ip` and `destination.ip` (`default.yml` L218–229) | + +### Target (semantic) + +| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | --- | --- | +| 1 — Network protocol / service | Application protocol or well-known service on destination port | SSH, DNS, HTTP, SMB, DHCP, … | service | — | high | `network.protocol` from `json.service` (`json.yml` L178–183; e.g. `netbios-ssn` on `:445`, `http` on inbound alert); `destination.port` — `:22` SSH in `test-log-csv.log-expected.json`, `:53` DNS in `test-log-fast.log-expected.json`, `:445` SMB in `test-log-json.log-expected.json` | JSON sets `network.protocol`; plaintext formats rely on port + `network.transport` | +| 2 — Host / endpoint | IP/MAC peer receiving or serving traffic | Internal victim, external server, resolver, broadcast | host | — | high | `destination.ip`, `destination.port`, `destination.mac` ← `dst_addr`/grok (`json.yml` L23–42; `plaintext.yml` L21–24); e.g. 
victim `192.168.3.35` on inbound HTTP alert, `10.11.21.11:445` on lateral SMB, `255.255.255.255:68` DHCP broadcast | Default for all alert formats | +| 2 — Rule-implied asset class | Signature classification describing attacked asset type | Windows endpoint, server | general | windows-endpoint, server | medium | `rule.category` + `rule.description` hint at asset type but do not replace IP/port (e.g. `Attempted Administrator Privilege Gain` / WriteAndX to `:445` in `test-log-json.log-expected.json`; `Detection of a Network Scan` UPnP rule in `test-log-fast.log-expected.json`) | Alert metadata only | +| 3 — Detection rule / payload | Triggered signature and optional packet payload | Snort rule, base64 payload | general | ids_rule, packet_payload | medium | `rule.id`, `rule.description`, `rule.category`, `rule.version` ← `sid`/`msg`/`class` (`json.yml` L56–77; grok in `plaintext.yml`); `json.b64_data` stripped at ingest (`json.yml` L8–11) — payload not retained in ECS output | Layer 3 content largely absent post-pipeline | + +**Same src/dst anomaly:** actor and target collapse to the same IP when both sides match (e.g. `175.16.199.1 → 175.16.199.1` ICMP and pfSense `BAD-TRAFFIC same SRC/DST` in `test-log-fast.log-expected.json` / `test-log-pfsense.log-expected.json`). + +### Target (ECS candidates) + +| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `destination.ip` | 2 | host | yes | yes | context-only (network peer) | yes → `host.target.ip` | `json.dst_addr` / grok → `destination.ip` (`json.yml` L29–33; `default.yml` L77–82); victim/server peer on alerts | +| `destination.port` | 1/2 | service/host | yes | yes | context-only | partial → `host.target.port` | `json.dst_port` / grok → `destination.port`; well-known ports imply service layer (`:22`, `:53`, `:445`, `:80`) | +| `destination.address` | 2 | host | yes | yes | context-only | yes → `host.target.ip` | Pre-conversion address string (`default.yml` L77–82) | +| `destination.mac` | 2 | host | yes | yes | context-only | yes → `host.target.mac` | `json.eth_dst` / CSV MAC grok → normalized `destination.mac` (JSON/CSV fixtures) | +| `destination.geo.*`, `destination.as.*` | 2 | host | yes | yes | context-only | no | geoip on `destination.ip` (`default.yml` L174–217; `sample_event.json`) | +| `network.protocol` | 1 | service | yes | yes | context-only | partial → `service.target.name` | `json.service` when not `unknown` (`json.yml` L178–183; e.g. 
`netbios-ssn`, `http`) | +| `network.transport` | 1 | service | yes | yes | context-only | no | `json.proto` / grok `{TCP\|UDP\|ICMP}` (`json.yml` L173–177; all fixtures) | +| `network.direction` | — | — | yes | yes | context-only | no | `network_direction` processor on internal networks (`default.yml` L151–153); aids actor/target role inference | +| `rule.id`, `rule.description`, `rule.category`, `rule.version` | 3 | general | yes | yes | context-only | no | Signature metadata from JSON/grok (`json.yml` L56–77; `plaintext.yml` L21–29) | +| `snort.gid` | 3 | general | yes (vendor) | n/a | context-only | no | Generator ID — identifies rule subsystem, not target entity (`json.yml` L78–83) | +| `snort.tcp.*`, `snort.icmp.*`, `snort.udp.*`, `snort.ip.*`, `snort.eth.length` | — | — | yes (vendor) | n/a | — | no | Packet header details; forensic context, not entity target | +| `event.severity` | 3 | general | yes | yes | context-only | no | `json.priority` / grok Priority (`json.yml` L192–197; all formats) | + +### Gaps and mapping notes + +- **`event.action` not mapped** — vendor `json.action` (`allow`/`block`) and pfSense CSV disposition (`Allow`) are consumed only to set `event.type` (`allowed`/`denied`) then discarded with `_tmp` cleanup; signature text in `rule.description` is the de-facto action label but also not copied to `event.action`. Recommended primary mapping: `json.action` / pfSense disposition for IPS mode; `rule.description` for IDS-only plaintext formats. +- **No ECS `*.target.*` fields** — victim/server endpoints live under `destination.*` as network flow peers; `target_enhancement_packages.csv` flags snort as **moderate_candidate_network_dest** for potential `host.target.ip` / port migration on alert victims. 
+- **`destination.*` is network context, not de-facto user/host audit target** — unlike firewall auth or email integrations, Snort never maps login-target or recipient identity to `destination.user.*`; all destination fields are 5-tuple peers from packet headers. +- **No user identity anywhere** — `user.*`, `destination.user.*`, and `related.user` are absent from pipelines, fields.yml, and all fixtures; Snort alerts carry no authenticated principal. +- **`json.b64_data` stripped at ingest** — base64 packet payload is removed (`json.yml` L8–11) and not available as a Layer 3 content target in ECS output; only `event.original` retains the raw log. +- **`observer.*` / `process.name`** identify the Snort sensor or syslog wrapper, not the traffic actor or target. +- **`snort.gid`** (generator ID) distinguishes which Snort subsystem fired the rule (e.g. gid 1 = rule engine, gid 119 = http_inspect) — rule metadata, not actor/target entity. +- **DNS direction** — query events treat resolver as `destination.*:53`; answer/responder events may reverse roles with `source.port: 53`; actor/target follow packet direction, not semantic client/server labels. +- **Plaintext formats lack `network.protocol` and IPS disposition** — Alert Fast, Alert Full, CSV, and syslog formats populate `network.transport` but not `network.protocol` or `json.action`; service inference relies on `destination.port` and rule description. + +### Per-stream notes + +All formats share the single **log** data stream and `default.yml` pipeline, branching to `json.yml` (JSON starting with `{`) or `plaintext.yml` (Alert Fast, Alert Full, CSV, pfSense CSV, syslog). **JSON** (`alert_json`) provides the richest vendor namespace (`snort.tcp.*`, `snort.icmp.*`, `network.protocol`, `observer.ingress.interface.name`, MAC addresses) and the only IPS disposition field (`json.action` → `event.type`). **Alert Full** adds multiline packet header details under `snort.*`. 
**CSV/pfSense** formats include MAC, extended TCP/IP fields, and pfSense-specific disposition (`Allow`). **Syslog-wrapped** alerts add `observer.name` and `process.name` from the syslog prefix. Action semantics: JSON/pfSense carry IPS allow/block; all other plaintext formats rely solely on `rule.description` for the detection verb. + +## Example Event Graph + +These examples come from the single **log** data stream (`snort.log`). Snort alerts are network IDS/IPS telemetry — audit-adjacent security events inferred from packet 5-tuples and rule metadata, not identity-centric audit logs. `event.action` is absent from all fixtures; action labels below are derived from `rule.description` (signature text). + +### Example 1: Outbound ICMP ping detection (syslog Alert Fast) + +**Stream:** `snort.log` · **Fixture:** `packages/snort/data_stream/log/sample_event.json` + +``` +Host 10.50.10.88 → Pinging... → Host 175.16.199.1 +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | 10.50.10.88 | +| type | host | +| ip | 10.50.10.88 | + +**Field sources:** +- `id ← source.ip` +- `ip ← source.ip` + +#### Event action + +| Field | Value | +| --- | --- | +| action | Pinging... | +| source_field | `rule.description` | +| source_value | `Pinging...` | + +Not mapped to ECS `event.action` today — signature message from grok `msg` in Alert Fast format. 
+ +#### Target + +| Field | Value | +| --- | --- | +| id | 175.16.199.1 | +| type | host | +| geo | Changchun, China | +| ip | 175.16.199.1 | + +**Field sources:** +- `id ← destination.ip` +- `geo ← destination.geo.city_name, destination.geo.country_name` +- `ip ← destination.ip` + +#### Mermaid (optional) + +```mermaid +flowchart LR + A["Actor: 10.50.10.88"] --> E["Pinging..."] + E --> T["Target: 175.16.199.1"] +``` + +### Example 2: Lateral SMB WriteAndX privilege-gain attempt (Snort 3 JSON) + +**Stream:** `snort.log` · **Fixture:** `packages/snort/data_stream/log/_dev/test/pipeline/test-log-json.log-expected.json` + +``` +Host 10.11.21.101 → OS-WINDOWS Microsoft Windows raw WriteAndX InData pointer adjustment attempt → SMB service 10.11.21.11:445 +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | 10.11.21.101 | +| type | host | +| ip | 10.11.21.101 | + +**Field sources:** +- `id ← source.ip` +- `ip ← source.ip`, `source.port` (50084) + +#### Event action + +| Field | Value | +| --- | --- | +| action | OS-WINDOWS Microsoft Windows raw WriteAndX InData pointer adjustment attempt | +| source_field | `rule.description` | +| source_value | `OS-WINDOWS Microsoft Windows raw WriteAndX InData pointer adjustment attempt` | + +Not mapped to ECS `event.action` today. IPS disposition `allow` from vendor `json.action` is mapped to `event.type: ["allowed"]` instead. 
+ +#### Target + +| Field | Value | +| --- | --- | +| id | 10.11.21.11:445 | +| type | service | +| sub_type | netbios-ssn | +| ip | 10.11.21.11 | + +**Field sources:** +- `id ← destination.ip, destination.port` +- `sub_type ← network.protocol` +- `ip ← destination.ip` + +#### Mermaid (optional) + +```mermaid +flowchart LR + A["Actor: 10.11.21.101"] --> E["WriteAndX attempt"] + E --> T["Target: 10.11.21.11:445 (SMB)"] +``` + +### Example 3: Inbound HTTP preprocessor alert (Snort 3 JSON) + +**Stream:** `snort.log` · **Fixture:** `packages/snort/data_stream/log/_dev/test/pipeline/test-log-json.log-expected.json` + +``` +Host 89.160.20.114 → (http_inspect) gzip decompression failed → HTTP service 192.168.3.35:1047 +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | 89.160.20.114 | +| type | host | +| geo | Linköping, Sweden | +| ip | 89.160.20.114 | + +**Field sources:** +- `id ← source.ip` +- `geo ← source.geo.city_name, source.geo.country_name` +- `ip ← source.ip`, `source.port` (80) + +#### Event action + +| Field | Value | +| --- | --- | +| action | (http_inspect) gzip decompression failed | +| source_field | `rule.description` | +| source_value | `(http_inspect) gzip decompression failed` | + +Not mapped to ECS `event.action` today. Preprocessor alert from `snort.gid` 119 (http_inspect); vendor `json.action: allow` → `event.type: ["allowed"]`. + +#### Target + +| Field | Value | +| --- | --- | +| id | 192.168.3.35:1047 | +| type | service | +| sub_type | http | +| ip | 192.168.3.35 | + +**Field sources:** +- `id ← destination.ip, destination.port` +- `sub_type ← network.protocol` +- `ip ← destination.ip` + +#### Mermaid (optional) + +```mermaid +flowchart LR + A["Actor: 89.160.20.114 (SE)"] --> E["gzip decompression failed"] + E --> T["Target: 192.168.3.35:1047 (HTTP)"] +``` + +## ES|QL Entity Extraction + +**Package type: agent-backed** (policy template `snort`, single `log` data stream per `manifest.yml`). 
Router: **`data_stream.dataset == "snort.log"`** for all formats (Snort 3 JSON, Alert Fast/Full, CSV, pfSense CSV, syslog-wrapped). Pass 4 is **fill-gaps-only**: detection flags (`actor_exists`, `target_exists`, `action_exists`) run first for query semantics; **mapped columns use column-level preserve** (` IS NOT NULL`), not `CASE(actor_exists, , …)` — a populated `entity.target.name` must not block `host.target.ip` from `destination.ip` (Pass 4 §10). Ingest does not populate `host.*`, ECS `*.target.*`, or `event.action` today — fallbacks promote **`source.*`** / **`destination.*`** (5-tuple peers) to `host.*` / `host.target.*`, **`network.protocol`** to `service.target.name` (JSON), and **`rule.description`** to `event.action` and Layer 3 `entity.target.name`. No authenticated user principal in any fixture. + +### Dataset inventory + +| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction | +| --- | --- | --- | --- | --- | +| `snort.log` | IDS/IPS alerts (all formats) | host | host, service, general (signature) | full | + +### Field mapping plan + +#### Actor mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `host.ip` | `source.ip` | `data_stream.dataset == "snort.log" AND source.ip IS NOT NULL` | high | **column-level preserve** (`host.ip IS NOT NULL`); **vendor fallback** — flow origin (all fixtures) | +| `host.ip` | `source.address` | `data_stream.dataset == "snort.log" AND source.ip IS NULL AND source.address IS NOT NULL` | high | **vendor fallback** — pre-conversion address | +| `host.id` | `source.ip` | `data_stream.dataset == "snort.log" AND source.ip IS NOT NULL` | high | **column-level preserve** (`host.id IS NOT NULL`); **vendor fallback** — Pass 3 actor `id` = source endpoint | +| `host.id` | `source.mac` | `data_stream.dataset == "snort.log" AND source.ip IS NULL AND source.mac IS NOT NULL` | medium | **vendor 
fallback** — L2-only origin (`test-log-json.log-expected.json`) | + +#### Target mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `host.target.ip` | `destination.ip` | `data_stream.dataset == "snort.log" AND destination.ip IS NOT NULL` | high | **column-level preserve** (`host.target.ip IS NOT NULL`); **de-facto destination.*** — session peer / victim | +| `host.target.ip` | `destination.address` | `data_stream.dataset == "snort.log" AND destination.ip IS NULL AND destination.address IS NOT NULL` | high | **de-facto destination.*** — pre-conversion | +| `host.target.ip` | `destination.mac` | `data_stream.dataset == "snort.log" AND destination.ip IS NULL AND destination.mac IS NOT NULL` | medium | **de-facto destination.*** — wireless peer MAC | +| `service.target.name` | `network.protocol` | `data_stream.dataset == "snort.log" AND network.protocol IS NOT NULL AND network.protocol != "unknown"` | high | **column-level preserve** (`service.target.name IS NOT NULL`); **vendor fallback** — JSON service layer (e.g. `netbios-ssn`, `http`) | +| `entity.target.name` | `rule.description` | `data_stream.dataset == "snort.log" AND rule.description IS NOT NULL` | high | **column-level preserve** (`entity.target.name IS NOT NULL`); **vendor fallback** — Layer 3 Snort signature artifact (Pass 2) | + +#### Event action mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `event.action` | `rule.description` | `data_stream.dataset == "snort.log" AND rule.description IS NOT NULL` | high | **column-level preserve** (`event.action IS NOT NULL`); **vendor fallback** — signature message (`json.msg` / grok `msg`; all formats); absent in fixtures today | + +### Detection flags (mandatory — run first) + +`actor_exists` omits `user.*` and `service.*` — no user principal and no service actor in Snort fixtures. 
`target_exists` checks official `*.target.*` columns only (ingest does not populate them today). **Actor/target/action `EVAL` blocks use column-level preserve** (` IS NOT NULL`) — not `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` — so one populated sibling column does not block fallbacks on empty columns (Pass 4 §10). + +```esql +| EVAL + actor_exists = host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +``` + +### Combined ES|QL — actor fields + +```esql +| EVAL + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "snort.log" AND source.ip IS NOT NULL, source.ip, + data_stream.dataset == "snort.log" AND source.ip IS NULL AND source.address IS NOT NULL, source.address, + null + ), + host.id = CASE( + host.id IS NOT NULL, host.id, + data_stream.dataset == "snort.log" AND source.ip IS NOT NULL, TO_STRING(source.ip), + data_stream.dataset == "snort.log" AND source.ip IS NULL AND source.mac IS NOT NULL, source.mac, + null + ) +``` + +### Combined ES|QL — event action + +```esql +| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "snort.log" AND rule.description IS NOT NULL, rule.description, + null + ) +``` + +### Combined ES|QL — target fields + +```esql +| EVAL + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset == "snort.log" AND destination.ip IS NOT NULL, destination.ip, + data_stream.dataset == "snort.log" AND destination.ip IS NULL AND destination.address IS NOT NULL, destination.address, + data_stream.dataset == "snort.log" AND destination.ip IS NULL AND destination.mac IS NOT NULL, 
destination.mac, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "snort.log" AND network.protocol IS NOT NULL AND network.protocol != "unknown", network.protocol, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "snort.log" AND rule.description IS NOT NULL, rule.description, + null + ) +``` + +### Full pipeline fragment (optional) + +```esql +FROM logs-* +| EVAL + actor_exists = host.id IS NOT NULL OR host.ip IS NOT NULL, + target_exists = host.target.ip IS NOT NULL OR service.target.name IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +| EVAL + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "snort.log" AND source.ip IS NOT NULL, source.ip, + data_stream.dataset == "snort.log" AND source.ip IS NULL AND source.address IS NOT NULL, source.address, + null + ), + host.id = CASE( + host.id IS NOT NULL, host.id, + data_stream.dataset == "snort.log" AND source.ip IS NOT NULL, TO_STRING(source.ip), + data_stream.dataset == "snort.log" AND source.ip IS NULL AND source.mac IS NOT NULL, source.mac, + null + ), + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "snort.log" AND rule.description IS NOT NULL, rule.description, + null + ), + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset == "snort.log" AND destination.ip IS NOT NULL, destination.ip, + data_stream.dataset == "snort.log" AND destination.ip IS NULL AND destination.address IS NOT NULL, destination.address, + data_stream.dataset == "snort.log" AND destination.ip IS NULL AND destination.mac IS NOT NULL, destination.mac, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "snort.log" AND network.protocol IS NOT NULL AND network.protocol != "unknown", 
network.protocol, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "snort.log" AND rule.description IS NOT NULL, rule.description, + null + ) +| KEEP @timestamp, data_stream.dataset, event.kind, event.action, host.ip, host.id, host.target.ip, service.target.name, entity.target.name, rule.id, network.direction +``` + +### Streams excluded + +*(none — single `log` stream; all formats share `snort.log` and 5-tuple extraction)* + +### Gaps and limitations + +- **No user identity** — `user.*`, `destination.user.*` absent from pipelines and fixtures; columns intentionally omitted. +- **IPS disposition not in `event.action` fallback** — vendor `json.action` / pfSense CSV disposition map to `event.type` (`allowed`/`denied`) at ingest and are removed with `_tmp`; `MV_FIRST(event.type)` is a poor verb substitute — prefer ingest mapping to `event.action`. +- **Plaintext formats lack `network.protocol`** — Alert Fast/Full, CSV, syslog; `service.target.name` fallback omitted when field absent (port-based service inference not wired). +- **`host.target.port`** — `destination.port` indexed but not promoted (not in mandatory Pass 4 column set); enhancement candidate per Pass 2. +- **Same src/dst anomaly** — actor and target can share the same IP (`test-log-fast.log-expected.json`, pfSense `BAD-TRAFFIC`); no ES|QL guard without extra fields. +- **`json.b64_data` stripped** — packet payload unavailable at query time (`json.yml` L8–11). +- **`observer.*` / `process.name`** — Snort sensor / syslog wrapper, not traffic actor or target. +- **`entity.target.type` / `entity.target.sub_type`** — omitted; `network.protocol` covers service sub-type where present; never emit `target.entity.type`. +- **Pass 2 enhancement alignment** — ingest-time `event.action` ← `json.action` / pfSense disposition and `host.target.*` ← `destination.*` remain preferred; Pass 4 fills gaps without overwriting populated values. 
+- **Column-level preserve (§10)** — `actor_exists` / `target_exists` / `action_exists` are query-time helpers only; mapped columns use ` IS NOT NULL` as the first `CASE` branch so `entity.target.name` from `rule.description` does not block `host.target.ip` ← `destination.ip`. No `CASE(col, col, …)` fallback branches — `host.*` / `*.target.*` are not ingest-populated today; only vendor/ECS peer fields appear in fallbacks. +- **Pass 4 CASE syntax** — all `CASE` use odd-arity defaults (`null`) or paired `(boolean, value)` branches only; column-level **3-arg** / **5-arg** / **7-arg** / **9-arg** preserve (` IS NOT NULL`, not `CASE(actor_exists, , …)` or `CASE(target_exists, , …)`). Never **4-arg** `CASE(flag, col, bare_field, null)` (bare field parses as a condition). Full pipeline fragment aligned with combined `EVAL` blocks (multi-fallback chains + `network.protocol != "unknown"`). diff --git a/dev/domain/p1/snyk.md b/dev/domain/p1/snyk.md new file mode 100644 index 00000000000..69e65c20f07 --- /dev/null +++ b/dev/domain/p1/snyk.md 
@@ -0,0 +1,520 @@
+# snyk
+
+## Product Domain
+
+Snyk is a developer security platform that helps organizations find and fix vulnerabilities and misconfigurations across the software development lifecycle. Rather than treating security as a separate gate at deployment, Snyk integrates into developer workflows—IDEs, CI/CD pipelines, source control, and container registries—so teams can identify and remediate risk in code, open-source dependencies, container images, infrastructure as code (IaC), and cloud environments before software reaches production.
+
+The platform is organized around groups, organizations, and projects. A project typically maps to a repository, application, or scan target (for example, a GitHub repo or a container image) and carries metadata such as origin, target file, branch reference, lifecycle stage, business criticality, and remediation settings. Snyk continuously tests these targets and surfaces findings as issues—package vulnerabilities, license violations, code flaws, cloud misconfigurations, and custom policy violations—each with severity, status, risk score, and fix guidance.
+
+From a security and governance perspective, Snyk records administrative and operational activity in audit logs. These events capture changes to users, permissions, groups, API access, project configuration, and issue lifecycle actions (such as creation, ignore, or resolution). Security and AppSec teams use Snyk to prioritize vulnerabilities by effective severity and risk score, track open versus resolved issues across the estate, and maintain an audit trail of platform activity for compliance and incident investigation.
+
+The Elastic Snyk integration polls the Snyk REST API (v2024-04-29) via Elastic Agent CEL input, supporting API token or OAuth2 authentication.
It ingests audit logs and vulnerability issues, normalizes them into ECS-aligned fields (including `vulnerability.*` for issue events), and optionally maintains a `latest_issues` transform destination for current-state issue tracking.
+
+## Data Collected (brief)
+
+- **Audit logs** (`snyk.audit_logs`): Platform activity from Snyk organization or group audit APIs, including event type (`event.action`), organization and project IDs, user ID, and change content (before/after values). Configurable filters for user, event type, and project.
+- **Issues** (`snyk.issues`): Vulnerability and policy findings for organizations or groups, including issue ID, title, type (package vulnerability, license, code, cloud, config, custom), status (open/resolved), effective severity, risk score, CVE/Snyk problem IDs, dependency coordinates, fixability flags, reachability, and related scan item (project) metadata such as origin, target file, branch, tags, and remediation settings.
+- **Latest issues transform** (`snyk.latest_issues`): Derived current-state view of issues from the issues data stream for easier filtering and dashboards.
+
+## Expected Audit Log Entities
+
+The integration has one true audit stream — **`snyk.audit_logs`** — polling Snyk organization/group audit APIs (REST v2024-04-29). **`snyk.issues`** is audit-adjacent vulnerability state (`event.kind: alert`), not user-activity audit. **`snyk.latest_issues`** is a derived transform over issues; it carries no actor/target audit semantics.
+
+Snyk audit events expose a top-level `user_id` (acting user), scope IDs (`org_id`, optional `group_id`, optional `project_id`), and event-specific payloads in flattened `snyk.audit_logs.content.*`. There is no native `actor`/`entity` envelope like Slack or GitLab.
+
+No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*` fields are populated (`target_fields_audit.csv` has no `snyk` row).
The package does not use `destination.user.*` or `destination.host.*` de-facto target fields (`destination_identity_hits.csv` has no `snyk` row). Target identity lives under `snyk.audit_logs.content.*`, top-level `snyk.audit_logs.project_id`, and (for issues) `snyk.issues.relationships.*`.
+
+**`event.action` is populated on `snyk.audit_logs`** — pipeline renames vendor `event` → `event.action` (e.g. `org.edit`, `org.user.invite`, `org.project.issue.create`). All 21 pipeline test fixtures and `sample_event.json` carry it. Pipeline also derives `event.type` and `event.category` from `event.action` via regex (L72–110). A secondary human-readable sub-action lives in `snyk.audit_logs.content.action` (e.g. `Returned from analysis`, `Cloned repo: …`) but is **not** mapped to ECS. **`snyk.issues`** and **`snyk.latest_issues`** have no `event.action`; findings are state snapshots, not auditable operations.
+
+### Event action (semantic)
+
+Snyk audit API events use dot-separated operation names as the primary action identifier. The pipeline maps these directly to `event.action`.
+ +| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | +| `org.edit` | configuration_change | high | `test-snyk-audit.json-expected.json`: org rename (`before`/`after.name`) | Organization metadata change | +| `org.user.invite` | administration | high | Fixture: invitee `content.email`, inviter `user_id` | IAM — user invitation | +| `org.user.invite_link.create` | administration | high | Fixture: `content.url` → `url.*` | IAM — open invite link creation | +| `org.user.add` | administration | high | Fixture: `content.userPublicId`, `content.role: ADMIN` | IAM — user added to org | +| `org.user.invite_link.accept` | administration | high | Fixture: invitee `content.email`, `content.invitingUserId` | IAM — invite link accepted | +| `org.integration.settings.edit` | configuration_change | high | Fixture: `content.before`/`after` integration settings | Org integration configuration | +| `org.sast_settings.edit` | configuration_change | high | Fixture: SAST settings diff | Org SAST configuration | +| `org.target.create` | administration | high | Fixture: `content.targetId` | SCM/container target registration | +| `org.project.add` | administration | high | Fixture: project creation with `project_id` | Project lifecycle | +| `org.project.edit` | configuration_change | high | Fixture: `content.snapshotId` | Project metadata change | +| `org.project.monitor` | data_access | high | Fixture: `content.origin: github`, `content.target` repo metadata | Continuous monitoring enabled | +| `org.project.test` | data_access | high | Fixture: `content.origin: cli` | Manual/on-demand project test | +| `org.project.files.create` | data_access | high | Fixture: `content.action: Cloned repo: …` | Background file import (no `user_id`) | +| `org.project.files.edit` | configuration_change | high | Fixture: `content.action: Modify files - exclude` | Project file-exclusion settings | +| `org.project.files.access` | 
data_access | high | Fixture: `content.action: Retrieve files` | File retrieval during import | +| `org.project.file.access` | data_access | high | Fixture: single-file access event | File-level access | +| `org.project.issue.create` | detection | high | `sample_event.json`: `content.action: Returned from analysis` | Automated issue analysis completion | +| `org.project.issue.edit` | configuration_change | high | Fixture: `content.issues` count | Bulk issue state change | +| `org.project.issue.access` | data_access | high | Fixture: issue snapshot access | Issue data read | +| `group.service_account.create` | administration | high | Fixture: `content.serviceAccountPublicId`, role permissions | Group-scoped service account creation | +| `Returned from analysis` / `Cloned repo: …` / `Modify files - exclude` / `Retrieve files` | operational_detail | high | `snyk.audit_logs.content.action` in file/issue fixtures | Sub-action detail within parent `event.action`; vendor-only | +| Issue finding state (`open`, `resolved`) | detection | moderate | `snyk.issues.attributes.status` in issues fixtures | **`snyk.issues`** — finding lifecycle state, not audit verb; no `event.action` | +| Issue type (`package_vulnerability`, etc.) | detection | moderate | `snyk.issues.attributes.type` in issues fixtures | **`snyk.issues`** — finding category dimension, not operation name | + +**`snyk.issues` / `snyk.latest_issues`:** No meaningful per-event action. These streams poll current issue records (`event.kind: alert`); they describe vulnerability findings, not who performed what operation. If `event.action` were needed for SIEM filtering, `snyk.issues.attributes.status` or `data_stream.dataset` would be weak substitutes — neither represents an auditable verb. + +### Event action (ECS candidates) + +| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | +| `snyk.audit_logs.event` | yes (renamed) | yes | `org.edit`, `org.user.invite`, `org.project.issue.create`, … (21 distinct values in test fixtures) | no | `audit_logs/default.yml` L68–71: `rename` → `event.action`; all audit fixtures | +| `event.action` | yes | yes | Same as vendor `event` field above | no | Populated in every `test-snyk-audit.json-expected.json` event and `audit_logs/sample_event.json` | +| `event.type` | no (derived) | partial | `user`, `creation`, `change`, `access`, `deletion` | no | Appended from `event.action` regex (L72–96); supplements but does not replace action | +| `event.category` | no (derived) | partial | `configuration`, `file`, `iam` | no | Appended from `event.action` regex (L97–110); category, not verb | +| `snyk.audit_logs.content.action` | no | n/a | `Returned from analysis`, `Cloned repo: …`, `Modify files - exclude`, `Retrieve files` | partial | Human-readable sub-action; retained vendor-only; could supplement `event.action` for file/issue events | +| `snyk.issues.attributes.status` | no | n/a | `open`, `resolved` | partial | Issues pipeline does not set `event.action`; state dimension only | +| `snyk.issues.attributes.type` | no | n/a | `package_vulnerability` | partial | Finding type, not audit operation | +| `event.action` (issues) | no | n/a | — | yes (if action needed) | Not set in issues pipeline or `test-snyk-issues.json-expected.json` | + +**Step 2b — per-stream check:** + +| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? 
| Primary action candidate | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `snyk.audit_logs` | yes | yes | `snyk.audit_logs.event` → `event.action` | high | All 21 `test-snyk-audit.json-expected.json` events; `sample_event.json`: `org.project.issue.create`; pipeline L68–71 | +| `snyk.issues` | no | no | None — no per-event action | high | `test-snyk-issues.json-expected.json` and `issues/sample_event.json` have no `event.action`; pipeline sets `event.kind: alert` only | +| `snyk.latest_issues` | no | no | None — transform inherits issues semantics | high | Elasticsearch transform over issues; no additional pipeline | + +### Actor (semantic) + +| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | +| Acting Snyk user | user | — | high | Top-level `user_id` present on org edits, IAM events, project tests, integration/SAST settings, target/project lifecycle, and issue access in `test-snyk-audit.json-expected.json` | `snyk.audit_logs` only | +| Invited or affected user (content) | user | — | medium | `content.email`, `content.userPublicId`, `content.invitingUserId` in IAM fixtures; appended to `related.user` but not promoted to `user.target.*` | `snyk.audit_logs` — actor may differ from content user (e.g. 
`org.user.invite`: inviter in `user.id`, invitee in `content.email`) | +| Automated / system actor | service | Snyk platform worker | medium | Fixtures omit `user_id` for `org.project.files.create/edit/access`, `org.project.issue.create`; `sample_event.json` issue-create also has no `user_id` | `snyk.audit_logs` — background import/scan pipeline; no ECS actor fields populated | +| CLI / integration channel context | general | integration_channel | low | `content.origin: "cli"` on `org.project.test`; `content.origin: "github"` on `org.project.monitor` and `org.integration.settings.edit` | `snyk.audit_logs` — describes invocation channel, not a separate security principal | + +**`snyk.issues`:** No audit actor. Findings are scanner output. Scan-item `relationships.importer` may reference a user when enrichment is expanded, but that is scan metadata, not an audit actor. + +### Actor (ECS candidates) + +| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `user.id` | Acting Snyk user ID | yes | yes | high | `set` copy_from `snyk.audit_logs.user_id` (`audit_logs/default.yml` L64–67); populated in all fixtures with `user_id` | +| `user.group.id` | Group scope (group-scoped events) | yes | partial | high | `rename`: `snyk.audit_logs.group_id` → `user.group.id` (L52–55); only `group.service_account.create` fixture; group is scope, not actor identity | +| `organization.id` | Org scope | yes | n/a | high | `set` copy_from `snyk.audit_logs.org_id` (L56–59); scope context on every audit event | +| `snyk.audit_logs.user_id` | Canonical vendor actor ID | yes (vendor) | n/a | high | Retained after ECS copy; source of truth for actor | +| `snyk.audit_logs.content.email` | Invitee / affected user email | yes (vendor) | n/a | medium | IAM fixtures; appended to `related.user` (L126–130) but not mapped to `user.target.email` | +| `snyk.audit_logs.content.userPublicId` | Affected user public ID | yes (vendor) 
| n/a | medium | `org.user.add` fixture; appended to `related.user` (L131–135) | +| `snyk.audit_logs.content.invitingUserId` | Inviter numeric ID (secondary actor ref) | yes (vendor) | n/a | low | `org.user.invite_link.accept` only; vendor-only, not appended to `related.user` | +| `snyk.audit_logs.content.origin` | Invocation channel (cli, github) | yes (vendor) | n/a | low | Context only; not an actor identity field | +| `related.user` | Cross-reference user IDs/emails | yes | partial | high | Appends `user_id`, `content.email`, `content.userPublicId` (L121–135); mixes actor and target user references without role distinction | + +### Target (semantic) + +| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | --- | --- | +| 1 — Platform / cloud service | Snyk developer-security SaaS platform | Snyk | service | — | medium | API polled at configurable `url` (default `https://api.snyk.io/`); no `cloud.service.name` or `cloud.provider` set in pipeline | Scope/platform layer inferred from integration; not ECS-mapped | +| 2 — Resource / object | Organization | Snyk organization | general | organization | high | `org_id` on every audit fixture; direct target on `org.edit` (`content.before`/`after.name`) | Both scope and rename target | +| 2 — Resource / object | Group | Snyk group | general | group | high | `group_id` → `user.group.id` on `group.service_account.create` | Group-scoped admin events only in fixtures | +| 2 — Resource / object | Project | Snyk project (scan container) | general | project | high | `snyk.audit_logs.project_id` on edit, issue, file, monitor, add events; `relationships.scan_item.data.id` (`type: project`) on issues | Audit and issues share project concept | +| 2 — Resource / object | Snyk import target | SCM/container target | general | target | high | `content.targetId` on `org.target.create`; `content.target` (`branch`, `name`, `owner`, 
`id`) on `org.project.monitor` | Upstream repo/image before project materialization | +| 2 — Resource / object | User (IAM target) | Snyk org user | user | — | high | `content.email`/`role` on `org.user.invite`; `content.userPublicId`/`role: ADMIN` on `org.user.add`; invitee email on `org.user.invite_link.accept` | Actor ≠ target on invite events | +| 2 — Resource / object | Service account | Snyk service account | general | service_account | high | `content.serviceAccountPublicId` on `group.service_account.create` with embedded role permissions | Created account is event target | +| 2 — Resource / object | Role / permissions | Snyk role | general | role | medium | `content.role`, `content.rolePublicId`, full role object with `groupPermissions`/`orgPermissions` | Assigned or created permission bundle | +| 2 — Resource / object | Integration / org settings | Org configuration | general | configuration | high | `content.before`/`content.after` on `org.integration.settings.edit`, `org.sast_settings.edit` | Settings object, not discrete resource ID | +| 2 — Resource / object | Project files / repository | Repository files | general | file | high | `org.project.files.create/edit/access`, `org.project.file.access`; clone URL in `content.action` | File-ingest during project import | +| 2 — Resource / object | Issues / snapshots (aggregate) | Issue batch / snapshot | general | issue | medium | `content.issues` count on issue edit/access; `content.snapshotId` on `org.project.edit` | Bulk counts, not individual issue IDs | +| 2 — Resource / object | Vulnerability finding | Snyk issue | general | package_vulnerability | high | `snyk.issues.id`, `attributes.type`, `attributes.key`, `vulnerability.id` | `snyk.issues` primary record; not an audit action target | +| 2 — Resource / object | Vulnerable package / dependency | Package coordinate | general | package | high | `attributes.coordinates[].representations[].dependency.package_name/version` (e.g. 
`expat`, `golang.org/x/crypto/ssh`) | Issues stream only | +| 3 — Content / artifact | Invite link, config diff, request metadata | URL / config diff / request ID | general | invite_link, config_diff, request_id | high (invite); medium (other) | `content.url` → `url.*` on `org.user.invite_link.create`; `content.before`/`after` on settings edits; `content.requestId` on file events; GitHub clone URL embedded in `content.action` | Artifacts enrich Layer 2 targets | + +### Target (ECS candidates) + +| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `organization.id` | 2 | general (organization) | yes | partial | `organization.id` / context | partial | Scope on every event; direct rename target on `org.edit` but same field serves both roles | +| `snyk.audit_logs.org_id` | 2 | general (organization) | yes (vendor) | n/a | `organization.id` | yes | Vendor canonical org ID; duplicated in ECS scope field | +| `snyk.audit_logs.project_id` | 2 | general (project) | yes (vendor) | n/a | `entity.target.id` / `resource.id` | yes | Project target on edit/issue/file/monitor events; never copied to ECS `*.target.*` | +| `snyk.audit_logs.content.targetId` | 2 | general (target) | yes (vendor) | n/a | `entity.target.id` | yes | `org.target.create` fixture | +| `snyk.audit_logs.content.target` | 2 | general (target) | yes (vendor) | n/a | `entity.target.*` | yes | GitHub repo metadata on `org.project.monitor` (`elastic/mito`, branch `dev`) | +| `snyk.audit_logs.content.email` | 2 | user | yes (vendor) | n/a | `user.target.email` | yes | Invitee on `org.user.invite`; invitee on `org.user.invite_link.accept`; in `related.user` but not `user.target.*` | +| `snyk.audit_logs.content.userPublicId` | 2 | user | yes (vendor) | n/a | `user.target.id` | yes | Added user on `org.user.add` | +| `snyk.audit_logs.content.serviceAccountPublicId` | 2 | general 
(service_account) | yes (vendor) | n/a | `entity.target.id` | yes | `group.service_account.create` | +| `snyk.audit_logs.content.role` / `.rolePublicId` | 2 | general (role) | yes (vendor) | n/a | `entity.target.*` | yes | Role assigned or created; vendor-only | +| `snyk.audit_logs.content.before` / `.after` | 3 | general (config_diff) | yes (vendor) | n/a | context-only | partial | Settings diff on org/integration/SAST edits | +| `url.*` | 3 | general (invite_link) | yes | partial | context-only | no | `uri_parts` on `content.url` (L136–139); invite link artifact | +| `snyk.issues.id` | 2 | general (package_vulnerability) | yes (vendor) | n/a | `vulnerability.id` / `entity.target.id` | partial | Issue UUID; partially mirrored via `vulnerability.id` from `attributes.problems` | +| `snyk.issues.relationships.scan_item.data.id` | 2 | general (project) | yes (vendor) | n/a | `entity.target.id` | yes | Project where finding was detected | +| `snyk.issues.relationships.scan_item.data.attributes.target_file` | 2 | general (target) | yes (vendor) | n/a | `file.path` / `entity.target.*` | yes | Manifest path within scan target (when enrichment present) | +| `snyk.issues.relationships.scan_item.data.attributes.target_reference` | 2 | general (target) | yes (vendor) | n/a | `entity.target.*` | yes | Branch/tag reference (when enrichment present) | +| `snyk.issues.relationships.scan_item.data.relationships.target` | 2 | general (target) | yes (vendor) | n/a | `entity.target.id` | yes | Upstream Snyk target entity link (pipeline fixup L163–166) | +| `vulnerability.id` / `vulnerability.severity` | 2 | general (package_vulnerability) | yes | yes | `vulnerability.*` | no | Mapped from `attributes.problems` and `effective_severity_level` (issues pipeline L61–84) | +| `cloud.service.name` | 1 | service | no | n/a | `service.target.name` | yes | Not set; static `snyk` would identify invoked SaaS platform | +| `destination.user.*` / `destination.host.*` | — | — | no | n/a | — | no | 
Not used | + +### Gaps and mapping notes + +- **`event.action` well-mapped on audit stream:** Vendor `event` → `event.action` is correct and complete for all audit fixtures. No enhancement needed for primary audit action mapping. +- **`content.action` sub-action not promoted:** Human-readable operational detail (`Returned from analysis`, `Cloned repo: …`, `Modify files - exclude`) stays in `snyk.audit_logs.content.action` only. Could supplement `event.action` on file/issue events if finer-grained filtering is needed — not an ECS gap for the primary verb. +- **Issues stream has no `event.action`:** Finding state (`attributes.status`, `attributes.type`) is not an auditable operation; absence is expected for `event.kind: alert` vulnerability records. +- **Actor-only ECS promotion:** Pipeline copies `user_id` → `user.id` but never maps content user fields to `user.target.*`. On `org.user.invite`, actor (`user.id` = inviter) differs from target (`content.email` = invitee); only inviter appears in `user.*`. +- **`org.user.add` actor/target conflation:** `user_id` equals `content.userPublicId` — both actor and added user share `user.id`. Semantically the admin actor may be absent from the payload. +- **`related.user` mixes roles:** Append processors add actor `user_id`, target `content.email`, and target `content.userPublicId` without distinguishing actor vs target — e.g. `org.user.invite` lists both inviter UUID and invitee email. +- **No official ECS target fields:** Aligns with `target_enhancement_packages.csv` (`snyk`, `moderate_candidate`, all `has_*_target` false, `has_vendor_target_fields: true`). Primary enhancement: promote `snyk.audit_logs.project_id`, `content.targetId`/`content.target`, and IAM `content.email`/`userPublicId` to `entity.target.*` / `user.target.*`. +- **Layer 1 SaaS gap:** No `cloud.provider` or `cloud.service.name` despite SaaS audit semantics. 
+- **Automated events lack actor:** Background file import and issue-analysis events omit `user_id`; no service-account or system principal field substitutes.
+- **`user.group.id` as scope, not actor:** Group ID maps to ECS user field set but represents organizational scope on group events.
+- **Issues stream is not audit:** `event.kind: alert` findings describe vulnerable assets (project, package) but carry no caller identity — useful for shared target taxonomy only.
+- **No de-facto `destination.*` targets:** Unlike email/auth integrations, Snyk does not map affected users to `destination.user.*`.
+- **`content.invitingUserId` orphaned:** Numeric inviter ID on invite-link accept is vendor-only and not appended to `related.user`.
+
+### Per-stream notes
+
+**`snyk.audit_logs`:** Sole true audit stream. Twenty-one pipeline test events plus `sample_event.json` cover org IAM, project lifecycle, file import, integration settings, and service-account creation. `event.action` carries the full Snyk operation name (e.g. `org.project.monitor`, `group.service_account.create`); `event.type`/`event.category` are regex-derived supplements. Target identity remains overwhelmingly vendor-namespaced.
+
+**`snyk.issues`:** Vulnerability/issue state (`event.kind: alert`). No `event.action`. Maps `organization.id`, `vulnerability.*`, and retains full `snyk.issues.*` tree including scan-item and target relationships when API enrichment is present. No actor fields; project/target/package entities mirror audit taxonomy for asset-centric detections.
+
+**`snyk.latest_issues`:** Elasticsearch transform destination for current issue state; inherits issues field semantics with no additional actor/target or action mapping.
+
+## Example Event Graph
+
+Examples below come from **`snyk.audit_logs`** (true Snyk organization audit API events with `event.action`) and **`snyk.issues`** (audit-adjacent vulnerability state snapshots with no `event.action` or audit actor).
The `snyk.latest_issues` transform inherits issues semantics and has no per-event graph.
+
+### Example 1: Admin invites user to organization
+
+**Stream:** `snyk.audit_logs` · **Fixture:** `packages/snyk/data_stream/audit_logs/_dev/test/pipeline/test-snyk-audit.json-expected.json`
+
+```
+Snyk user (inviter) → org.user.invite → invited user (email)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | `b4b324c4-a55c-4cd6-82b8-f96e3b3b8d85` |
+| type | user |
+
+**Field sources:**
+- `id` ← `user.id` (copy of `snyk.audit_logs.user_id`)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | `org.user.invite` |
+| source_field | `event.action` |
+| source_value | `org.user.invite` |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| name | `other.user@company.com` |
+| type | user |
+
+**Field sources:**
+- `name` ← `snyk.audit_logs.content.email` (invitee; not promoted to `user.target.email` today)
+
+Actor is the inviter (`user.id`); target is the invitee email in `content.email`. Both appear in `related.user` without role distinction.
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: b4b324c4… (inviter)"] --> E["org.user.invite"]
+ E --> T["Target: other.user@company.com"]
+```
+
+### Example 2: Automated issue analysis completes on project
+
+**Stream:** `snyk.audit_logs` · **Fixture:** `packages/snyk/data_stream/audit_logs/sample_event.json`
+
+```
+Snyk platform worker → org.project.issue.create → Snyk project
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| type | service |
+| sub_type | Snyk platform worker |
+
+**Field sources:**
+- No `user_id` in fixture — background scan/analysis pipeline; no ECS actor fields populated
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | `org.project.issue.create` |
+| source_field | `event.action` |
+| source_value | `org.project.issue.create` |
+
+Vendor sub-action `Returned from analysis` lives in `snyk.audit_logs.content.action` but is not mapped to ECS.
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | `d2bf0629-84a7-4b0b-b435-f49a87f0720c` |
+| type | general |
+| sub_type | project |
+
+**Field sources:**
+- `id` ← `snyk.audit_logs.project_id`
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: Snyk platform worker"] --> E["org.project.issue.create"]
+ E --> T["Target: project d2bf0629…"]
+```
+
+### Example 3: Open package vulnerability on GitHub project (state snapshot)
+
+**Stream:** `snyk.issues` · **Fixture:** `packages/snyk/data_stream/issues/sample_event.json`
+
+```
+(no audit actor) → open finding → vulnerable package on project
+```
+
+This stream polls current issue records (`event.kind: alert`); there is no auditable actor or ECS `event.action`. The graph below shows asset-centric detection semantics only.
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| type | service |
+| sub_type | Snyk scanner |
+
+**Field sources:**
+- No caller identity in fixture; scanner implied by `vulnerability.scanner.vendor: Snyk`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | `open` |
+| source_field | `snyk.issues.attributes.status` |
+| source_value | `open` |
+
+**Not mapped to ECS today** — finding lifecycle state, not an audit verb.
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | `bdb0b182-440e-483f-8f42-d4f5477e8349` |
+| name | `CVE-2024-32020` |
+| type | general |
+| sub_type | package_vulnerability |
+
+**Field sources:**
+- `id` ← `snyk.issues.id`
+- `name` ← `snyk.issues.attributes.title` (also `vulnerability.id` includes `CVE-2024-32020`)
+- Scan context: project `snyk/goof` (`snyk.issues.relationships.scan_item.data.attributes.name`), package `git` (`attributes.coordinates[].representations[].dependency.package_name`)
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (`policy_templates`, three data streams in `manifest.yml`; Tier A fixtures on `audit_logs` and `issues`).
Router: **`data_stream.dataset`** (`snyk.audit_logs`, `snyk.issues`, `snyk.latest_issues`). Pass 4 is **fill-gaps-only**: detection flags (`actor_exists`, `target_exists`, `action_exists`) run first for query semantics; **mapped columns use column-level preserve** (` IS NOT NULL`) — valid **3-arg**, **5-arg**, or **7-arg** `CASE` only — not `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` and never **4-arg** `CASE( IS NOT NULL, , bare_field, null)` (bare field parses as a boolean condition). Secondary routing on **`event.action`** for IAM targets — on **`org.user.invite`**, promote invitee **`snyk.audit_logs.content.email`** → `user.target.email` (Pass 3); do not map invitee email on **`org.user.invite_link.accept`** where `user.id` already equals the accepting user. Automated audit events without `user_id` → **`service.name`** `"Snyk"` (Pass 3 platform worker); **`snyk.issues`** uses the same scanner literal with no audit actor.
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `snyk.audit_logs` | platform audit | user, service | user, general (project, target, service_account) | full |
+| `snyk.issues` | vulnerability state (`event.kind: alert`) | service | general (finding) | partial |
+| `snyk.latest_issues` | transform snapshot | — | — | none |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.id` | `snyk.audit_logs.user_id` → `user.id` | `data_stream.dataset == "snyk.audit_logs"` | high | **ingest-only — no ES|QL**; pipeline `set` copy (`default.yml` L64–67); no alternate query-time source |
+| `service.name` | `"Snyk"` | `service.name IS NOT NULL` → preserve; else `data_stream.dataset == "snyk.audit_logs" AND user.id IS NULL` | medium | **column-level preserve**; **semantic literal** — automated worker
(Pass 3 example 2; `sample_event.json` issue-create) |
+| `service.name` | `"Snyk"` | `service.name IS NOT NULL` → preserve; else `data_stream.dataset == "snyk.issues"` | low | **column-level preserve**; **semantic literal** — scanner (Pass 3 example 3) |
+| `entity.type` | `"service"` | `entity.type IS NOT NULL` → preserve; else `data_stream.dataset == "snyk.audit_logs" AND user.id IS NULL` | medium | **column-level preserve**; **semantic literal** — pairs with `service.name` on background jobs |
+| `entity.sub_type` | `"Snyk platform worker"` | `entity.sub_type IS NOT NULL` → preserve; else `data_stream.dataset == "snyk.audit_logs" AND user.id IS NULL` | medium | **column-level preserve**; **semantic literal** — Pass 3 example 2 |
+| `entity.sub_type` | `"Snyk scanner"` | `entity.sub_type IS NOT NULL` → preserve; else `data_stream.dataset == "snyk.issues"` | low | **column-level preserve**; **semantic literal** — Pass 3 example 3 |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.target.email` | `snyk.audit_logs.content.email` | `user.target.email IS NOT NULL` → preserve; else `data_stream.dataset == "snyk.audit_logs" AND event.action == "org.user.invite"` | high | **column-level preserve**; **vendor fallback** — invitee; actor `user.id` ≠ target email (Pass 3 example 1) |
+| `entity.target.id` | `snyk.audit_logs.project_id` | `entity.target.id IS NOT NULL` → preserve; else dataset/action guards below | high | **column-level preserve**; **vendor fallback** — project (Pass 3 example 2) |
+| `entity.target.id` | `snyk.audit_logs.content.targetId` | `entity.target.id IS NOT NULL` → preserve; else `data_stream.dataset == "snyk.audit_logs" AND event.action == "org.target.create"` | high | **column-level preserve**; **vendor fallback** — SCM target registration |
+| `entity.target.id` | `snyk.audit_logs.content.serviceAccountPublicId` | `entity.target.id IS NOT
NULL` → preserve; else `data_stream.dataset == "snyk.audit_logs" AND event.action == "group.service_account.create"` | high | **column-level preserve**; **vendor fallback** — created service account | +| `entity.target.id` | `snyk.issues.id` | `entity.target.id IS NOT NULL` → preserve; else `data_stream.dataset == "snyk.issues"` | high | **column-level preserve**; **vendor fallback** — finding UUID | +| `entity.target.name` | `snyk.issues.attributes.title` | `entity.target.name IS NOT NULL` → preserve; else `data_stream.dataset == "snyk.issues"` | high | **column-level preserve**; **vendor fallback** — CVE/finding title (Pass 3 example 3) | +| `entity.target.sub_type` | `snyk.issues.attributes.type` | `entity.target.sub_type IS NOT NULL` → preserve; else `data_stream.dataset == "snyk.issues"` | high | **column-level preserve**; **vendor fallback** — e.g. `package_vulnerability` | + +### Detection flags (mandatory — run first) + +```esql +| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +``` + +No ingest-time ECS `*.target.*` on Snyk today — `target_exists` is typically false until fallback `EVAL`s run. + +**Semantics:** `actor_exists` / `target_exists` / `action_exists` are query-time helpers. Actor/target/classification **`EVAL` blocks use column-level preserve** (` IS NOT NULL`) — not `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` — so e.g. 
a populated `user.id` does not block `service.name` ← `"Snyk"` when `user.id` is empty on automated audit rows, and one populated `entity.target.id` does not block `entity.target.name` fallbacks (Pass 4 §10). + +### Optional classification helpers (when needed) + +Set in **fallback** only (column-level preserve on `entity.type`, `entity.sub_type`, `entity.target.sub_type`): + +```esql +| EVAL + entity.type = CASE( + entity.type IS NOT NULL, entity.type, + data_stream.dataset == "snyk.audit_logs" AND user.id IS NULL, "service", + data_stream.dataset == "snyk.issues", "service", + null + ), + entity.sub_type = CASE( + entity.sub_type IS NOT NULL, entity.sub_type, + data_stream.dataset == "snyk.audit_logs" AND user.id IS NULL, "Snyk platform worker", + data_stream.dataset == "snyk.issues", "Snyk scanner", + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "snyk.issues", snyk.issues.attributes.type, + data_stream.dataset == "snyk.audit_logs" AND snyk.audit_logs.project_id IS NOT NULL, "project", + data_stream.dataset == "snyk.audit_logs" AND event.action == "org.target.create", "target", + data_stream.dataset == "snyk.audit_logs" AND event.action == "group.service_account.create", "service_account", + null + ) +``` + +### Combined ES|QL — actor fields + +```esql +| EVAL + service.name = CASE( + service.name IS NOT NULL, service.name, + data_stream.dataset == "snyk.audit_logs" AND user.id IS NULL, "Snyk", + data_stream.dataset == "snyk.issues", "Snyk", + null + ) +``` + +**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs. With **4** args, the 3rd arg is a **boolean condition**, not a fallback value — `CASE(service.name IS NOT NULL, service.name, "Snyk", null)` would mean “else if `"Snyk"` is truthy, return `null`”. 
For preserve + one fallback use **3** args: `CASE(service.name IS NOT NULL, service.name, "Snyk")` when a single dataset applies; multi-dataset branches need **5+** args with an explicit `null` default. + +### Combined ES|QL — event action + +Omitted — `event.action` is populated on every **`snyk.audit_logs`** fixture via ingest rename `snyk.audit_logs.event` → `event.action` (`audit_logs/default.yml` L68–71). **`snyk.issues`** / **`snyk.latest_issues`** have no auditable verb; `snyk.issues.attributes.status` is finding state, not `event.action`. + +### Combined ES|QL — target fields + +```esql +| EVAL + user.target.email = CASE( + user.target.email IS NOT NULL, user.target.email, + data_stream.dataset == "snyk.audit_logs" AND event.action == "org.user.invite", snyk.audit_logs.content.email, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "snyk.audit_logs" AND snyk.audit_logs.project_id IS NOT NULL, snyk.audit_logs.project_id, + data_stream.dataset == "snyk.audit_logs" AND event.action == "org.target.create", snyk.audit_logs.content.targetId, + data_stream.dataset == "snyk.audit_logs" AND event.action == "group.service_account.create", snyk.audit_logs.content.serviceAccountPublicId, + data_stream.dataset == "snyk.issues", snyk.issues.id, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "snyk.issues", snyk.issues.attributes.title, + null + ) +``` + +### Full pipeline fragment (optional) + +```esql +FROM logs-* +| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR 
host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +| EVAL + entity.type = CASE( + entity.type IS NOT NULL, entity.type, + data_stream.dataset == "snyk.audit_logs" AND user.id IS NULL, "service", + data_stream.dataset == "snyk.issues", "service", + null + ), + entity.sub_type = CASE( + entity.sub_type IS NOT NULL, entity.sub_type, + data_stream.dataset == "snyk.audit_logs" AND user.id IS NULL, "Snyk platform worker", + data_stream.dataset == "snyk.issues", "Snyk scanner", + null + ), + service.name = CASE( + service.name IS NOT NULL, service.name, + data_stream.dataset == "snyk.audit_logs" AND user.id IS NULL, "Snyk", + data_stream.dataset == "snyk.issues", "Snyk", + null + ) +| EVAL + user.target.email = CASE( + user.target.email IS NOT NULL, user.target.email, + data_stream.dataset == "snyk.audit_logs" AND event.action == "org.user.invite", snyk.audit_logs.content.email, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "snyk.audit_logs" AND snyk.audit_logs.project_id IS NOT NULL, snyk.audit_logs.project_id, + data_stream.dataset == "snyk.audit_logs" AND event.action == "org.target.create", snyk.audit_logs.content.targetId, + data_stream.dataset == "snyk.audit_logs" AND event.action == "group.service_account.create", snyk.audit_logs.content.serviceAccountPublicId, + data_stream.dataset == "snyk.issues", snyk.issues.id, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "snyk.issues", snyk.issues.attributes.title, + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "snyk.issues", snyk.issues.attributes.type, + data_stream.dataset == "snyk.audit_logs" AND 
snyk.audit_logs.project_id IS NOT NULL, "project", + data_stream.dataset == "snyk.audit_logs" AND event.action == "org.target.create", "target", + data_stream.dataset == "snyk.audit_logs" AND event.action == "group.service_account.create", "service_account", + null + ) +| KEEP @timestamp, data_stream.dataset, event.action, user.id, service.name, entity.type, entity.sub_type, user.target.email, entity.target.id, entity.target.name, entity.target.sub_type, snyk.audit_logs.project_id +``` + +### Streams excluded + +- **`snyk.latest_issues`** — Elasticsearch transform over `snyk.issues`; inherits issues field semantics with no additional actor/target or `event.action` mapping. + +### Gaps and limitations + +- **`user.target.id` on `org.user.add` omitted** — fixture `user_id` equals `content.userPublicId`; mapping would tautologically duplicate actor `user.id` (Pass 2). +- **`org.user.invite_link.accept`** — `user.id` and `content.email` refer to the same accepting user; no separate invitee target branch. +- **`service.target.name` / Layer 1 SaaS** — not emitted; no Pass 3 platform-target example on generic audit rows; `cloud.service.name` not set at ingest. +- **`organization.id` is scope** — not mapped to `entity.target.*`; same field serves org-edit rename target. +- **Role, integration settings, file-ingest targets** — `content.role`, `content.before`/`after`, `content.action` remain vendor-only; extend `entity.target.*` when Tier A fixtures justify guards. +- **`snyk.issues` project/package targets** — `relationships.scan_item.*` and dependency coordinates exist in `issues/sample_event.json` but are omitted here to avoid guessing among multiple `entity.target.id` candidates. +- **`content.action` sub-operations** — vendor-only (`Returned from analysis`, `Cloned repo: …`); not promoted to `event.action`. +- **`user.id`** — **ingest-only — no ES|QL**; `CASE(user.id IS NOT NULL, user.id, user.id, …)` / `CASE(actor_exists, user.id, …)` omitted (Pass 4 tautology rule). 
+- **`CASE` preserve pattern** — use `CASE( IS NOT NULL, , …)` per column; do not gate fallbacks on `actor_exists` / `target_exists` when another populated column in the same flag would block an empty sibling (Pass 4 §10). +- **`user.name` / `user.email` / `user.domain`** — not indexed on audit stream; actor is `user.id` only. +- **Pass 2 enhancement alignment** — ingest-time promotion of IAM/project fields to `user.target.*` / `entity.target.*` remains preferred; Pass 4 fills gaps without overwriting populated values. diff --git a/dev/domain/p1/suricata.md b/dev/domain/p1/suricata.md new file mode 100644 index 00000000000..36f9bb7d5cc --- /dev/null +++ b/dev/domain/p1/suricata.md 
@@ -0,0 +1,523 @@ +# suricata + +## Product Domain + +Suricata is an open-source, high-performance network intrusion detection system (NIDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine maintained by the Open Information Security Foundation (OISF). Deployed inline or passively on network segments, Suricata inspects live traffic against signature-based rules (compatible with Snort and Emerging Threats rule sets), protocol parsers, and behavioral heuristics to detect malicious activity, policy violations, and protocol anomalies. In IPS mode it can actively block or drop malicious sessions; in IDS mode it generates alerts for downstream analysis and response. + +As an NSM platform, Suricata goes beyond simple signature matching by reconstructing application-layer protocols and emitting rich transaction logs for DNS, HTTP, TLS, SMB, SSH, SMTP, and other protocols. This deep packet inspection enables threat hunting, forensic reconstruction of network sessions, and correlation of alerts with the underlying traffic context. Organizations deploy Suricata at network perimeters, data-center boundaries, and critical internal segments to gain visibility into east-west and north-south traffic. + +Suricata is multi-threaded and designed for high-throughput environments, with configurable run modes, CPU affinity, and rule-set management to scale with traffic volume. Security teams use it for real-time threat detection, compliance logging, incident investigation, and feeding SIEM platforms with normalized network security events. The engine's Extensible Event Format (EVE) provides structured JSON output that captures alerts, flows, protocol transactions, file metadata, and performance statistics in a single log stream. + +## Data Collected (brief) + +The integration collects Suricata's EVE JSON log (`eve.json`) via Elastic Agent logfile input from the Suricata host. 
A single **eve** data stream ingests all configured EVE event types—typically including `alert` (rule-based security alerts with signature metadata and MITRE mappings), `anomaly`, `flow`, protocol logs (`dns`, `http`, `tls`, `ssh`, `smb`, `smtp`, `dhcp`, `nfs`, `kerberos`), `fileinfo` (extracted file hashes and metadata), and `stats` (engine performance counters). Events are parsed into ECS fields (source/destination, network, DNS, HTTP, TLS, rule, threat) with Suricata-specific fields retained under `suricata.eve.*`. + +## Expected Audit Log Entities + +The single **eve** data stream ingests Suricata EVE JSON — network security telemetry, not identity-centric audit logs. Event types include **alert** (IDS/IPS rule hits), **flow**, protocol transactions (`dns`, `http`, `tls`, `ssh`, `smb`, `smtp`, …), **fileinfo**, **anomaly**, and **stats** (engine metrics). Alerts and protocol logs are audit-adjacent security events; **stats** is pure engine telemetry with no actor/target endpoints. + +Actor and target are inferred from the flow 5-tuple (`src_ip`/`dest_ip` → `source.*`/`destination.*`), well-known ports, rule metadata, and application-layer fields. There is no authenticated user principal; `user_agent.*` reflects client software, not `user.*`. ECS `*.target.*` fields are **not populated** (no row in `target_fields_audit.csv`). `destination.user.*` / `destination.host.*` are **not used** (absent from `destination_identity_hits.csv`). `target_enhancement_packages.csv` classifies suricata as **strong_candidate** with pipeline actor and destination network evidence but no Tier-A ECS target mapping. + +**`event.action` is absent from all fixtures and pipelines.** Suricata's richest action signals — IPS disposition (`alert.action`: `allowed`/`blocked`), EVE `event_type`, rule signature name, HTTP method, and flow state — are mapped to `event.type`, `event.kind`, `event.category`, or vendor fields instead. See Event action sections below. 
+ +| Stream (EVE `event_type`) | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| **alert** | no | no | `alert.action` (`allowed`/`blocked`→`denied`) | high | Appended to `event.type` (`default.yml` L433–446); `event.type: ["allowed"]` in `test-eve-alerts.log-expected.json` | +| **alert** (detection) | no | no | `rule.name` ← `suricata.eve.alert.signature` | high | `rule.name: "ET POLICY curl User-Agent Outbound"` in alert fixtures (`default.yml` L428–431) | +| **dns** | no | no | `suricata.eve.event_type` + `dns.type` (`query`/`answer`) | medium | `event.type: ["protocol"]`, `dns.type: query` in `test-eve-dns-4-1-4.log-expected.json` | +| **http** | no | no | `http.request.method` (+ optional `url.path`) | medium | `http.request.method: GET` in alert/HTTP fixtures (`default.yml` L331–335) | +| **tls**, **ssh**, **smb**, **smtp**, … | no | no | `suricata.eve.event_type` (protocol observation) | medium | `event.type: ["protocol"]` on TLS in `test-eve-small.log-expected.json` | +| **flow** | no | no | `suricata.eve.flow.state` (`new`/`closed`) | medium | Appended as `event.type: start`/`end` (`default.yml` L319–330) | +| **fileinfo** | no | no | file extraction (`suricata.eve.fileinfo.state`) | medium | `file.path` populated; `event_type: fileinfo` not in type-params script (`test-eve-small.log-expected.json`) | +| **stats** | no | no | — (no per-event action) | high | `event.kind: metric`; engine counters only (`test-eve-small.log-expected.json`) | + +### Event action (semantic) + +What operation or activity does each stream record? + +| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | +| IDS/IPS rule triggered (signature match) | detection | high | `rule.name`, `rule.id` on alert events (e.g. 
`"ET POLICY curl User-Agent Outbound"`, sid `2013028`) | **alert** — primary security "what happened" | +| IPS traffic allowed | detection | high | Vendor `alert.action: allowed` → `event.type: ["allowed"]` | **alert** in IDS/passive mode | +| IPS traffic blocked/denied | detection | high | Vendor `alert.action: blocked` normalized to `denied` → `event.type` | **alert** in IPS/inline mode (no blocked fixture; pipeline L433–437) | +| Protocol transaction logged | data_access | high | EVE `event_type` drives `event.type: ["protocol"]` via type-params script | **dns**, **tls**, **ssh**, **smb**, **smtp**, **http**, … | +| HTTP request observed | data_access | medium | `http.request.method: GET` with optional `url.path` | **http** events and alerts with HTTP app-layer | +| DNS query / answer | data_access | medium | `dns.type: query` or `answer` with `dns.question.name` | **dns** only | +| Flow session start / end | connection | high | `flow.state: new` → `event.type: start`; `closed` → `end` | **flow** only | +| File metadata extracted | data_access | medium | `file.path`, `file.hash.*` from `suricata.eve.fileinfo.*` | **fileinfo** only | +| Engine performance snapshot | — | high | Counter aggregation under `suricata.eve.stats.*` | **stats** — no per-event verb; `event.kind: metric` | + +### Event action (ECS candidates) + +| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | +| `event.action` | no | n/a | — | — | Absent from all `sample_event.json` and `*-expected.json` | +| `alert.action` (vendor, removed post-pipeline) | no (→ `event.type`) | partial | `allowed`, `denied` | yes | `default.yml` L433–446 appends to `event.type`, then removes vendor field; `event.type: ["allowed"]` in `test-eve-alerts.log-expected.json` | +| `rule.name` | no | n/a | `"ET POLICY curl User-Agent Outbound"`, `"GPL ATTACK_RESPONSE id check returned root"` | yes | `default.yml` L428–431; alert fixtures | +| `rule.id` | no | n/a | `"2013028"`, `"2100498"` | partial (alternate) | Signature ID; less human-readable than `rule.name` | +| `suricata.eve.event_type` | no (→ `event.kind`/`event.category`/`event.type`) | partial | `alert`, `dns`, `http`, `tls`, `ssh`, `flow`, `fileinfo`, `stats` | partial | Type-params script (`default.yml` L167–273); `fileinfo`/`anomaly` not in params — fall through with minimal ECS typing | +| `http.request.method` | no | n/a | `GET` | partial | `default.yml` L331–335; HTTP/alert fixtures | +| `suricata.eve.flow.state` | no (→ `event.type` `start`/`end`) | partial | `new`, `closed` | partial | `default.yml` L319–330 | +| `dns.type` | no | n/a | `query`, `answer` | partial | DNS pipeline + fixtures (`test-eve-dns-4-1-4.log-expected.json`) | +| `suricata.eve.fileinfo.state` | no (vendor-only) | n/a | `CLOSED` | partial | Retained under vendor namespace on fileinfo events | +| `event.type` / `event.category` | n/a (wrong ECS field for verb) | partial | `allowed`, `protocol`, `access`, `connection`, `start`, `end` | no (keep as type/category) | Currently absorbs action semantics that belong in `event.action` per ECS Event field-set | + +### Actor (semantic) + +| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | +| Flow / protocol initiator | host | — | high | `source.ip`, `source.port`, `source.mac`; 
ephemeral client port toward service port (e.g. `192.168.86.85:55406 → 192.168.253.112:22` in `sample_event.json`, SSH in `test-eve-small.log-expected.json`) | Default for `flow`, `http`, `tls`, `ssh`, `dns` query, `fileinfo` | +| IDS alert — default side | host | — | high | `source.ip`, `source.port`; outbound client or external attacker in most signatures (e.g. `192.168.1.146 → 89.160.20.112:80` in `test-eve-alerts.log-expected.json`) | `event.kind: alert`, `event.category: intrusion_detection` | +| IDS alert — hostile side | host | — | medium | `suricata.eve.alert.hostile` (`src_ip` / `dest_ip`) marks malicious side; e.g. `hostile: ["src_ip"]` with `175.16.199.1:80 → 10.31.64.240` in `test-eve-metadata.log-expected.json` | Overrides default source=actor assumption when metadata present | +| DNS answer responder | host or service | — | medium | Resolver appears as `source.*` with `source.port: 53` when `dns.type: answer` (e.g. `192.168.86.1:53 → 192.168.86.85` in `test-eve-small.log-expected.json`; query direction reversed in `test-eve-dns-4-1-4.log-expected.json`) | DNS only | +| Geo-enriched external endpoint | host | — | medium | `source.geo.*`, `source.as.*` on public IPs (e.g. `175.16.199.1` China on metadata alert; `89.160.20.112` Sweden on alerts fixture) | Optional enrichment via geoip processors | +| HTTP/TLS client software | general | client_software | medium | `user_agent.original` ← `suricata.eve.http.http_user_agent` (e.g. 
`curl/7.58.0`, `Debian APT-HTTP/1.3` in alert fixtures); not a security principal | HTTP/alert events only | +| Suricata sensor | — | — | high | `observer.product`/`observer.vendor`/`observer.type` set when `forwarded` tag present (`default.yml`); identifies the IDS sensor, not the traffic actor | All forwarded events | +| Engine telemetry | — | — | high | No actor endpoint on `event_type: stats` — counters only (`test-eve-small.log-expected.json`) | stats stream semantics | + +No **user** actor is populated in fixtures; `user.name` / `user.id` are absent from all pipeline expected output. + +### Actor (ECS candidates) + +| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `source.ip` | Flow/alert origin host | yes | yes | high | `suricata.eve.src_ip` → `source.address` → `source.ip` (`default.yml` L98–107; all fixtures) | +| `source.port` | Flow/alert origin port | yes | yes | high | `suricata.eve.src_port` → `source.port` (`default.yml` L108–113) | +| `source.mac` | L2 origin | yes | yes | high | `suricata.eve.ether.src_mac` → formatted `source.mac` (`default.yml` L44–65; metadata alert fixture) | +| `source.geo.*`, `source.as.*` | Enriched origin | yes | yes | medium | geoip on `source.ip` (`default.yml` L692–731; metadata/alerts fixtures) | +| `source.packets`, `source.bytes` | Flow volume (origin side) | yes | yes | high | `suricata.eve.flow.pkts_toserver` / `bytes_toserver` (`default.yml` L611–625) | +| `suricata.eve.alert.hostile` | Malicious-side hint | yes (vendor) | n/a | medium | `alert.metadata.hostile` → `suricata.eve.alert.hostile` (`default.yml` L511–514; `test-eve-metadata.log-expected.json`) | +| `user_agent.*` | Client software fingerprint | yes | partial | medium | `user_agent` processor on `suricata.eve.http.http_user_agent` (`default.yml` L688–691); software string, not IAM/user account | +| `suricata.eve.ssh.client.software_version` | SSH client banner | yes 
(vendor) | n/a | low | Retained under vendor namespace (SSH event in `sample_event.json`) | +| `observer.product` / `observer.vendor` / `observer.type` | Sensor identity | yes | n/a | high | Static when `forwarded` tag (`default.yml` L8–22); not traffic actor | +| `related.ip` | Correlation | yes | yes | high | Appends `source.ip` and `destination.ip` (`default.yml` L748–758) | + +### Target (semantic) + +| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | --- | --- | +| 1 — Network protocol / service | Application protocol or well-known service on destination port | SSH, DNS, HTTP, TLS, … | service | — | high | `network.protocol` from `suricata.eve.event_type` / `app_proto` script (`default.yml` L167–290); `destination.port` — e.g. `:22` SSH in `sample_event.json`, `:53` DNS in `test-eve-dns-4-1-4.log-expected.json`, `:443` TLS alert in `test-eve-small.log-expected.json` | All protocol and alert events | +| 2 — Host / endpoint | IP/MAC peer receiving or serving traffic | Internal victim, external server, resolver | host | — | high | `destination.ip`, `destination.port`, `destination.mac` ← `dest_ip`/`dest_port`/ether (`default.yml` L114–130); e.g. 
victim `10.31.64.240` on attack-response alert, `192.168.253.112:22` SSH server | Default for flow, alert, protocol logs | +| 2 — Rule-implied asset class | Signature metadata describing attacked asset type | smtp-server, server | general | server, smtp-server | medium | `suricata.eve.alert.attack_target` ← rule metadata (`default.yml` L461–464; `["smtp-server","server"]` in `test-eve-metadata.log-expected.json`) | Alert only; supplements Layer 2 | +| 3 — Named resource / content | Hostname, URL, DNS name, file, cert | Domain, URL path, file hash | general | hostname, domain, url, file | medium | `destination.domain` ← HTTP hostname or TLS SNI (`default.yml` L341–365; `tls.yml` L214–218); `url.domain`/`url.path`; `dns.question.name`; `tls.client.server_name`; `file.path`/`file.hash.*` on fileinfo (`default.yml` L397–406; fileinfo in `test-eve-small.log-expected.json`) | HTTP, TLS, DNS, fileinfo, alerts with app-layer context | +| 3 — Detection rule | Triggered signature | Suricata rule | general | ids_rule | high | `rule.id`, `rule.name`, `rule.category` ← `suricata.eve.alert.*` (`default.yml` L418–432) | Alert only | + +**stats** events have no target entity — engine counters under `suricata.eve.stats.*` only. + +### Target (ECS candidates) + +| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `destination.ip` | 2 | host | yes | yes | context-only (network peer) | yes → `host.target.ip` | `suricata.eve.dest_ip` → `destination.ip` (`default.yml` L114–124); victim/server peer on alerts — network semantics, not official ECS target | +| `destination.port` | 1/2 | service/host | yes | yes | context-only | partial → `host.target.port` | `suricata.eve.dest_port` → `destination.port`; well-known ports imply service layer | +| `destination.mac` | 2 | host | yes | yes | context-only | yes → `host.target.mac` | `suricata.eve.ether.dest_mac` → `destination.mac` (metadata alert) | +| `destination.domain` | 3 | general | yes | yes | context-only | partial → `entity.target.name` | HTTP hostname append + TLS SNI set (`default.yml` L341–365; `tls.yml` L214–218) | +| `destination.geo.*`, `destination.as.*` | 2 | host | yes | yes | context-only | no | geoip on `destination.ip` (`default.yml` L698–741) | +| `destination.packets`, `destination.bytes` | 2 | host | yes | yes | context-only | no | Flow counters toward client (`default.yml` L607–625) | +| `network.protocol` | 1 | service | yes | yes | context-only | partial → `service.target.name` | Event-type script + `app_proto` (`default.yml` L167–290) | +| `dns.question.name` | 3 | general | yes | yes | context-only | partial | `suricata.eve.dns.rrname` via `registered_domain` + dns pipeline (`dns.yml`; DNS fixtures) | +| `tls.client.server_name` | 3 | general | yes | yes | context-only | partial | `suricata.eve.tls.sni` (`tls.yml` L209–213) | +| `url.domain`, `url.path`, `url.original` | 3 | general | yes | yes | context-only | partial | HTTP grok/rename (`default.yml` L366–386) | +| `file.path`, `file.size`, `file.hash.*` | 3 | general | yes | yes | context-only | partial → `file`-class target | `suricata.eve.fileinfo.*` (`default.yml` L397–406; fileinfo fixture) | +| `file.name` | 3 | general | yes | yes | context-only | partial | Alert metadata `filename` 
→ `file.name` (`default.yml` L560–564) | +| `rule.id`, `rule.name`, `rule.category` | 3 | general | yes | yes | context-only | no | Alert signature fields (`default.yml` L418–432) | +| `suricata.eve.alert.attack_target` | 2 | general | yes (vendor) | n/a | — | yes → `entity.target.type` or `service.target.name` | Rule metadata array; vendor-only, no ECS target mapping (`default.yml` L461–464) | +| `threat.tactic.id`, `threat.technique.id` | 3 | general | yes | partial | context-only | no | MITRE from rule metadata (`default.yml` L580–605); threat context, not entity target | + +### Gaps and mapping notes + +- **No ECS `*.target.*` fields** — victim/server endpoints live under `destination.*` as network peers; `target_enhancement_packages.csv` flags suricata as **strong_candidate** for Tier-A target migration (`host.target.ip` / port on alert victims). +- **`destination.*` is network context, not de-facto user/host audit target** — unlike firewall auth logs, Suricata never maps recipient/login-target identity to `destination.user.*`; all destination fields are flow 5-tuple peers. +- **`suricata.eve.alert.hostile` and `suricata.eve.alert.attack_target`** are the richest vendor target/actor hints but remain vendor-only (listed in `vendor_target_special_cases.csv`); no ECS `entity.target.*` equivalent. +- **`user_agent.*` vs `user.*`** — HTTP User-Agent strings (`curl/7.58.0`) populate `user_agent.original` correctly as client software; must not be interpreted as `user` actor. +- **`observer.*`** identifies the Suricata sensor when events are forwarded; it is not the traffic actor or target. +- **DNS direction** — query events treat resolver as `destination.*:53`; answer events reverse roles (`source.port: 53`); actor/target follow packet direction, not semantic "client/server" labels. +- **stats / anomaly without endpoints** — no actor or target; metrics dimensions under `suricata.eve.stats.*` are engine health, not per-flow entities. 
+- **`event.action` gaps** — `alert.action` (`allowed`/`blocked`) and `rule.name` (signature) are the strongest action candidates but map to `event.type` or `rule.*` instead of `event.action`. Recommended primary mapping: `event.action` ← `alert.action` (IPS disposition) on alerts; alternate `event.action` ← `rule.name` or normalized slug of signature for detection semantics. Protocol streams could use `event.action` ← `suricata.eve.event_type` (e.g. `dns`, `tls`) with `dns.type`/`http.request.method` as secondary detail — currently split across `event.type` and app-layer fields. +- **`event.type` conflates action with classification** — IPS disposition (`allowed`/`denied`) and flow lifecycle (`start`/`end`) are appended to `event.type` per ECS should be `event.action`; `event.type` should retain structural labels (`protocol`, `access`, `connection`, `info`). + +### Per-stream notes + +All EVE event types share the **eve** data stream and `default.yml` pipeline (with `dns.yml` / `tls.yml` sub-pipelines). + +- **alert** — Action: signature rule match + IPS disposition (`allowed`/`denied` in `event.type` today). Adds `rule.*`, `suricata.eve.alert.*` metadata, and optional HTTP/TLS app-layer context. `event.kind: alert`, `event.category: [network, intrusion_detection]`. +- **dns** — Action: DNS query or answer transaction. `event.type: ["protocol"]`; `dns.type` distinguishes query vs answer. +- **http** — Action: HTTP access (`event.type: ["access", "protocol"]`); `http.request.method` and `event.outcome` from status code. +- **tls**, **ssh**, **smb**, **smtp**, … — Action: protocol observation only (`event.type: ["protocol"]`). +- **flow** — Action: session lifecycle (`start`/`end` appended to `event.type` from `flow.state`). +- **fileinfo** — Action: file extraction logged; `file.path`/`file.hash.*` populated. `event_type: fileinfo` not in type-params script — minimal ECS typing. +- **stats** — No per-event action; `event.kind: metric`. 
Engine counters under `suricata.eve.stats.*` only. + +## Example Event Graph + +Examples below come from the **eve** data stream (`suricata.eve`) pipeline fixtures. Suricata EVE output is audit-adjacent network security telemetry — flow endpoints stand in for actors and targets; there is no authenticated user principal. **`event.action` is not populated** in any fixture; actions are derived from `rule.name`, `event.type`, or protocol fields. **stats** events are engine metrics only and have no per-event Actor → action → Target chain. + +### Example 1: IDS alert on outbound HTTP (curl User-Agent) + +**Stream:** `suricata.eve` · **Fixture:** `packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-alerts.log-expected.json` + +``` +Host (192.168.1.146) → rule match (ET POLICY curl User-Agent Outbound) → HTTP server (89.160.20.112 / example.net) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | 192.168.1.146 | +| type | host | +| ip | 192.168.1.146 | + +**Field sources:** +- `id` ← `source.ip` +- `ip` ← `source.ip` + +#### Event action + +| Field | Value | +| --- | --- | +| action | ET POLICY curl User-Agent Outbound | +| source_field | `rule.name` | +| source_value | ET POLICY curl User-Agent Outbound | + +**Not mapped to ECS `event.action` today** — signature name is stored in `rule.name`; IPS disposition (`allowed`) is in `event.type` instead. 
+ +#### Target + +| Field | Value | +| --- | --- | +| id | 89.160.20.112 | +| name | example.net | +| type | host | +| sub_type | http_service | +| geo | Linköping, Sweden | +| ip | 89.160.20.112 | + +**Field sources:** +- `id` ← `destination.ip` +- `name` ← `destination.domain` / `url.domain` +- `ip` ← `destination.ip` +- `geo` ← `destination.geo.city_name`, `destination.geo.country_name` + +#### Mermaid (optional) + +```mermaid +flowchart LR + A["Actor: 192.168.1.146"] --> E["ET POLICY curl User-Agent Outbound"] + E --> T["Target: example.net (89.160.20.112)"] +``` + +### Example 2: Attack-response alert (hostile source) + +**Stream:** `suricata.eve` · **Fixture:** `packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-metadata.log-expected.json` + +``` +Host (175.16.199.1, hostile) → rule match (GPL ATTACK_RESPONSE id check returned root) → victim host (10.31.64.240 / testmynids.org) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | 175.16.199.1 | +| type | host | +| geo | Changchun, China | +| ip | 175.16.199.1 | + +**Field sources:** +- `id` ← `source.ip` +- `ip` ← `source.ip` +- `geo` ← `source.geo.city_name`, `source.geo.country_name` +- Hostile side confirmed by `suricata.eve.alert.hostile: ["src_ip"]` (vendor metadata overrides default flow-direction assumption). + +#### Event action + +| Field | Value | +| --- | --- | +| action | GPL ATTACK_RESPONSE id check returned root | +| source_field | `rule.name` | +| source_value | GPL ATTACK_RESPONSE id check returned root | + +**Not mapped to ECS `event.action` today** — stored in `rule.name`; IPS disposition is `event.type: ["allowed"]`. 
+ +#### Target + +| Field | Value | +| --- | --- | +| id | 10.31.64.240 | +| name | testmynids.org | +| type | host | +| sub_type | smtp-server | +| ip | 10.31.64.240 | + +**Field sources:** +- `id` ← `destination.ip` +- `name` ← `destination.domain` +- `ip` ← `destination.ip` +- `sub_type` ← `suricata.eve.alert.attack_target` (`["smtp-server","server"]`) + +#### Mermaid (optional) + +```mermaid +flowchart LR + A["Actor: 175.16.199.1 (hostile)"] --> E["GPL ATTACK_RESPONSE id check returned root"] + E --> T["Target: testmynids.org (10.31.64.240)"] +``` + +### Example 3: DNS query transaction + +**Stream:** `suricata.eve` · **Fixture:** `packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json` + +``` +Host (10.0.2.15) → DNS query → google.com +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | 10.0.2.15 | +| type | host | +| ip | 10.0.2.15 | + +**Field sources:** +- `id` ← `source.ip` +- `ip` ← `source.ip` + +#### Event action + +| Field | Value | +| --- | --- | +| action | query | +| source_field | `dns.type` | +| source_value | query | + +**Not mapped to ECS `event.action` today** — `dns.type` holds the verb; `event.type` is `["protocol"]` and `suricata.eve.event_type` is `dns`. + +#### Target + +| Field | Value | +| --- | --- | +| name | google.com | +| type | general | +| sub_type | dns_name | + +**Field sources:** +- `name` ← `dns.question.name` (queried RR name; primary object of the DNS transaction) +- `sub_type` ← `dns.type: query` + `suricata.eve.dns.rrtype: A` + +**Scope context (not target):** resolver peer **10.0.2.3:53** (`destination.ip`, `destination.port`) — DNS session endpoint, not the name being looked up. 
+ +#### Mermaid (optional) + +```mermaid +flowchart LR + A["Actor: 10.0.2.15"] --> E["DNS query"] + E --> T["Target: google.com"] +``` + +## ES|QL Entity Extraction + +**Package type: agent-backed** (policy template `suricata`, single **eve** data stream per `manifest.yml`; Tier A fixtures in `sample_event.json` and `*-expected.json`). Router: **`data_stream.dataset == "suricata.eve"`** with secondary **`event.kind`**, **`suricata.eve.event_type`**, and **`dns.type`**. Pass 4 is **fill-gaps-only**: detection flags (`actor_exists`, `target_exists`, `action_exists`) run first for query semantics; **mapped columns use column-level preserve** (` IS NOT NULL`), not `CASE(actor_exists, , …)` — e.g. a populated `entity.target.name` must not block `host.target.ip` from `destination.ip` (Pass 4 §10). Ingest does not populate `host.*`, ECS `*.target.*`, or `event.action` today — fallbacks promote **`source.*`** / **`destination.*`** (5-tuple peers) to `host.*` / `host.target.*`, **`network.protocol`** to `service.target.name`, and DNS/signature artifacts to `entity.target.*`. **`stats`** (`event.kind == "metric"`) excluded. No authenticated user principal in any fixture. 
+ +### Dataset inventory + +| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction | +| --- | --- | --- | --- | --- | +| `suricata.eve` (alert, flow, protocol logs, fileinfo) | NIDS/NSM telemetry | host | host, service, general | partial | +| `suricata.eve` (stats) | engine metrics | — | — | none | + +### Field mapping plan + +#### Actor mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `host.ip` | `source.ip` | `data_stream.dataset == "suricata.eve" AND event.kind != "metric" AND NOT MV_CONTAINS(suricata.eve.alert.hostile, "dest_ip")` | high | **column-level preserve** (`host.ip IS NOT NULL`); **vendor fallback** — default flow origin (all fixtures) | +| `host.ip` | `destination.ip` | `data_stream.dataset == "suricata.eve" AND MV_CONTAINS(suricata.eve.alert.hostile, "dest_ip")` | medium | **vendor fallback** — hostile side override (`hostile` is keyword array; sparse fixture) | +| `host.id` | `source.ip` | `data_stream.dataset == "suricata.eve" AND event.kind != "metric" AND source.ip IS NOT NULL AND NOT MV_CONTAINS(suricata.eve.alert.hostile, "dest_ip")` | high | **column-level preserve** (`host.id IS NOT NULL`); **vendor fallback** — Pass 3 actor `id` = source endpoint | +| `host.id` | `destination.ip` | `data_stream.dataset == "suricata.eve" AND MV_CONTAINS(suricata.eve.alert.hostile, "dest_ip")` | medium | **vendor fallback** — hostile on destination side | +| `host.mac` | `source.mac` | `data_stream.dataset == "suricata.eve" AND source.mac IS NOT NULL` | high | **column-level preserve** (`host.mac IS NOT NULL`); **vendor fallback** — L2 origin (`test-eve-metadata.log-expected.json`) | + +#### Target mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `host.target.ip` | `destination.ip` | `data_stream.dataset == "suricata.eve" AND event.kind 
!= "metric" AND destination.ip IS NOT NULL` | high | **column-level preserve** (`host.target.ip IS NOT NULL`); **de-facto destination.*** — session peer / victim (Pass 2 strong_candidate) | +| `host.target.name` | `destination.domain` | `data_stream.dataset == "suricata.eve" AND destination.domain IS NOT NULL` | high | **column-level preserve** (`host.target.name IS NOT NULL`); **de-facto destination.*** — HTTP hostname / TLS SNI | +| `service.target.name` | `network.protocol` | `data_stream.dataset == "suricata.eve" AND network.protocol IS NOT NULL` | high | **column-level preserve** (`service.target.name IS NOT NULL`); **vendor fallback** — application protocol (e.g. `http`, `ssh`, `dns`) | +| `entity.target.id` | `rule.id` | `data_stream.dataset == "suricata.eve" AND event.kind == "alert" AND rule.id IS NOT NULL` | high | **column-level preserve** (`entity.target.id IS NOT NULL`); **vendor fallback** — triggered signature ID | +| `entity.target.name` | `dns.question.name` | `data_stream.dataset == "suricata.eve" AND suricata.eve.event_type == "dns" AND dns.question.name IS NOT NULL` | high | **column-level preserve** (`entity.target.name IS NOT NULL`); **vendor fallback** — queried RR name (Pass 3; not resolver `destination.ip`) | +| `entity.target.name` | `rule.name` | `data_stream.dataset == "suricata.eve" AND event.kind == "alert" AND rule.name IS NOT NULL` | high | **vendor fallback** — signature artifact on alerts | + +#### Event action mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `event.action` | `rule.name` | `data_stream.dataset == "suricata.eve" AND event.kind == "alert" AND rule.name IS NOT NULL` | high | **column-level preserve** (`event.action IS NOT NULL`); **vendor fallback** — signature verb (Pass 3 Example 1–2); absent in fixtures today | +| `event.action` | `dns.type` | `data_stream.dataset == "suricata.eve" AND suricata.eve.event_type == "dns" AND 
dns.type IS NOT NULL` | medium | **vendor fallback** — `query` / `answer` (`test-eve-dns-4-1-4.log-expected.json`) | +| `event.action` | `http.request.method` | `data_stream.dataset == "suricata.eve" AND suricata.eve.event_type == "http" AND http.request.method IS NOT NULL` | medium | **vendor fallback** — HTTP access verb | + +### Detection flags (mandatory — run first) + +`actor_exists` omits `user.*` and `service.*` — no IAM principal; `user_agent.*` is client software. `target_exists` checks official `*.target.*` columns only (ingest does not populate them today). **Actor/target/action `EVAL` blocks use column-level preserve** (` IS NOT NULL`) — not `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` — so one populated sibling column does not block fallbacks on empty columns (Pass 4 §10). + +**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. Wrong: `CASE(host.ip IS NOT NULL, host.ip, source.ip, null)` (4 args — `source.ip` is a **condition**, not a value). Wrong: `CASE(actor_exists, host.ip, source.ip, null)` (4 args — `source.ip` parses as condition). Right: **3-arg** `CASE(event.action IS NOT NULL, event.action, rule.name)` or **5-arg** `CASE(host.ip IS NOT NULL, host.ip, data_stream.dataset == "suricata.eve" AND source.ip IS NOT NULL, source.ip, null)` or **7-arg** hostile override + default `null`. 
+ +```esql +| EVAL + actor_exists = host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +``` + +### Combined ES|QL — actor fields + +```esql +| EVAL + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "suricata.eve" AND event.kind != "metric" AND MV_CONTAINS(suricata.eve.alert.hostile, "dest_ip"), TO_STRING(destination.ip), + data_stream.dataset == "suricata.eve" AND event.kind != "metric" AND source.ip IS NOT NULL, TO_STRING(source.ip), + null + ), + host.id = CASE( + host.id IS NOT NULL, host.id, + data_stream.dataset == "suricata.eve" AND event.kind != "metric" AND MV_CONTAINS(suricata.eve.alert.hostile, "dest_ip"), TO_STRING(destination.ip), + data_stream.dataset == "suricata.eve" AND event.kind != "metric" AND source.ip IS NOT NULL, TO_STRING(source.ip), + null + ), + host.mac = CASE( + host.mac IS NOT NULL, host.mac, + data_stream.dataset == "suricata.eve" AND source.mac IS NOT NULL, source.mac, + null + ) +``` + +### Combined ES|QL — event action + +```esql +| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "suricata.eve" AND event.kind == "alert" AND rule.name IS NOT NULL, rule.name, + data_stream.dataset == "suricata.eve" AND suricata.eve.event_type == "dns" AND dns.type IS NOT NULL, dns.type, + data_stream.dataset == "suricata.eve" AND suricata.eve.event_type == "http" AND http.request.method IS NOT NULL, http.request.method, + null + ) +``` + +### Combined ES|QL — target fields + +```esql +| EVAL + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset == "suricata.eve" AND event.kind != "metric" 
AND destination.ip IS NOT NULL, destination.ip, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "suricata.eve" AND destination.domain IS NOT NULL, destination.domain, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "suricata.eve" AND network.protocol IS NOT NULL, network.protocol, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "suricata.eve" AND event.kind == "alert" AND rule.id IS NOT NULL, rule.id, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "suricata.eve" AND suricata.eve.event_type == "dns" AND dns.question.name IS NOT NULL, dns.question.name, + data_stream.dataset == "suricata.eve" AND event.kind == "alert" AND rule.name IS NOT NULL, rule.name, + null + ) +``` + +### Full pipeline fragment (optional) + +```esql +FROM logs-* +| EVAL + actor_exists = host.id IS NOT NULL OR host.ip IS NOT NULL, + target_exists = host.target.ip IS NOT NULL OR host.target.name IS NOT NULL OR service.target.name IS NOT NULL OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +| EVAL + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "suricata.eve" AND event.kind != "metric" AND MV_CONTAINS(suricata.eve.alert.hostile, "dest_ip"), TO_STRING(destination.ip), + data_stream.dataset == "suricata.eve" AND event.kind != "metric" AND source.ip IS NOT NULL, TO_STRING(source.ip), + null + ), + host.id = CASE( + host.id IS NOT NULL, host.id, + data_stream.dataset == "suricata.eve" AND event.kind != "metric" AND MV_CONTAINS(suricata.eve.alert.hostile, "dest_ip"), TO_STRING(destination.ip), + data_stream.dataset == "suricata.eve" AND event.kind != "metric" AND source.ip IS NOT NULL, TO_STRING(source.ip), + null + ), + host.mac = CASE( + 
host.mac IS NOT NULL, host.mac, + data_stream.dataset == "suricata.eve" AND source.mac IS NOT NULL, source.mac, + null + ), + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "suricata.eve" AND event.kind == "alert" AND rule.name IS NOT NULL, rule.name, + data_stream.dataset == "suricata.eve" AND suricata.eve.event_type == "dns" AND dns.type IS NOT NULL, dns.type, + data_stream.dataset == "suricata.eve" AND suricata.eve.event_type == "http" AND http.request.method IS NOT NULL, http.request.method, + null + ), + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset == "suricata.eve" AND event.kind != "metric" AND destination.ip IS NOT NULL, destination.ip, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "suricata.eve" AND destination.domain IS NOT NULL, destination.domain, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "suricata.eve" AND network.protocol IS NOT NULL, network.protocol, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset == "suricata.eve" AND event.kind == "alert" AND rule.id IS NOT NULL, rule.id, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "suricata.eve" AND suricata.eve.event_type == "dns" AND dns.question.name IS NOT NULL, dns.question.name, + data_stream.dataset == "suricata.eve" AND event.kind == "alert" AND rule.name IS NOT NULL, rule.name, + null + ) +| KEEP @timestamp, data_stream.dataset, event.kind, event.action, host.ip, host.id, host.mac, host.target.ip, host.target.name, service.target.name, entity.target.id, entity.target.name, rule.name, network.protocol +``` + +### Streams excluded + +- **`suricata.eve` where `event.kind == "metric"`** (EVE `event_type: stats`) — engine performance 
counters under `suricata.eve.stats.*`; no flow endpoints or per-event actor/target/action. + +### Gaps and limitations + +- **No `user.*` actor** — `user_agent.original` is client software, not IAM principal; columns intentionally omitted. +- **IPS disposition not in `event.action` fallback** — vendor `alert.action` maps to `event.type` (`allowed`/`denied`) at ingest and is removed post-pipeline; `MV_FIRST(event.type)` is a poor verb substitute — prefer ingest mapping to `event.action`. +- **`suricata.eve.alert.hostile`** — keyword array; only `src_ip` hostile in Tier A metadata fixture; `MV_CONTAINS(..., "dest_ip")` branch unverified in-repo. +- **DNS direction** — resolver appears as `destination.*:53` on queries; `dns.question.name` is the semantic target (Pass 3); `host.target.ip` remains resolver peer. +- **`fileinfo` targets** — `file.path` / `file.hash.*` not wired; extend `entity.target.*` when file-centric graphs needed. +- **`host.target.port`** — `destination.port` indexed but omitted (not in mandatory column set). +- **`observer.*`** — Suricata sensor when `forwarded` tag present; not traffic actor or target. +- **`entity.target.type` / `entity.target.sub_type`** — omitted; stream-level `CASE` routing suffices; never emit `target.entity.type` or `actor.entity.type`. +- **Pass 2 enhancement alignment** — ingest-time `host.target.*` ← `destination.*` and `event.action` ← IPS disposition remain preferred; Pass 4 fills gaps without overwriting populated values. +- **Column-level preserve (§10)** — `actor_exists` / `target_exists` / `action_exists` are query-time helpers only; mapped columns use ` IS NOT NULL` as the first `CASE` branch so `entity.target.name` from `rule.name` does not block `host.target.ip` ← `destination.ip`. No `CASE(col, col, …)` fallback branches — `host.*` / `*.target.*` are not ingest-populated today; only vendor/ECS peer fields appear in fallbacks. 
+- **Pass 4 CASE syntax** — all `CASE` use odd-arity defaults (`null`) or paired `(boolean, value)` branches only; column-level **3-arg** / **5-arg** / **7-arg** / **9-arg** preserve (` IS NOT NULL`, not `CASE(actor_exists, , …)` or `CASE(target_exists, , …)`). Never **4-arg** `CASE( IS NOT NULL, , bare_field, null)` or `CASE(actor_exists, host.ip, source.ip, null)` (bare field parses as a condition). Full pipeline fragment aligned with combined `EVAL` blocks (hostile override, multi-fallback `event.action` / `entity.target.name` chains).
diff --git a/dev/domain/p1/sysdig.md b/dev/domain/p1/sysdig.md
new file mode 100644
index 00000000000..3e9e9fdea84
--- /dev/null
+++ b/dev/domain/p1/sysdig.md
@@ -0,0 +1,597 @@
+# sysdig
+
+## Product Domain
+
+Sysdig is a cloud-native security platform built on deep container and Kubernetes visibility. Its core technology captures system calls and other telemetry from hosts, containers, and serverless workloads to provide runtime threat detection, forensics, and operational monitoring. Sysdig Secure extends this foundation with cloud security posture management (CSPM), Kubernetes security posture management (KSPM), vulnerability management, and compliance benchmarking across AWS, Azure, GCP, and hybrid environments.
+
+Runtime protection is powered by Falco-compatible policies that detect suspicious process activity, container escapes, credential access, network anomalies, and MITRE ATT&CK–mapped behaviors at the syscall and workload level. Sysdig also ingests cloud audit logs (CloudTrail, GCP Audit Logs, Azure Platform Logs), identity events (Okta), and GitHub activity for agentless threat detection, and supports admission-controller and Kubernetes audit integrations for policy enforcement at deploy time.
+
+From a security operations perspective, Sysdig is a unified CNAPP (Cloud-Native Application Protection Platform) control plane for container and cloud estates. Security teams use it to detect runtime threats in Kubernetes and container workloads, assess cloud misconfigurations against compliance frameworks, prioritize image and host vulnerabilities across pipeline/registry/runtime stages, and correlate alerts with rich workload context (pod, namespace, cluster, image, process tree). Its telemetry is a primary signal for SIEM correlation, threat hunting, vulnerability prioritization, and compliance reporting in cloud-native environments.
+
+## Data Collected (brief)
+
+The integration collects Sysdig logs via Elastic Agent **HTTP Endpoint** (webhook) and **CEL/API** inputs (regional Next Gen and Current APIs, OAuth via API token).
Four data streams cover the main Sysdig Secure log types:
+
+| Data stream | Description |
+|---|---|
+| **alerts** | Runtime and policy alerts pushed via webhook—Falco rule matches, process/container context, Kubernetes labels, cloud metadata, MITRE tags, severity, and policy details |
+| **event** | Security events from the Next Gen API—runtime detections (syscall/Falco), cloud audit (CloudTrail, GCP, Azure), identity (Okta), GitHub, admission-controller, and profiling events with process, container, and orchestrator context |
+| **cspm** | CSPM compliance results from the Current API—control pass/fail status, severity, resource kind, benchmark policy, remediation metadata, and zone-scoped posture counts |
+| **vulnerability** | Vulnerability scan results from the Next Gen API (pipeline, registry, or runtime stage)—image/host metadata, package-vulnerability pairs, CVE/CVSS/EPSS, exploitability, risk accepts, and policy evaluation outcomes |
+
+Events are mapped to ECS fields (process, container, cloud, orchestrator, rule, vulnerability) where applicable, with vendor-specific details retained under `sysdig.*`. Bundled Kibana dashboards visualize security events, alerts, vulnerability findings, and CSPM compliance posture.
+
+## Expected Audit Log Entities
+
+Sysdig Secure does not export a dedicated platform audit log (no console login or API-mutation stream in this integration). The four data streams are **security detections** (`alerts`, `event`), **posture state** (`cspm`), and **vulnerability findings** (`vulnerability`). Runtime syscall/Falco alerts and the Next Gen `event` API carry the richest actor context (OS user, process tree, host, container, Kubernetes). Agentless cloud-audit detections (CloudTrail, GCP Audit Logs, Azure Platform Logs, Okta, GitHub) appear in `event` and webhook `alerts` with principal hints in `message` and vendor `sysdig.*.content.fields.*`, but many cloud principals are not mapped to `user.*`.
**No ECS `*.target.*` fields are populated** (`dev/target-fields-audit/out/target_fields_audit.csv` — no rows for this package). **No `destination.user.*` or `destination.host.*` mapping** exists in any pipeline (`destination_identity_hits.csv` — sysdig not listed). Target-fields audit classifies this package as **`moderate_candidate`** with **`fixture_strong=true`** but no pipeline actor/destination identity flags (`dev/target-fields-audit/out/target_enhancement_packages.csv`).
+
+**`event.action` is absent** on all four streams — not present in any `sample_event.json`, `*-expected.json`, or ingest pipeline (`grep event.action` across `packages/sysdig/` returns only `sysdig.event.actions`, a different field). Detection streams carry operation semantics in vendor syscall fields (`evt.type`), cloud API names (`aws.event_name`), and Falco rule names (`rule.name`), but none are copied to `event.action`. CSPM and vulnerability streams are state/finding snapshots with no per-event audit verb.
+
+Evidence: `packages/sysdig/data_stream/*/sample_event.json`, `data_stream/*/_dev/test/pipeline/*-expected.json`, ingest pipelines `alerts/default.yml`, `event/default.yml`, `cspm/default.yml`, `vulnerability/default.yml`.
+
+### Event action (semantic)
+
+Sysdig records **what triggered a detection** (syscall, cloud API call, policy match) and **what Sysdig did in response** (capture), but does not normalize either into ECS `event.action`.
+ +| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | +| `execve` | detection | high | `sysdig.event.content.fields.evt.type` in `test-event.log-expected.json` (six runtime events); `evt.type=execve` in `message`/`sysdig.content.output` on **`alerts`** fixtures | Underlying Falco/syscall — process execution | +| `open` | detection | high | `evt.type: open` in "Clear Log Activities" fixture (`test-event.log-expected.json`) | File access syscall on `/var/log/enforcer_testjob.log` | +| `dup2` | detection | high | `evt.type=dup2` in **`alerts`** `message`/`output` (reverse-shell fixtures in `test-sysdig.log-expected.json`) | Stdout/stdin redirect — vendor-only on **`alerts`** (not in structured `content.fields`) | +| `DescribeInstances` | api_call | moderate | `rule.name: Describe Instances` on CloudTrail alert (`test-sysdig.log-expected.json`; `event.provider: aws_cloudtrail`); mirrors AWS API name | Agentless cloud-audit detection — API name only in `rule.name`, not `aws.event_name` on **`alerts`** | +| `User Management Event Detected` | detection | high | `rule.name` ← `ruleName` on runtime alert (`test-sysdig.log-expected.json`, `alerts/sample_event.json`) | Falco rule / policy match label — security framing, not syscall name | +| `Clear Log Activities` | detection | high | `rule.name` in `test-event.log-expected.json` | Notable-events policy rule name | +| `capture` | administration | high | `sysdig.event.actions[].type: capture` in `test-event.log-expected.json` | **Sysdig platform response** (forensic capture), not the detected workload action — do not conflate with `event.action` | +| *(no per-event action)* | — | high | `event.kind: state` on **`cspm`**; static `event.category: [configuration]`, `event.type: [info]` (`cspm/default.yml` L298–309) | Posture evaluation snapshot — control pass/fail, not an audit verb | +| *(no per-event action)* | — | high | `event.category: [vulnerability]`, 
`event.type: [info]` on **`vulnerability`** (`vulnerability/default.yml` L528–535) | Vulnerability finding document — scan stage (`registry`, `runtime`, `pipeline`) is scope, not action | + +Do not substitute `event.provider` (`syscall`, `aws_cloudtrail`), `sysdig.event.category` (`runtime`, `remote`), `sysdig.event.type` (`policy`), or `event.category`/`event.type` for `event.action` — they classify event source or ECS taxonomy, not the operation performed. + +### Event action (ECS candidates) + +| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence | +| --- | --- | --- | --- | --- | --- | +| `event.action` | no | n/a | — | no | Not set in any pipeline or fixture | +| `sysdig.event.content.fields.evt.type` | no | n/a | `execve`, `open` | yes | Vendor syscall name in **`event`** fixtures; retained under vendor namespace (`fields.yml` evt subtree); **`event`** pipeline uses `evt.res` for `event.outcome` only (L321–330) | +| `sysdig.content.fields.evt.type` / `message` `evt.type=` | no | n/a | `execve`, `dup2` | yes | On **`alerts`**, syscall type appears in `message`/`sysdig.content.output` text only — webhook fixture `content.fields` lacks `evt` keys (`test-sysdig.log-expected.json`) | +| `rule.name` ← `ruleName` / `rule_name` | no (maps to `rule.name`) | partial | `User Management Event Detected`, `Describe Instances`, `Clear Log Activities`, `Redirect STDOUT/STDIN to Network Connection in Container` | yes | `alerts/default.yml` L77–78; `event/default.yml` L763–771; populated on all detection fixtures — good **detection-action** candidate but conflates Falco rule label with syscall/API verb | +| `sysdig.event.content.fields.aws.event_name` | no | n/a | *(no CloudTrail fixture)* | yes | Renamed from `eventName` (`event/default.yml` L214–216); canonical CloudTrail API name when agentless cloud events are ingested via **`event`** | +| 
`sysdig.event.actions[].type` | no | n/a | `capture` | no | Platform forensic response (`event/default.yml` L49–119 → `sysdig.event.actions`); not the detected event action | +| `event.provider` ← `sysdig.source` | no (maps to `event.provider`) | n/a | `syscall`, `aws_cloudtrail` | no | Event **source** channel, not operation verb (`alerts/default.yml` L28–30, `event/default.yml` L1366–1369) | +| `event.outcome` ← `evt.res` | no (maps to `event.outcome`) | yes | `success`, `failure` | no | Result of syscall (`SUCCESS`/`FAILURE`) — outcome, not action (`event/default.yml` L321–330) | +| `event.category` / `event.type` | yes (static/conditional) | partial | `process`, `configuration`, `vulnerability`; `info` | no | ECS taxonomy enrichment — not substitutes for `event.action` | +| `rule.name` ← `sysdig.cspm.control.name` | no (maps to `rule.name`) | partial | `IAM - Defined Users MFA (AWS)` | no | CSPM control identity — posture check label, not audit verb (`cspm/default.yml` L391+) | +| `sysdig.cspm.name` | no (maps to `message`) | n/a | `1.10 Ensure multi-factor authentication (MFA) is enabled…` | no | Benchmark requirement text on **`cspm`** — compliance reference, not action | + +**Step 2b — per-stream check:** + +| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? 
| Primary action candidate | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `alerts` | no | no | `rule.name` (detection label); alternate: parse `evt.type` from `message`/`sysdig.content.output` | high / moderate | `rule.name` populated on all fixtures; syscall type text-only (`execve`, `dup2`) in `message` | +| `event` | no | no | `sysdig.event.content.fields.evt.type` (runtime); `sysdig.event.content.fields.aws.event_name` (cloud audit) | high / moderate | Structured `evt.type` in six runtime fixtures; `aws.event_name` pipeline support without fixture | +| `cspm` | no | no | *(none — state snapshot)* | high | `event.kind: state`; no vendor operation field | +| `vulnerability` | no | no | *(none — finding snapshot)* | high | `event.category: vulnerability`; scan stage is metadata | + +**Recommended enhancement (detection streams):** Copy `sysdig.event.content.fields.evt.type` → `event.action` for runtime **`event`** records; copy `sysdig.event.content.fields.aws.event_name` → `event.action` for cloud-audit **`event`** records; for **`alerts`**, prefer `rule.name` → `event.action` (structured) with optional `evt.type` extraction from `message` as secondary. Keep `rule.name` populated separately — it names the **detection rule**, which differs semantically from the underlying syscall/API verb. 
+ +### Actor (semantic) + +| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | +| Local OS user (runtime) | user | — | high | `user.name`, `user.id`, `user.group.*` ← `sysdig.content.fields.user.*` (`alerts/default.yml`) or `sysdig.event.content.fields.user.*` (`event/default.yml`); `root`/`0` in `alerts/sample_event.json`, `test-sysdig.log-expected.json`, all six runtime fixtures in `test-event.log-expected.json` | **`alerts`**, **`event`** (`event.provider: syscall`) | +| Offending / parent process | general | process | high | `process.name`, `process.executable`, `process.command_line`, `process.pid`, `process.parent.*` (up to four ancestor levels); `sh`/`bash`/`userdel` in `test-event.log-expected.json`; `pname`/`gparent` text in `message` | **`alerts`**, **`event`** — process initiating the suspicious syscall | +| Workload node | host | — | high | `host.name`, `host.hostname`, `host.id`, `host.mac`; `related.hosts` ← labels or `sysdig.machineId`/`sysdig.hostMac` (`alerts/default.yml`, `event/default.yml`); GKE node names in all runtime samples | **`alerts`**, **`event`** | +| Sysdig agent | general | agent | moderate | `agent.id` ← `sysdig.agentId` (`alerts/default.yml`); `58014837` in `test-sysdig.log-expected.json` | **`alerts`** — collector identity, not the security principal | +| CloudTrail / agentless principal (alerts) | user | — | moderate | Principal named in `message` only (e.g. 
`requesting user=AutoScaling`); **not** mapped to `user.name` (`test-sysdig.log-expected.json`; `event.provider: aws_cloudtrail`, `sysdig.source: aws_cloudtrail`) | **`alerts`** only for CloudTrail fixture; no `source.ip` mapping | +| Cloud audit principal (event API) | user | — | moderate | `sysdig.event.content.fields.aws.user`, `ct.user.value`, `ct.user.accountid`, `sysdig.event.labels.cloud_provider.user` → `related.user` only (`event/default.yml`); pipeline supports but **no CloudTrail/Okta/GitHub fixture** in tests | **`event`** when `event.provider` is `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `okta`, `github` | +| Cloud audit source endpoint | host | — | low | `sysdig.event.labels.source.ip` → `source.ip`/`related.ip` when valid IP (`event/default.yml`); `aws.source_ip`/`ct.srcip` → `related.ip` only; CloudTrail alert origin in `message` text (`autoscaling.amazonaws.com`) | **`event`** (labels); **`alerts`** (message text only) | +| CSPM evaluator | service | — | high | Automated posture scan — `observer.vendor: Sysdig`, `observer.product: Sysdig Secure`; `event.kind: state` (`cspm/sample_event.json`, `test-cspm.log-expected.json`) | **`cspm`** — no human actor | +| Vulnerability scanner | service | — | high | `vulnerability.scanner.vendor: Sysdig Secure`; stage in `sysdig.vulnerability.stage` (`registry`, `runtime`, `pipeline` in `test-vulnerability.log-expected.json`) | **`vulnerability`** | +| Image maintainer (build metadata) | user | — | low | `user.name`/`user.domain` dissected from `metadata.labels.maintainer` (`vulnerability/default.yml`); `"NGINX Docker Maintainers"` in `sample_event.json` — build metadata, not scan actor | **`vulnerability`** | + +### Actor (ECS candidates) + +| ECS / vendor field | Role | Mapped today? | Mapping correct? 
| Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `user.name`, `user.id`, `user.group.id`, `user.group.name` | Local OS user on runtime detection | yes | yes | high | ← `sysdig.content.fields.user.*` (`alerts/default.yml:187-193`) or `sysdig.event.content.fields.user.*` (`event/default.yml:656-676`); `root`/`0` in fixtures |
+| `process.*`, `process.parent.*` | Offending process and ancestor chain | yes | yes | high | ← `proc.*` fields (`alerts/default.yml:155-181`, `event/default.yml:471-633`); full tree in `test-event.log-expected.json` |
+| `host.name`, `host.hostname`, `host.id`, `host.mac` | Workload node | yes | yes | high | ← `sysdig.labels.host.hostName`, `sysdig.machineId`, `sysdig.hostMac` (`alerts/default.yml:115-133`, `event/default.yml:1205-1244`) |
+| `agent.id` | Sysdig agent | yes | partial | moderate | ← `sysdig.agentId` (`alerts/default.yml:110-113`); collector ID, not security principal |
+| `related.user` | Enrichment array for cloud principals | yes | partial | moderate | Appends `aws.user`, `ct.user.value`, `ct.user.accountid`, `labels.cloud_provider.user`, `user.loginname`, `user.loginuid`, `user.name`, `user.uid` (`event/default.yml:237-682`); aggregates actor hints but does not distinguish actor vs target |
+| `source.ip` | Cloud-audit request origin | yes (event) | yes | moderate | ← `sysdig.event.labels.source.ip` (`event/default.yml:1287-1291`); not mapped in **`alerts`** pipeline |
+| `related.ip` | Source / flow IP enrichment | yes | partial | moderate | ← `aws.source_ip`, `ct.srcip`, `fd.sip`, `labels.source.ip`, sequence `source_ip_address` (`event/default.yml`); network context, not always actor |
+| `related.hosts` | Hostname enrichment | yes | partial | moderate | ← `labels.host.host_name`, `ct.request.host` (`event/default.yml:280-285`, `1219-1224`) |
+| `cloud.account.id`, `cloud.provider`, `cloud.region`, `cloud.instance.*` | Cloud placement of runtime workload | yes | n/a | moderate | Scope context from
labels (`alerts/default.yml:208-262`, `event/default.yml:1045-1203`); not the actor |
+| `observer.vendor`, `observer.product` | Sysdig Secure platform | yes | yes | high | Static `Sysdig` / `Sysdig Secure` (`event/default.yml:33-40`, `cspm/default.yml:347-355`, `vulnerability/default.yml:547-555`) |
+| `sysdig.content.fields.user.*` / `sysdig.event.content.fields.user.*` | Vendor OS user (canonical) | yes (vendor) | n/a | high | Source for ECS `user.*`; duplicated fields removed post-map (`event/default.yml:1429-1430`) |
+| `sysdig.event.content.fields.aws.user`, `.aws.source_ip` | CloudTrail principal / source | yes (vendor) | n/a | moderate | `aws.user` also in `related.user`; no ECS `user.name` copy (`event/default.yml:237-242`) |
+| `sysdig.event.content.fields.ct.user.*`, `.ct.srcip` | GCP/Azure/Okta ct.* principal | yes (vendor) | n/a | moderate | → `related.user`/`related.ip` only; not in current test fixtures |
+| `sysdig.cspm.control.authors` | Control metadata author string | yes (vendor) | n/a | low | `"Sysdig"` in `test-cspm.log-expected.json` — rule metadata, not acting principal |
+
+### Target (semantic)
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Platform / cloud service | Invoked cloud API or identity platform | AWS CloudTrail / EC2 API | service | — | moderate | `event.provider: aws_cloudtrail`; action in `message` ("EC2 instance has been requested", `DescribeInstances` implied); account `414773805239` in `test-sysdig.log-expected.json` | **`alerts`**, **`event`** — agentless cloud-audit detections; `gcp_auditlog`, `azure_platformlogs`, `okta`, `github` supported per `fields.yml` but not fixture-covered |
+| 2 — Resource / object | Container/workload under attack | Container / pod | general | container | high | `container.name`, `container.id`, `orchestrator.resource.name`, `container.image.name`; `threatgen`,
`shell-scripting`, `cadvisor` in tests | **`alerts`**, **`event`** (runtime) |
+| 2 — Resource / object | Node / host path acted upon | Host / mount path | host | — | moderate | `host.name`; sensitive mounts in `sysdig.event.content.fields.container.mounts` and `message` ("Launch Sensitive Mount Container" in `test-event.log-expected.json`) | **`event`** |
+| 2 — Resource / object | Local account under modification | OS / IAM user account | user | — | moderate | Account in process args/message (`userdel tmp_suid_user` → `proc.args`/`message` in `test-sysdig.log-expected.json`); CSPM `resource_kind: AWS_USER` in posture tests | **`alerts`**, **`event`** (runtime); **`cspm`** (resource class) |
+| 2 — Resource / object | File or FD opened/tampered | File on disk | general | file | moderate | `sysdig.event.content.fields.fd.name` (e.g. `/var/log/enforcer_testjob.log` in "Clear Log Activities" test); **not** mapped to `file.path` | **`event`** |
+| 2 — Resource / object | CSPM evaluated resource class | Cloud / K8s / host resource type | general | cloud-resource | high | `sysdig.cspm.control.resource_kind` — `AWS_USER`, `AWS_LAMBDA_FUNCTION`, `microsoft.web/sites`, `storage.googleapis.com/Bucket/IAM_POLICY`, `host`, etc.
(`test-cspm.log-expected.json`) | **`cspm`** — aggregate counts only; per-resource IDs via `resource_api_endpoint` URL |
+| 2 — Resource / object | CSPM platform scope | Cloud provider / OS target | general | cloud-platform | high | `sysdig.cspm.control.target` — `AWS`, `Azure`, `GCP`, `OCI`, `Linux`, `Kubernetes`, `Windows`, `Docker` (`test-cspm.log-expected.json`) | **`cspm`** — vendor field named `target`; posture scope, not ECS target |
+| 2 — Resource / object | Vulnerable asset (image or host) | Container image / VM | general | container-image / host | high | `sysdig.vulnerability.asset_type: containerImage`; `resource.id`/`resource.name`, `host.*`, `cloud.*`, `orchestrator.*` for runtime stage (`vulnerability/default.yml`, `test-vulnerability.log-expected.json`) | **`vulnerability`** |
+| 2 — Resource / object | Vulnerable package on asset | Software package | general | software-package | high | `package.name`, `package.version`, `package.path` (e.g. `golang.org/x/net` at `/usr/bin/ctr`) | **`vulnerability`** |
+| 3 — Content / artifact | Detection rule / compliance control | Falco rule / CIS control | general | detection-rule | high | `rule.name`, `rule.ruleset`, `rule.description`, `rule.benchmark.name`; MITRE → `threat.technique.*` ("User Management Event Detected", CIS AWS controls in tests) | **`alerts`**, **`event`**, **`cspm`** |
+| 3 — Content / artifact | CVE finding | Vulnerability record | general | vulnerability | high | `vulnerability.id`/`vulnerability.cve` (e.g. `CVE-2023-45322`); CVSS under `vulnerability.score.*` | **`vulnerability`** |
+| 3 — Content / artifact | Encoded shell / network peer in cmdline | Script payload / remote endpoint | general | script_payload | low | Base64 shell and `0.0.0.0:1337` connect strings in `process.command_line`/`message` (`test-event.log-expected.json`); `fd.sip` → `related.ip` only | **`event`** |
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today?
| Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `event.provider` | 1 | service | yes | yes | `service.target.name` | yes | ← `sysdig.source` / `sysdig.event.source`; `aws_cloudtrail`, `syscall`, etc. (`alerts/default.yml:29-30`, `event/default.yml:1366-1369`); identifies invoked platform for agentless detections |
+| `container.id`, `container.name`, `container.image.name`, `container.image.hash.all` | 2 | general | yes | yes | `entity.target.id` / `entity.target.name` | yes | Workload under attack (`alerts/default.yml:135-145`, `event/default.yml:243-265`); `threatgen`, `shell-scripting` in fixtures |
+| `orchestrator.cluster.name`, `orchestrator.namespace`, `orchestrator.resource.name` | 2 | general | yes | yes | `entity.target.id` | yes | Kubernetes pod scope (`alerts/default.yml:264-278`, `event/default.yml:1246-1274`); `threatgen-c65cf6446-5s8kk` in tests |
+| `host.name`, `host.hostname` | 2 | host | yes | partial | `host.target.name` | yes | Node hosting the workload — semantically the attacked host, but mapped as generic `host.*` not `host.target.*` |
+| `cloud.account.id`, `cloud.provider`, `cloud.region`, `cloud.instance.*` | — | general | yes | n/a | context-only | no | Cloud placement context (`alerts/default.yml:208-262`); scope, not explicit target entity |
+| `sysdig.event.content.fields.fd.name` | 3 | general | yes (vendor) | n/a | context-only | yes | File path target (e.g.
`/var/log/enforcer_testjob.log`); vendor-only — **not** mapped to `file.path` |
+| `sysdig.event.content.fields.container.mounts` | 2 | host | yes (vendor) | n/a | `host.target.name` | yes | Sensitive mount list in runtime events; vendor-only |
+| `sysdig.event.content.fields.aws.event_name` | 2 | general | yes (vendor) | n/a | `entity.target.name` | yes | Cloud API action name; retained under vendor namespace (`fields.yml`); CloudTrail alert action in `message` only for **`alerts`** |
+| `sysdig.event.content.resource_kind`, `.resource_name` | 2 | general | yes (vendor) | n/a | `resource.type` / `resource.name` | yes | Renamed from JSON content (`event/default.yml:753-760`); admission/K8s events — not mapped to ECS `resource.*` |
+| `sysdig.cspm.control.resource_kind` | 2 | general | yes (vendor) | n/a | `resource.type` | yes | Evaluated resource class (`AWS_USER`, `host`, etc. in `test-cspm.log-expected.json`); listed in `vendor_target_special_cases.csv` |
+| `sysdig.cspm.control.target` | 2 | general | yes (vendor) | n/a | context-only | yes | Platform scope (`AWS`, `GCP`, `Kubernetes`, …); vendor field named `target` but posture boundary, not per-resource identity |
+| `sysdig.cspm.zone.name` | — | general | yes (vendor) | n/a | context-only | no | Assessment zone boundary (e.g.
`"Entire Infrastructure"`) | +| `resource.id`, `resource.name` | 2 | general | yes | yes | `entity.target.id` / `entity.target.name` | yes | ← `sysdig.vulnerability.scope.*` (`vulnerability/default.yml:821-826`); runtime/host-scoped findings | +| `host.*` (vulnerability) | 2 | host | yes | yes | `host.target.name` | yes | Vulnerable host metadata from scan scope (`vulnerability/default.yml:557-616`) | +| `package.name`, `package.version`, `package.path` | 2 | general | yes | yes | context-only | no | Vulnerable package on asset — finding detail, not the primary audit target | +| `vulnerability.id`, `vulnerability.cve`, `vulnerability.score.*` | 3 | general | yes | yes | context-only | no | CVE record on the asset | +| `rule.name`, `rule.id`, `rule.benchmark.name`, `rule.description` | 3 | general | yes | yes | context-only | no | Detection/compliance rule that fired | +| `sysdig.vulnerability.package.vulnerability.risk_accepts[].entity_type` / `.entity_value` | 2 | general | yes (vendor) | n/a | `entity.target.name` | yes | Risk-accept exception scope (e.g. `imageName: nginx:latest` in tests) | +| `related.ip` (`fd.sip`, encoded cmdline peers) | 3 | host | yes | partial | context-only | no | Network peer hints; `related.ip` only — ambiguous actor vs target | + +### Gaps and mapping notes + +- **`event.action` gap on all streams:** No pipeline maps vendor operation fields to `event.action`. Best candidates: **`event`** runtime → `sysdig.event.content.fields.evt.type` (`execve`, `open`); **`event`** cloud audit → `sysdig.event.content.fields.aws.event_name`; **`alerts`** → `rule.name` (structured) or `evt.type` parsed from `message` (text-only). `sysdig.event.actions.type: capture` is Sysdig's forensic response — not a candidate for `event.action`. Do not map `event.provider`, `event.category`, or `event.type` as action substitutes. 
+- **No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*`** — target-fields audit confirms zero official target fields; enhancement priority is **`moderate_candidate`** with strong fixtures but no pipeline destination-identity mappings.
+- **No `destination.user.*` or `destination.host.*`** anywhere in the package — sysdig absent from `destination_identity_hits.csv`. Do not expect de-facto target user/host under `destination.*`.
+- **Cloud audit principals on `alerts`** appear only in `message` text (`requesting user=AutoScaling`); the alerts pipeline does not map to `user.*` or `source.ip`. The **`event`** pipeline maps cloud principals to `related.user` only — enhancement candidate for `user.id`/`user.name` from `sysdig.event.content.fields.aws.user` and `ct.user.*`.
+- **`related.user` conflates actor and enrichment** — OS user (`user.name`), login UID, and cloud principals all append to the same array; cannot distinguish actor from target user without field-level logic.
+- **`host.name` on runtime events** identifies the node hosting the workload (context for both actor-side process execution and target-side attacked host) — semantically overloaded; `host.target.name` would clarify target role.
+- **`sysdig.cspm.control.target`** is a vendor posture-scope field (AWS/GCP/K8s platform), not an ECS target entity — listed in `vendor_target_special_cases.csv` as `entity_target_generic`.
+- **CSPM per-resource IDs** are not inline — only `objects_count` aggregates and `resource_api_endpoint` URLs; individual failing resources require a separate API call.
+- **File targets** (`fd.name`) and **K8s admission resources** (`resource_kind`/`resource_name`) remain vendor-only — best enhancement sources for `file.path` and `resource.*`.
+- **Image maintainer → `user.name`** on vulnerability events is build metadata dissected from OCI labels, not the scan actor — do not treat as security principal.
+- **`agent.id` / `observer.*`** represent Sysdig collector/platform identity, not the event actor or target.
+
+### Per-stream notes
+
+#### `alerts` (webhook)
+
+Webhook-delivered runtime and agentless detections. Runtime (`event.provider: syscall`) maps OS user and process actor to ECS; CloudTrail alert (`event.provider: aws_cloudtrail`) carries principal in `message` only. **`event.action` absent** — primary action candidate is `rule.name` (e.g. `User Management Event Detected`, `Describe Instances`); syscall type (`execve`, `dup2`) appears only in `message`/`sysdig.content.output` text. Primary targets are the container/pod (`container.*`, `orchestrator.*`) and implied cloud API action (Layer 1 via `event.provider`).
+
+#### `event` (Next Gen API)
+
+Superset of detection types including runtime syscall, cloud audit, Okta, GitHub, admission-controller. Richest pipeline: full `process.*` tree, `source.ip` from labels, cloud principals in `related.user`. Six runtime fixtures in `test-event.log-expected.json`; no CloudTrail/Okta/GitHub fixtures. **`event.action` absent** — structured `sysdig.event.content.fields.evt.type` (`execve`, `open`) is the best runtime candidate; `aws.event_name` supported in pipeline for cloud audit. `sysdig.event.content.fields.fd.name` holds file-target paths; `resource_kind`/`resource_name` for K8s admission events stay vendor-only. `sysdig.event.actions[].type: capture` records Sysdig forensic capture metadata.
+
+#### `cspm` (Current API)
+
+Posture **state** events (`event.kind: state`), not per-action audit. **Service** actor (Sysdig scanner). **No per-event action** — `rule.name` identifies the compliance control (`IAM - Defined Users MFA (AWS)`), not an operation verb. Targets are resource **classes** (`control.resource_kind`) and platform scope (`control.target`), not individual resource IDs. Compliance control → `rule.*`.
+
+#### `vulnerability` (Next Gen API)
+
+Automated scan findings.
**Service** actor (`vulnerability.scanner.vendor`). **No per-event action** — `event.category: vulnerability` classifies the document; `sysdig.vulnerability.stage` (`registry`, `runtime`, `pipeline`) is scan scope. Primary target is the vulnerable asset (`resource.*`, `host.*`, `container.image.*`, `orchestrator.*` by stage). Package and CVE are finding details on that asset. Optional `user.name` from image maintainer label is build metadata only.
+
+## Example Event Graph
+
+Examples below come from the **`event`** (Next Gen API) and **`alerts`** (webhook) detection streams. These are runtime and agentless **security detections**, not Sysdig console audit logs. **`event.action` is absent** on all fixtures — actions are derived from vendor syscall or rule fields. The **`cspm`** and **`vulnerability`** streams are posture/finding state snapshots with no per-event Actor → action → Target chain.
+
+### Example 1: Runtime shell execution in container
+
+**Stream:** `sysdig.event` · **Fixture:** `packages/sysdig/data_stream/event/_dev/test/pipeline/test-event.log-expected.json`
+
+```
+OS user root → execve → container shell-scripting
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | 0 |
+| name | root |
+| type | user |
+
+**Field sources:**
+- `id` ← `user.id` (`sysdig.event.content.fields.user.uid`)
+- `name` ← `user.name` (`sysdig.event.content.fields.user.name`)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | execve |
+| source_field | `sysdig.event.content.fields.evt.type` |
+| source_value | execve |
+
+**Not mapped to ECS `event.action` today.**
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | shell-scripting-abcdef12-12345 |
+| name | shell-scripting |
+| type | general |
+| sub_type | container |
+
+**Field sources:**
+- `id` ← `orchestrator.resource.name`
+- `name` ← `container.name` (`sysdig.event.content.fields.container.name`)
+
+#### Mermaid (optional)
+
+```mermaid
+flowchart LR
+ A["Actor: root"] -->
E["execve"] + E --> T["Target: shell-scripting"] +``` + +### Example 2: User account deletion in workload + +**Stream:** `sysdig.alerts` · **Fixture:** `packages/sysdig/data_stream/alerts/_dev/test/pipeline/test-sysdig.log-expected.json` + +``` +OS user root → userdel → local account (tmp_suid_user) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | 0 | +| name | root | +| type | user | + +**Field sources:** +- `id` ← `sysdig.content.fields.user.uid` +- `name` ← `sysdig.content.fields.user.name` + +#### Event action + +| Field | Value | +| --- | --- | +| action | userdel | +| source_field | `sysdig.content.fields.proc.name` | +| source_value | userdel | + +**Not mapped to ECS `event.action` today.** Falco rule `User Management Event Detected` (`rule.name`) wraps this syscall; container `threatgen` is runtime scope, not the acted-upon account. + +#### Target + +| Field | Value | +| --- | --- | +| name | tmp_suid_user | +| type | user | +| sub_type | local_account | + +**Field sources:** +- `name` ← `sysdig.content.fields.proc.cmdline` (`userdel tmp_suid_user`); also in `message` (`proc.args=tmp_suid_user`) + +**Scope context (not target):** container `threatgen` (`container.id: 6949e5f10829`, `orchestrator.resource.name: threatgen-c65cf6446-5s8kk`); parent process `pwsh` in `message`. 
+
+#### Mermaid (optional)
+
+```mermaid
+flowchart LR
+ A["Actor: root"] --> E["userdel"]
+ E --> T["Target: tmp_suid_user"]
+```
+
+### Example 3: CloudTrail EC2 describe call
+
+**Stream:** `sysdig.alerts` · **Fixture:** `packages/sysdig/data_stream/alerts/_dev/test/pipeline/test-sysdig.log-expected.json`
+
+```
+IAM principal AutoScaling → Describe Instances → AWS EC2 API
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| name | AutoScaling |
+| type | user |
+| sub_type | service_account |
+
+**Field sources:**
+- `name` ← `message` (`requesting user=AutoScaling`) — principal not mapped to `user.name`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | Describe Instances |
+| source_field | `rule.name` |
+| source_value | Describe Instances |
+
+**Not mapped to ECS `event.action` today.**
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 414773805239 |
+| name | aws_cloudtrail |
+| type | service |
+| sub_type | cloud_api |
+
+**Field sources:**
+- `id` ← `cloud.account.id` (`sysdig.labels.cloudProvider.account.id`)
+- `name` ← `event.provider` (`sysdig.source: aws_cloudtrail`) — EC2 `DescribeInstances` implied in `message`
+
+#### Mermaid (optional)
+
+```mermaid
+flowchart LR
+ A["Actor: AutoScaling"] --> E["Describe Instances"]
+ E --> T["Target: AWS EC2 API"]
+```
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (Elastic Agent HTTP endpoint + CEL/API). Router: **`data_stream.dataset`** (`sysdig.alerts`, `sysdig.event`, `sysdig.cspm`, `sysdig.vulnerability` from `manifest.yml`). **`sysdig.event`** and **`sysdig.alerts`** are security detections with runtime OS-user actors and container/cloud targets; **`sysdig.cspm`** and **`sysdig.vulnerability`** are automated scanner posture/finding snapshots. No ECS `*.target.*` fields are populated at ingest today — Pass 4 is fill-gaps-only enrichment.
Detection flags (`actor_exists`, `target_exists`, `action_exists`) run first for query semantics; **mapped columns use column-level preserve** (` IS NOT NULL`), not `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` — e.g. populated `service.name` must not block `user.id` ← `sysdig.content.fields.user.uid` on **`sysdig.alerts`**. `actor_exists` uses the standard user/host/service/entity predicate (not `process.*`); runtime **`sysdig.alerts`** may need vendor `sysdig.content.fields.user.*` fallback when ECS `user.*` is absent in fixtures. **ES|QL `CASE` arity:** arguments are **(condition, value)** pairs; odd count → last arg is default — not **4-arg** `CASE(col IS NOT NULL, col, vendor_field, null)` (3rd arg is a **condition**, not fallback). **Pass 4 (tautology cleanup):** no `CASE(col, col, …)` fallback branches — **`sysdig.event`** runtime `user.id` / `user.name` and **`host.name` / `host.id`** on detection streams are **ingest-only — no ES|QL** (`event/default.yml`, `alerts/default.yml`); **`sysdig.alerts`** keeps vendor `sysdig.content.fields.user.*` only when indexed `user.*` is empty. 
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `sysdig.event` | runtime / cloud detections (Next Gen API) | user, host | general (container, file), host, service | full |
+| `sysdig.alerts` | webhook detections | user, host | general (container), service | full |
+| `sysdig.cspm` | posture state (Current API) | service | general (resource class) | partial |
+| `sysdig.vulnerability` | CVE findings (Next Gen API) | service | general (asset), host | partial |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.id` | `user.id` | `data_stream.dataset == "sysdig.event" AND event.provider == "syscall"` | high | **ingest-only — no ES\|QL** — `sysdig.event.content.fields.user.uid` → `user.id` at ingest |
+| `user.id` | `sysdig.content.fields.user.uid` | `data_stream.dataset == "sysdig.alerts" AND event.provider == "syscall"` | medium | **vendor fallback** when `user.id` empty — `sample_event.json` may omit ECS `user.*` |
+| `user.name` | `user.name` | `data_stream.dataset == "sysdig.event" AND event.provider == "syscall"` | high | **ingest-only — no ES\|QL** — `sysdig.event.content.fields.user.name` → `user.name` at ingest |
+| `user.name` | `sysdig.content.fields.user.name` | `data_stream.dataset == "sysdig.alerts" AND event.provider == "syscall"` | medium | **vendor fallback** when `user.name` empty |
+| `host.name` | `host.name` | `data_stream.dataset IN ("sysdig.event", "sysdig.alerts")` | high | **ingest-only — no ES\|QL** — labels / `sysdig.machineId` at ingest |
+| `host.id` | `host.id` | `data_stream.dataset IN ("sysdig.event", "sysdig.alerts")` | high | **ingest-only — no ES\|QL** |
+| `host.ip` | `source.ip` | `data_stream.dataset == "sysdig.event" AND source.ip IS NOT NULL` | medium | cloud-audit request origin
(`event/default.yml`) |
+| `service.name` | `"Sysdig Secure"` | `data_stream.dataset IN ("sysdig.cspm", "sysdig.vulnerability")` | high | **semantic literal** — scanner actor |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `entity.target.id` | `container.id` | `data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND container.id IS NOT NULL` | high | workload under attack |
+| `entity.target.id` | `orchestrator.resource.name` | `data_stream.dataset == "sysdig.event" AND container.id IS NULL AND orchestrator.resource.name IS NOT NULL` | high | pod scope when `container.id` absent (Example 1) |
+| `entity.target.id` | `resource.id` | `data_stream.dataset == "sysdig.vulnerability"` | high | vulnerable asset scope |
+| `entity.target.id` | `cloud.account.id` | `data_stream.dataset == "sysdig.alerts" AND event.provider == "aws_cloudtrail"` | high | cloud account scope (Example 3) |
+| `entity.target.name` | `container.name` | `data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND container.name IS NOT NULL` | high | pass-through / fixture |
+| `entity.target.name` | `sysdig.content.fields.container.name` | `data_stream.dataset == "sysdig.alerts" AND container.name IS NULL` | medium | **vendor fallback** |
+| `entity.target.name` | `orchestrator.resource.name` | `data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND orchestrator.resource.name IS NOT NULL` | high | K8s pod name |
+| `entity.target.name` | `sysdig.event.content.fields.fd.name` | `data_stream.dataset == "sysdig.event" AND sysdig.event.content.fields.fd.name IS NOT NULL` | high | file path target ("Clear Log Activities") |
+| `entity.target.type` | `"container"` | `data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND (container.id IS NOT NULL OR container.name IS NOT NULL)` | high | classification helper |
+| `entity.target.type` | `sysdig.cspm.control.resource_kind` |
`data_stream.dataset == "sysdig.cspm"` | high | evaluated resource class (`AWS_USER`, …) | +| `entity.target.type` | `"container-image"` / `"host"` | `data_stream.dataset == "sysdig.vulnerability" AND sysdig.vulnerability.asset_type == "containerImage"` / `== "host"` | high | asset type discriminator | +| `host.target.name` | `host.name` | `data_stream.dataset IN ("sysdig.event", "sysdig.vulnerability") AND host.name IS NOT NULL` | medium | attacked / vulnerable host | +| `service.target.name` | `event.provider` | `data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND event.provider == "aws_cloudtrail"` | high | cloud API platform (Example 3 — not self-referential actor) | +| `service.target.id` | `cloud.account.id` | `data_stream.dataset == "sysdig.alerts" AND event.provider == "aws_cloudtrail" AND cloud.account.id IS NOT NULL` | high | ties service target to account | + +#### Event action mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `event.action` | `sysdig.event.content.fields.evt.type` | `data_stream.dataset == "sysdig.event" AND event.provider == "syscall"` | high | runtime syscall (`execve`, `open`) | +| `event.action` | `sysdig.event.content.fields.aws.event_name` | `data_stream.dataset == "sysdig.event" AND event.provider == "aws_cloudtrail"` | medium | pipeline support; no CloudTrail fixture | +| `event.action` | `rule.name` | `data_stream.dataset IN ("sysdig.event", "sysdig.alerts")` | high | detection label / Falco rule name | +| `event.action` | `process.name` | `data_stream.dataset == "sysdig.alerts" AND event.provider == "syscall" AND process.name IS NOT NULL` | medium | syscall verb when `rule.name` is generic (e.g. `userdel`) | + +### Detection flags (mandatory — run first) + +`actor_exists` omits `process.*` so cloud-audit alerts without ECS `user.*` still qualify for vendor-less gaps. 
No indexed `*.target.*` today — `target_exists` is typically false until ingest enhancement. **Actor/target/action `EVAL` blocks use column-level preserve** (` IS NOT NULL`) — not `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` — so one populated sibling column does not block fallbacks on empty columns (Pass 4 §10).
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+### Combined ES|QL — actor fields
+
+```esql
+| EVAL
+ user.id = CASE(
+ user.id IS NOT NULL, user.id,
+ data_stream.dataset == "sysdig.alerts" AND event.provider == "syscall", sysdig.content.fields.user.uid,
+ null
+ ),
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset == "sysdig.alerts" AND event.provider == "syscall", sysdig.content.fields.user.name,
+ null
+ ),
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "sysdig.event" AND source.ip IS NOT NULL, source.ip,
+ null
+ ),
+ service.name = CASE(
+ service.name IS NOT NULL, service.name,
+ data_stream.dataset IN ("sysdig.cspm", "sysdig.vulnerability"), "Sysdig Secure",
+ null
+ )
+```
+
+### Combined ES|QL — event action
+
+```esql
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "sysdig.event" AND event.provider == "syscall" AND sysdig.event.content.fields.evt.type IS NOT NULL, sysdig.event.content.fields.evt.type,
+
data_stream.dataset == "sysdig.event" AND event.provider == "aws_cloudtrail" AND sysdig.event.content.fields.aws.event_name IS NOT NULL, sysdig.event.content.fields.aws.event_name, + data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND rule.name IS NOT NULL, rule.name, + data_stream.dataset == "sysdig.alerts" AND event.provider == "syscall" AND process.name IS NOT NULL, process.name, + null + ) +``` + +### Combined ES|QL — target fields + +```esql +| EVAL + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND container.id IS NOT NULL, container.id, + data_stream.dataset == "sysdig.event" AND orchestrator.resource.name IS NOT NULL, orchestrator.resource.name, + data_stream.dataset == "sysdig.vulnerability", resource.id, + data_stream.dataset == "sysdig.alerts" AND event.provider == "aws_cloudtrail", cloud.account.id, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND container.name IS NOT NULL, container.name, + data_stream.dataset == "sysdig.alerts" AND sysdig.content.fields.container.name IS NOT NULL, sysdig.content.fields.container.name, + data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND orchestrator.resource.name IS NOT NULL, orchestrator.resource.name, + data_stream.dataset == "sysdig.event" AND sysdig.event.content.fields.fd.name IS NOT NULL, sysdig.event.content.fields.fd.name, + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND (container.id IS NOT NULL OR container.name IS NOT NULL), "container", + data_stream.dataset == "sysdig.cspm", sysdig.cspm.control.resource_kind, + data_stream.dataset == "sysdig.vulnerability" AND sysdig.vulnerability.asset_type == "containerImage", "container-image", + data_stream.dataset == "sysdig.vulnerability" AND 
sysdig.vulnerability.asset_type == "host", "host", + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset IN ("sysdig.event", "sysdig.vulnerability") AND host.name IS NOT NULL, host.name, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND event.provider == "aws_cloudtrail", event.provider, + null + ), + service.target.id = CASE( + service.target.id IS NOT NULL, service.target.id, + data_stream.dataset == "sysdig.alerts" AND event.provider == "aws_cloudtrail" AND cloud.account.id IS NOT NULL, cloud.account.id, + null + ) +``` + +### Full pipeline fragment (optional) + +```esql +FROM logs-* +| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL + OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL + OR service.id IS NOT NULL OR service.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset == "sysdig.alerts" AND event.provider == "syscall", sysdig.content.fields.user.uid, + null + ), + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "sysdig.alerts" AND event.provider == "syscall", sysdig.content.fields.user.name, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "sysdig.event" AND source.ip IS NOT NULL, source.ip, + null + ), + service.name = CASE( + service.name IS NOT NULL, service.name, + 
data_stream.dataset IN ("sysdig.cspm", "sysdig.vulnerability"), "Sysdig Secure", + null + ), + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "sysdig.event" AND event.provider == "syscall" AND sysdig.event.content.fields.evt.type IS NOT NULL, sysdig.event.content.fields.evt.type, + data_stream.dataset == "sysdig.event" AND event.provider == "aws_cloudtrail" AND sysdig.event.content.fields.aws.event_name IS NOT NULL, sysdig.event.content.fields.aws.event_name, + data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND rule.name IS NOT NULL, rule.name, + data_stream.dataset == "sysdig.alerts" AND event.provider == "syscall" AND process.name IS NOT NULL, process.name, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND container.id IS NOT NULL, container.id, + data_stream.dataset == "sysdig.event" AND orchestrator.resource.name IS NOT NULL, orchestrator.resource.name, + data_stream.dataset == "sysdig.vulnerability", resource.id, + data_stream.dataset == "sysdig.alerts" AND event.provider == "aws_cloudtrail", cloud.account.id, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND container.name IS NOT NULL, container.name, + data_stream.dataset == "sysdig.alerts" AND sysdig.content.fields.container.name IS NOT NULL, sysdig.content.fields.container.name, + data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND orchestrator.resource.name IS NOT NULL, orchestrator.resource.name, + data_stream.dataset == "sysdig.event" AND sysdig.event.content.fields.fd.name IS NOT NULL, sysdig.event.content.fields.fd.name, + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND (container.id IS NOT NULL OR container.name IS NOT NULL), 
"container", + data_stream.dataset == "sysdig.cspm", sysdig.cspm.control.resource_kind, + data_stream.dataset == "sysdig.vulnerability" AND sysdig.vulnerability.asset_type == "containerImage", "container-image", + data_stream.dataset == "sysdig.vulnerability" AND sysdig.vulnerability.asset_type == "host", "host", + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset IN ("sysdig.event", "sysdig.vulnerability") AND host.name IS NOT NULL, host.name, + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset IN ("sysdig.event", "sysdig.alerts") AND event.provider == "aws_cloudtrail", event.provider, + null + ), + service.target.id = CASE( + service.target.id IS NOT NULL, service.target.id, + data_stream.dataset == "sysdig.alerts" AND event.provider == "aws_cloudtrail" AND cloud.account.id IS NOT NULL, cloud.account.id, + null + ) +| KEEP @timestamp, data_stream.dataset, event.provider, event.action, user.id, user.name, host.ip, service.name, entity.target.id, entity.target.name, host.target.name, service.target.name +``` + +### Streams excluded + +- None — all four datasets receive at least partial extraction. **`sysdig.cspm`** does not populate per-resource IDs (only `sysdig.cspm.control.resource_kind` class + platform scope). + +### Gaps and limitations + +- **Cloud audit actor on `sysdig.alerts`** — principal only in `message` (`requesting user=AutoScaling`); no `user.name` fallback without regex parse. +- **`user.target.*` for account-management events** — `tmp_suid_user` is in `proc.cmdline` / `message` only (Example 2); omit `user.target.name` until ingest maps `proc.args`. +- **`related.user` conflation** on **`sysdig.event`** — not used as actor or target source. +- **`sysdig.event.actions[].type: capture`** — Sysdig forensic response; excluded from `event.action`. 
+- **Image maintainer → `user.name` on `sysdig.vulnerability`** — build metadata from OCI labels; excluded from actor EVAL.
+- **`sysdig.cspm.control.target`** — posture platform scope (`AWS`, `Kubernetes`), not per-resource ECS target identity.
+- **CloudTrail `aws.event_name` on `sysdig.event`** — pipeline field exists; no fixture — medium confidence only.
+- **Pass 4 tautology cleanup** — `user.id` / `user.name` on **`sysdig.event`** and `host.name` / `host.id` on detection streams are ingest-only; actor `EVAL` keeps **`sysdig.alerts`** vendor `sysdig.content.fields.user.*`, `host.ip` ← `source.ip`, and scanner `service.name` literal only.
+- **Pass 4 CASE syntax** — mapped columns use column-level `IS NOT NULL` preserve (not `CASE(actor_exists, …)` / `CASE(target_exists, …)`); detection flags remain for documentation and optional downstream filters.
diff --git a/dev/domain/p1/tanium.md b/dev/domain/p1/tanium.md
new file mode 100644
index 00000000000..1349c2827d6
--- /dev/null
+++ b/dev/domain/p1/tanium.md
@@ -0,0 +1,564 @@
+# tanium
+
+## Product Domain (Tanium endpoint management)
+
+Tanium is an enterprise endpoint management and security platform that gives IT and security teams real-time visibility and control over endpoints at scale—from laptops and servers to cloud workloads. The platform uses a distributed architecture built around Tanium Clients installed on managed endpoints and a central Tanium Server that coordinates questions, actions, and reporting across the fleet. Unlike traditional polling-based management tools, Tanium's linear chain model propagates queries and results peer-to-peer, enabling sub-minute visibility across millions of endpoints with minimal infrastructure.
+
+Core capabilities span endpoint inventory and health monitoring, software deployment and patching, configuration management, asset discovery, and integrated security modules such as Tanium Threat Response for detection and response. Administrators define packages and actions to run commands or deploy software on targeted endpoint groups; sensor data and client status reflect whether endpoints are registered, communicating, and healthy. Tanium Connect exports platform data to external destinations (HTTP, TCP, AWS S3) in JSON format, enabling downstream SIEM and analytics pipelines.
+
+From a security operations perspective, Tanium telemetry supports endpoint fleet visibility, change auditing, threat detection correlation, and investigation of endpoint activity. Security teams use action history to audit administrative operations, client status to monitor agent health and connectivity, Discover data to track managed and unmanaged assets, endpoint configuration changes for compliance, reporting for inventory summaries, and Threat Response events for detections with process, file, and intel match context.
+
+The Elastic Tanium integration ingests Tanium Connect exports via Elastic Agent using TCP, HTTP endpoint, AWS S3 polling, or AWS S3/SQS notification modes.
Events are normalized into ECS-aligned fields with vendor-specific details under `tanium.*`, and bundled Kibana dashboards cover each data stream.
+
+## Data Collected (brief)
+
+The integration collects Tanium Connect JSON logs into six data streams:
+
+- **Action History** (`tanium.action_history`): Records of Tanium actions/packages deployed to endpoints—action ID and name, issuer, approver, command line, package name, status, and start/expiration timestamps.
+- **Client Status** (`tanium.client_status`): Tanium client registration and connectivity state per endpoint—hostname, computer ID, client version, leader/follower status, TLS registration, network locations, and last registration time.
+- **Discover** (`tanium.discover`): Asset discovery records for managed and unmanaged hosts—IP/MAC addresses, hostname, OS, open ports, discovery method flags (ARP, ping, nmap, AWS API), managed/unmanageable status, and Tanium computer ID.
+- **Endpoint Config** (`tanium.endpoint_config`): Audit events for endpoint configuration changes—action type (e.g., created/updated), config item domain/category/ID, manifest revisions, and acting user.
+- **Reporting** (`tanium.reporting`): Inventory/reporting snapshots per computer—hostname, OS platform and version, hardware manufacturer/model, virtualization details, and count metrics.
+- **Threat Response** (`tanium.threat_response`): Security detection and response events—event name/ID, severity/priority, affected host, user context, and rich match details including process trees, file hashes, intel/threat IDs, and recorder activity.
+
+All streams support ingestion via **TCP**, **HTTP endpoint**, **AWS S3**, or **AWS S3/SQS** (default S3 bucket prefixes: `action_history`, `client_status`, `discover`, `endpoint_config`, `reporting`, `threat_response`).
+
+## Expected Audit Log Entities
+
+Tanium Connect exports span six data streams that mix **administrative audit records** (`action_history`, `endpoint_config`), **endpoint state/inventory snapshots** (`client_status`, `discover`, `reporting`), and **security detections / TR platform events** (`threat_response`). Only the first two plus parts of `threat_response` carry explicit acting principals; the inventory streams describe managed or discovered endpoints without naming who initiated the Connect export. The integration maps actors and subjects to ECS where pipelines support it; most Tanium-specific identifiers remain under `tanium.*`.
+
+**No ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*` fields are populated** (`dev/target-fields-audit/out/target_fields_audit.csv` — no rows for this package). The package does **not** use `destination.user.*` or `destination.host.*` de-facto targets (absent from `destination_identity_hits.csv`). Target-fields audit classifies this package as **`moderate_candidate`** with **`pipeline_actor=true`**, **`pipeline_entity_other=true`**, and **`fixture_strong=true`** (`dev/target-fields-audit/out/target_enhancement_packages.csv`).
+
+**Event action:** `event.action` is populated on **`action_history`**, **`endpoint_config`**, and **TR DB-style rows** on `threat_response` (`create`, `update`, `throttle`). It is **absent** on `threat_response` detection/alert exports (`detect.unmatch`, alert rows), and on all three inventory/state streams (`client_status`, `discover`, `reporting`). Primary gaps: `Event Name` on TR detection exports and `Other Parameters` signal `name` are not copied to `event.action`.
+
+Evidence: all six `packages/tanium/data_stream/*/sample_event.json` files; pipeline fixtures `test-action-history.log-expected.json`, `test-client-status.log-expected.json`, `test-discover.log-expected.json`, `test-endpoint-config.log-expected.json`, `test-reporting.log-expected.json`, `test-threat-response.log-expected.json`, `test-new-default.log-expected.json`, `test-deep.log-expected.json`, `test-match-details-empty-map-value.log-expected.json`; ingest pipelines under `data_stream/*/elasticsearch/ingest_pipeline/`.
+
+### Event action (semantic)
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| Deploy Tanium action/package | administration | high | `event.action`: `Deploy Client Configuration and Support [Mac](universal)` ← `ActionName` (`action_history/sample_event.json`; `default.yml` L79–83) | Action **name** used as verb — describes what was deployed, not lifecycle state |
+| Endpoint config audit created | configuration_change | high | `event.action`: `AUDIT_ACTION_CREATED` ← `json.action` (`endpoint_config/sample_event.json`, `test-endpoint-config.log-expected.json`; `default.yml` L56–60) | Clearest audit-style action label in the integration |
+| TR DB row created | administration | high | `event.action`: `create` ← `json.action` on `LiveConnection` row (`test-threat-response.log-expected.json`; `default.yml` L109–113) | CRUD verb on TR platform table exports |
+| TR DB row updated | administration | high | `event.action`: `update` (`test-threat-response.log-expected.json`) | Same pipeline path as `create` |
+| TR DB row throttled | administration | moderate | `event.action`: `throttle` (`test-threat-response.log-expected.json`) | Rate-limit / throttle operation on TR table |
+| Detection event (unmatch) | detection | high | `tanium.threat_response.event.name`: `detect.unmatch` — **not** mapped to `event.action` (`test-threat-response.log-expected.json`,
`sample_event.json`; `default.yml` L264–267) | Vendor event type is the natural action candidate | +| Service intel detection | detection | high | `tanium.threat_response.event.name`: `detect.service.intel.created`, `detect.service.intel.modified` (`test-threat-response.log-expected.json`) | Not copied to `event.action` | +| Signal/rule name (Other Parameters) | detection | moderate | `Other Parameters` kv `name=Netsh WLAN Discovery`, `Windows Remote Access Dialer Proxy Execution` in detection fixtures | Human-readable detection title; vendor-only under `tanium.threat_response.other_parameters.name` | +| Intel alert raised | detection | moderate | Alert export sets `event.kind: alert` with `Intel Name` / `Intel Type: openioc` but no `event.action` (`test-new-default.log-expected.json`) | Alert/intel match — no operation verb mapped | +| Client leader/follower status | — | moderate | `tanium.client_status.value`: `Leader` (`client_status/sample_event.json`; `default.yml` L33–36) | State snapshot — not a per-event operation | +| Asset discovery record | — | low | `discover` exports asset state (`Managed: 1`, discovery-method flags) with no action field | Inventory sync — no meaningful per-event action | +| Reporting inventory snapshot | — | low | `reporting` periodic hardware/OS snapshot with no action field | Inventory sync — no meaningful per-event action | + +### Event action (ECS candidates) + +| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | +| `event.action` | yes (3 streams / TR DB rows) | partial | varies per stream (see per-stream table) | no | Populated on `action_history`, `endpoint_config`, TR DB rows only | +| `tanium.action_history.action.name` / `json.ActionName` | yes (via `event.action`) | partial | `Deploy Client Configuration and Support [Mac](universal)` | no | `copy_from` at `action_history/default.yml` L79–83; action **name** not deployment verb | +| `tanium.action_history.status` / `json.Status` | no | n/a | `Closed` | no | Lifecycle state, not operation verb (`action_history/default.yml` L99–103) | +| `tanium.endpoint_config.action` / `json.action` | yes (via `event.action`) | yes | `AUDIT_ACTION_CREATED` | no | `endpoint_config/default.yml` L56–60; third fixture omits `action` → no `event.action` | +| `tanium.threat_response.action` / `json.action` | yes (via `event.action`) | yes | `create`, `update`, `throttle` | no | `threat_response/default.yml` L109–113; DB-style exports only | +| `tanium.threat_response.event.name` / `json.Event Name` | no | n/a | `detect.unmatch`, `detect.service.intel.created`, `detect.service.intel.modified` | **yes** | Renamed only (`default.yml` L264–267); primary candidate for detection exports | +| `tanium.threat_response.other_parameters.name` | no | n/a | `Netsh WLAN Discovery`, `InfDefaultInstall Proxy Execution` | yes | Parsed from `Other Parameters` kv (`default.yml` L340–346); signal display name | +| `tanium.threat_response.intel_name` / `json.Intel Name` | no | n/a | `ELK - Linux Test ALert 2 /tmp/iambadvirus.vrs` | yes | Alert export action/intel label (`test-new-default.log-expected.json`) | +| `tanium.client_status.value` / `json.Status` | no | n/a | `Leader` | no | Client role state — not an audit operation (`client_status/default.yml` L33–36) | +| `event.type` | no | n/a | `info` (all streams) | no | Static event class — do not substitute for `event.action` | +| `event.category` | no | n/a 
| `host` (where set) | no | Category on audit streams — not operation verb | + +**Per-stream action check:** + +| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `action_history` | yes | yes | `tanium.action_history.action.name` ← `ActionName` | high | `sample_event.json`; `default.yml` L79–83 | +| `endpoint_config` | yes (when `action` present) | yes | `tanium.endpoint_config.action` ← `json.action` | high | `AUDIT_ACTION_CREATED` in fixtures; third fixture lacks `action` | +| `threat_response` | yes (DB rows only) | yes | `tanium.threat_response.action` (DB); **`tanium.threat_response.event.name`** (detections/alerts) | high | `create`/`update`/`throttle` vs absent on `detect.unmatch` / alert fixtures | +| `client_status` | no | no | none — state snapshot (`tanium.client_status.value`) | moderate | `sample_event.json`; no pipeline mapping | +| `discover` | no | no | none — asset inventory sync | low | `sample_event.json`; no action field in vendor JSON | +| `reporting` | no | no | none — inventory snapshot | low | `sample_event.json`; no action field in vendor JSON | + +### Actor (semantic) + +| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | +| Action issuer | user | — | high | `Issuer` → `tanium.action_history.issuer` and `event.provider` (`action_history/default.yml`); fixture: `tanium` (`test-action-history.log-expected.json`, `sample_event.json`). Tanium console account that created/deployed the action. | **`action_history`** only — username string; correlate with Tanium RBAC outside Elastic | +| Action approver | user | — | high | `Approver` → `tanium.action_history.approver`; fixture: `tanium`. Secondary approval principal when workflow requires it. 
| **`action_history`** only — not mapped to ECS `user.*` | +| Endpoint config auditor | user | — | high | `user.user_id` → `user.id`, `related.user`, `tanium.endpoint_config.user.id`; `persona_id` vendor-only (`endpoint_config/default.yml`); fixtures: user ID `8` on `AUDIT_ACTION_CREATED` (`test-endpoint-config.log-expected.json`, `sample_event.json`). | **`endpoint_config`** — clearest admin-audit stream; third fixture lacks `action` but still has `user.id` | +| Threat Response console operator | user | — | high | `userId`/`userName` → `user.id`/`user.name`, `related.user` (`threat_response/default.yml`); fixture: `tanium` (ID `5`) creating a `LiveConnection` record (`test-threat-response.log-expected.json`). | **`threat_response`** DB-style rows (`table`, `action`, `state`) — not detection exports | +| Endpoint logged-on user (detection context) | user | — | low | `User Domain`/`User Name`/`User Id` → `user.domain`/`user.name`/`user.id` when populated (`threat_response/default.yml`); `detect.unmatch` fixture has empty `User Id`/`User Name` with only `user.domain: xyz`; `detect.service.intel.*` fixtures populate `user.id: 1`, `user.name: tanium`. | **`threat_response`** detection exports — endpoint session or service-account context, not the analyst who triaged the alert | +| Acting process user (recorder/signals) | user | — | moderate | Process tree under `tanium.threat_response.match_details.finding.whats[].artifact_activity.acting_artifact.process.user.*` (e.g. `root`/`0` in `detect.unmatch` fixtures); normalized from nested `user.user.*` in `match_details_whats.yml`. Not promoted to ECS `user.*`. | **`threat_response`** — runtime process owner inside decoded match payloads | +| Tanium Server (connectivity peer) | general | tanium-server | moderate | `ServerNetworkLocation` → `server.ip`, `related.ip` (`client_status/default.yml`); fixture: `81.2.69.192`. Infrastructure endpoint the client registers with — not a human actor. 
| **`client_status`** only | + +`client_status`, `discover`, and `reporting` carry no initiating user or service principal — they are fleet visibility exports. `detect.unmatch` events may have empty user fields aside from `user.domain`. + +### Actor (ECS candidates) + +| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `tanium.action_history.issuer` | Action creator (canonical vendor actor) | yes (vendor) | n/a | high | ← `Issuer` (`action_history/default.yml`); fixture `tanium` | +| `event.provider` | Copy of issuer username | yes | partial | moderate | `copy_from: tanium.action_history.issuer` (`action_history/default.yml`); ECS provider names the event source system, not the human actor — semantically overloaded | +| `tanium.action_history.approver` | Approval principal | yes (vendor) | n/a | high | ← `Approver`; fixture `tanium`; no ECS `user.*` mapping | +| `user.id` | Config auditor or TR operator / endpoint user | yes | partial | high | ← `user.user_id` (`endpoint_config/default.yml`); ← `userId` or `User Id` (`threat_response/default.yml`); same ECS field conflates admin actor and endpoint session user depending on event type | +| `user.name` | TR operator or endpoint user | yes | partial | high | ← `userName` or `User Name` (`threat_response/default.yml`); `tanium` on LiveConnection and `detect.service.intel.*` fixtures | +| `user.domain` | Endpoint logon domain | yes | yes | moderate | ← `User Domain` (`threat_response/default.yml`); `xyz` on `detect.unmatch` fixture | +| `related.user` | Enrichment array | yes | partial | high | Appends `user.id`/`user.name` (`endpoint_config/default.yml`, `threat_response/default.yml`); does not distinguish actor vs endpoint-context user | +| `tanium.endpoint_config.user.persona_id` | Tanium persona for config auditor | yes (vendor) | n/a | high | ← `persona_id`; fixture `0`; not mapped to ECS | +| `tanium.endpoint_config.user.id` | Config 
auditor (vendor copy) | yes (vendor) | n/a | high | Also copied to `user.id` | +| `tanium.threat_response.user.id` / `.name` | TR operator or endpoint user (vendor copy) | yes (vendor) | n/a | high | Also copied to `user.id`/`user.name` when populated | +| `tanium.threat_response.match_details.finding.whats[].artifact_activity.acting_artifact.process.user.*` | Process-tree user identity | yes (vendor) | n/a | moderate | Normalized in `match_details_whats.yml`; `root`/`0` in `detect.unmatch` fixture; not promoted to ECS `user.*` | +| `client.ip` | Managed endpoint client IP | yes | n/a | high | ← `ClientNetworkLocation` (`client_status/default.yml`); endpoint network context, not an actor | +| `server.ip` | Tanium Server registration peer | yes | n/a | moderate | ← `ServerNetworkLocation` (`client_status/default.yml`); infrastructure context | + +### Target (semantic) + +| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | --- | --- | +| 1 — Platform / cloud service | Tanium module / solution scope | Tanium Endpoint Config solution | service | — | moderate | `module.solution_id` → `tanium.endpoint_config.module.solution_id`; fixture: `01-080-0332` | **`endpoint_config`** — solution/module context for config change | +| 1 — Platform / cloud service | Threat Response platform domain | Tanium Threat Response | service | — | moderate | `finding.domain: threatresponse` under `tanium.threat_response.match_details.finding.*` (`test-new-default.log-expected.json`) | **`threat_response`** alerts/detections | +| 2 — Resource / object | Deployed Tanium action / package | Tanium action | general | tanium-action | high | `ActionId`/`ActionName` → `tanium.action_history.action.*`; `PackageName`, `Status`, timestamps (`action_history/default.yml`); fixture action ID `6058` | **`action_history`** — targeted endpoint group implied, not named in export | +| 2 — Resource / object 
| Endpoint configuration item | Config item | general | endpoint-config-item | high | `config_item.id`/`domain`/`data_category` → `tanium.endpoint_config.item.*` (`endpoint_config/default.yml`); fixture: `endpoint-config` / `tools` / ID `1` | **`endpoint_config`** | +| 2 — Resource / object | Configuration manifest / saved actions | Config manifest | general | config-manifest | high | `manifest.windows_saved_action_id`, `non_windows_saved_action_id`, `revision`, `service_uuid`, `items[]` → `tanium.endpoint_config.manifest.*` | **`endpoint_config`** — links change to platform saved-action IDs | +| 2 — Resource / object | Managed endpoint (client status) | Managed host | host | — | high | `HostName`/`ComputerId` → `host.name`/`host.id`; `ClientNetworkLocation` → `client.ip` (`client_status/default.yml`); fixture: `dhcp-client02.local` / `4008511043` | **`client_status`** — inventory/state subject | +| 2 — Resource / object | Discovered / managed asset | Host asset | host | — | high | `HostName` → `host.name`; `IpAddress`/`MacAddress` → `source.ip`/`source.mac`; `TaniumComputerId` → `tanium.discover.computer_id` (`discover/default.yml`); fixture: `otelco7_46.test.local` | **`discover`** — managed vs unmanaged via `Managed`, discovery-method flags | +| 2 — Resource / object | Inventory snapshot endpoint | Managed host | host | — | high | `Computer Name` → `host.name`; OS/hardware under `os.*` and `tanium.reporting.*` (`reporting/default.yml`); fixture: `localhost` | **`reporting`** — periodic inventory snapshot | +| 2 — Resource / object | Affected endpoint (detection/alert) | Compromised / monitored host | host | — | high | `Computer Name`/`Computer IP` → `host.name`, `source.ip`, `tanium.threat_response.computer.*` (`threat_response/default.yml`); fixtures: `worker-2`, `hostname.example.com` | **`threat_response`** | +| 2 — Resource / object | Live connection target host | Remote endpoint | host | — | high | Parsed `state.target.hostname`/`eid` → `host.name`, 
`tanium.threat_response.state.target.*` (`threat_response/default.yml`); fixture: `worker-2`, eid `3` | **`threat_response`** LiveConnection DB events | +| 2 — Resource / object | Threat intel / hunt finding | Intel match | general | threat-intel | high | `intel_id`, `intel_name`, `intel_type`, `hunt_id`, `threat_id`, `finding.id` under `tanium.threat_response.match_details.finding.*` and top-level `tanium.threat_response.intel_*`; alert fixture: OpenIOC intel `715`, hunt `hunt:1000123` | **`threat_response`** | +| 2 — Resource / object | TR alert record | Security alert | general | alert | high | `Alert Id` → `tanium.threat_response.alert_id`, `event.kind: alert` (`test-new-default.log-expected.json`); `Link` to Tanium console | **`threat_response`** | +| 3 — Content / artifact | Action command line | Shell command | general | command | high | `Command` → `process.command_line` (`action_history/default.yml`); fixture deploy script | **`action_history`** | +| 3 — Content / artifact | Matched file artifact | File on disk | general | file | high | `relevant_actions[].target.file.*` — path, hashes, size; hashes → `related.hash`; size → `file.size` (`match_details.yml`, `match_details_whats_actions.yml`); fixture: `/tmp/verybadvirus.vrs` | **`threat_response`** — primary detection artifact | +| 3 — Content / artifact | Acting process (detection) | OS process | general | process | moderate | `acting_artifact.process` tree with `pid`, `arguments`, parent chain, `file.path`; `process.pid` from leaf only (`match_details.yml`); fixture: PID `43181` (`docker-untar`) on `worker-2` | **`threat_response`** — full tree vendor-only under `tanium.threat_response.match_details.*` | + +### Target (ECS candidates) + +| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `host.name` | 2 | host | yes | partial | `host.target.name` | **yes** | ← endpoint hostname across `client_status`, `discover`, `reporting`, `threat_response` pipelines; also ← `state.target.hostname` for LiveConnection; inventory subject and affected endpoint share one field — context-only today | +| `host.id` | 2 | host | yes | partial | `host.target.id` | **yes** | ← `ComputerId` (`client_status/default.yml`); fixture `4008511043` | +| `source.ip` | 2 | host | yes | partial | context-only | no | ← `IpAddress` (`discover/default.yml`) or `Computer IP` (`threat_response/default.yml`); endpoint IP identity, not a network-flow peer | +| `source.mac` | 2 | host | yes | yes | context-only | no | ← `MacAddress` (`discover/default.yml`); fixture `00-00-5E-00-53-00` | +| `client.ip` | 2 | host | yes | partial | `host.target.ip` | yes | ← `ClientNetworkLocation` (`client_status/default.yml`); managed client network location | +| `tanium.discover.computer_id` | 2 | host | yes (vendor) | n/a | `host.target.id` | yes | Managed Tanium computer ID when `Managed: 1`; fixture `1558993994` | +| `tanium.threat_response.computer.name` / `.ip` | 2 | host | yes (vendor) | n/a | `host.target.name` / `host.target.ip` | yes | Vendor copies also drive `host.name`/`source.ip` | +| `tanium.threat_response.state.target.hostname` / `.eid` | 2 | host | yes (vendor) | n/a | `host.target.name` / `entity.target.id` | **yes** | Explicit TR live-response target; fixture `worker-2` / eid `3`; vendor `*target*` path flagged in `vendor_target_special_cases.csv` | +| `tanium.threat_response.match_details.finding.whats[].artifact_activity.relevant_actions[].target.file.*` | 3 | general | yes (vendor) | n/a | `entity.target.id` | **yes** | File path, hashes, size; vendor `target.file` subtree; only `file.size` and `related.hash` partially promoted to ECS | +| `file.size` | 3 | general | yes | partial | context-only | yes | `copy_from` 
first whats target file size (`match_details.yml`); single-value promotion from nested array | +| `related.hash` | 3 | general | yes | yes | context-only | no | MD5/SHA1/SHA256 appended from target file hashes (`match_details_whats_actions.yml`) | +| `process.pid` | 3 | general | yes | partial | context-only | yes | Leaf `acting_artifact.process.pid` only (`match_details.yml`); full process tree remains vendor-only | +| `process.command_line` | 3 | general | yes | yes | context-only | no | ← action `Command` (`action_history/default.yml`) | +| `tanium.action_history.action.id` / `.name` | 2 | general | yes (vendor) | n/a | `entity.target.id` | yes | Action definition target; fixture ID `6058` | +| `tanium.action_history.package_name` | 2 | general | yes (vendor) | n/a | `entity.target.name` | yes | Deployed package name | +| `tanium.endpoint_config.item.*` | 2 | general | yes (vendor) | n/a | `entity.target.id` | yes | Config item domain/category/ID | +| `tanium.endpoint_config.manifest.*` | 2 | general | yes (vendor) | n/a | `entity.target.id` | yes | Saved-action IDs, revision, service UUID | +| `tanium.endpoint_config.module.solution_id` | 1 | service | yes (vendor) | n/a | `service.target.name` | yes | Tanium solution scope | +| `tanium.threat_response.intel_*`, `match_details.finding.hunt_id`, `.threat_id`, `.finding.id` | 2 | general | yes (vendor) | n/a | `entity.target.id` | yes | Threat intel and hunt identifiers | +| `tanium.threat_response.alert_id` | 2 | general | yes (vendor) | n/a | `entity.target.id` | yes | Alert GUID; sets `event.kind: alert` | +| `server.ip` | — | general | yes | n/a | context-only | no | Tanium Server peer on client registration — infrastructure context, not audit target | + +### Gaps and mapping notes + +- **No ECS `*.target.*` fields and no `destination.user.*` / `destination.host.*`** — target-fields audit confirms zero official target mappings; package is **`moderate_candidate`** with strong fixtures but vendor-heavy target 
identity under `tanium.*`.
+- **`event.action` gaps on `threat_response` detections/alerts** — `Event Name` (`detect.unmatch`, `detect.service.intel.*`) and signal `name` in `Other Parameters` are not mapped; only TR DB `json.action` (`create`/`update`/`throttle`) reaches `event.action`. Alert exports (`test-new-default.log-expected.json`) have no `event.action` despite `event.kind: alert`.
+- **`action_history` maps action name, not verb** — `ActionName` → `event.action` is semantically the deployed package/action label; `Status` (`Closed`) stays vendor-only and is lifecycle state, not an operation.
+- **`endpoint_config` without `action`** — third fixture has config/manifest/user but no `json.action`, so `event.action` is empty; user ID `8` still present.
+- **Inventory streams have no per-event action** — `client_status`, `discover`, and `reporting` are state/inventory sync; do not infer `event.action` from `Status` or `Managed` flags.
+- **`Issuer`/`Approver`** remain vendor-only (`tanium.action_history.*`); **`event.provider`** copies issuer username but ECS provider semantics describe the event source system, not the human actor — do not treat as canonical actor mapping.
+- **`user.id`/`user.name` conflation** on `threat_response`: same ECS fields hold TR console operators (`userId`/`userName` on LiveConnection rows), endpoint session users (`User Id`/`User Name` on detect exports), and service-account-style IDs (`user.id: 1` on `detect.service.intel.*`) — actor vs endpoint-context user requires `event.action`, `table`, and `Event Name` disambiguation.
+- **`host.name` overload** — used for inventory subjects (`client_status`, `discover`, `reporting`), detection affected hosts, and LiveConnection `state.target.hostname`; semantically a target in detection/inventory contexts but stored as generic `host.name`, not `host.target.*`. 
+- **Process/file targets** in Threat Response stay largely under `tanium.threat_response.match_details.*`; only `process.pid`, `file.size`, and `related.hash` get partial ECS promotion — vendor `relevant_actions[].target.file.*` paths are the best enhancement source (`vendor_target_special_cases.csv`, 13 rows).
+- **`tanium.endpoint_config.user.persona_id`** and **`tanium.action_history.approver`** are unmapped admin identity — supplement with Tanium platform audit or identity integrations for full attribution.
+- **Action history** does not name targeted computer IDs or groups in the Connect export — endpoint scope lives in Tanium Server outside this integration.
+- **`related.user`** aggregates admin and endpoint user IDs without role distinction — useful for correlation, not actor/target separation.
+
+### Per-stream notes
+
+#### `action_history`
+
+Administrative audit of Tanium action deployment. **Action:** `event.action` ← `ActionName` (deployed action/package name). **Actors:** issuer and approver (vendor username strings). **Targets:** action definition (`tanium.action_history.action.*`), package name, and command line (`process.command_line`). No per-endpoint target identity in export payload.
+
+#### `client_status`
+
+Endpoint agent health/state snapshot (`event.kind: state`). **No `event.action`** — client role at `tanium.client_status.value` (`Leader`). **No actor.** **Target:** the managed endpoint at `host.name`/`host.id` with `client.ip` network context. `server.ip` is Tanium Server infrastructure peer, not an audit target.
+
+#### `discover`
+
+Asset discovery record (`event.kind: event`). **No `event.action`** — inventory sync. **No actor.** **Target:** discovered or managed host at `host.name` with `source.ip`/`source.mac`; `tanium.discover.computer_id` when managed. Discovery method flags (`arp`, `nmap`, `aws_api`, etc.) describe how the asset was found.
+
+#### `endpoint_config`
+
+Endpoint configuration change audit. 
**Action:** `event.action` ← `json.action` (e.g. `AUDIT_ACTION_CREATED`) when present. **Actor:** admin at `user.id` (vendor `user.user_id`). **Targets:** config item (`tanium.endpoint_config.item.*`), manifest/saved-action linkage (`tanium.endpoint_config.manifest.*`), Tanium solution module (`tanium.endpoint_config.module.solution_id`). Events without `action` still carry user ID (third test fixture).
+
+#### `reporting`
+
+Periodic inventory/reporting snapshot. **No `event.action`.** **No actor.** **Target:** endpoint at `host.name` with OS/hardware attributes under `os.*` and `tanium.reporting.*`.
+
+#### `threat_response`
+
+Richest stream — TR platform DB events, detections, and alerts. **Action:** `event.action` on DB rows (`create`/`update`/`throttle`); detection exports use `tanium.threat_response.event.name` (`detect.unmatch`, `detect.service.intel.*`) without ECS `event.action`; alerts set `event.kind: alert` only. **Two actor models:** TR console users on DB rows (`LiveConnection` → `user.id`/`user.name`) vs endpoint/runtime users in detection context (`User Domain`/`User Id`/`User Name`, plus process-tree users under `match_details`). **Targets:** affected host (`host.name`, `source.ip`), explicit live-response target (`tanium.threat_response.state.target.*`), file/process artifacts (`match_details.finding.whats[].*target*`), intel/hunt IDs, and alert records (`tanium.threat_response.alert_id`, `event.kind: alert`).
+
+## Example Event Graph
+
+Examples below come from **`action_history`**, **`endpoint_config`**, and **`threat_response`** — the three streams with explicit administrative or security-operation semantics. They are true audit records (`action_history`, `endpoint_config`) or audit-adjacent TR platform events and detections (`threat_response`). Inventory/state streams (`client_status`, `discover`, `reporting`) are periodic snapshots with no per-event actor or action and are omitted here. 
+
+### Example 1: Admin deploys Tanium action package
+
+**Stream:** `tanium.action_history` · **Fixture:** `packages/tanium/data_stream/action_history/sample_event.json`
+
+```
+tanium (issuer) → Deploy Client Configuration and Support [Mac](universal) → Tanium action 6058
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | tanium |
+| name | tanium |
+| type | user |
+
+**Field sources:**
+- `id` ← `tanium.action_history.issuer` (also copied to `event.provider`)
+- `name` ← `tanium.action_history.issuer`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | Deploy Client Configuration and Support [Mac](universal) |
+| source_field | `event.action` |
+| source_value | Deploy Client Configuration and Support [Mac](universal) |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 6058 |
+| name | Deploy Client Configuration and Support [Mac](universal) |
+| type | general |
+| sub_type | tanium-action |
+
+**Field sources:**
+- `id` ← `tanium.action_history.action.id`
+- `name` ← `tanium.action_history.action.name` (vendor maps `ActionName` to both `event.action` and action metadata — same string, distinct roles: operation label vs. 
action-definition target)
+- Package context ← `tanium.action_history.package_name` (same value in this fixture)
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: tanium"] --> E["Deploy Client Configuration and Support [Mac](universal)"]
+ E --> T["Target: action 6058"]
+```
+
+### Example 2: Admin creates endpoint configuration item
+
+**Stream:** `tanium.endpoint_config` · **Fixture:** `packages/tanium/data_stream/endpoint_config/sample_event.json`
+
+```
+user 1 → AUDIT_ACTION_CREATED → endpoint-config item 9 (tools)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | 1 |
+| type | user |
+
+**Field sources:**
+- `id` ← `user.id` ← `tanium.endpoint_config.user.id` ← vendor `user.user_id`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | AUDIT_ACTION_CREATED |
+| source_field | `event.action` |
+| source_value | AUDIT_ACTION_CREATED |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 9 |
+| name | endpoint-config / tools |
+| type | general |
+| sub_type | endpoint-config-item |
+
+**Field sources:**
+- `id` ← `tanium.endpoint_config.item.id`
+- `name` ← `tanium.endpoint_config.item.domain`, `tanium.endpoint_config.item.data_category` (`endpoint-config`, `tools`)
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: user 1"] --> E["AUDIT_ACTION_CREATED"]
+ E --> T["Target: config item 9"]
+```
+
+### Example 3: TR operator opens live connection to endpoint
+
+**Stream:** `tanium.threat_response` · **Fixture:** `packages/tanium/data_stream/threat_response/_dev/test/pipeline/test-threat-response.log-expected.json` (first event, `LiveConnection` row)
+
+```
+tanium (user 5) → create → worker-2
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | 5 |
+| name | tanium |
+| type | user |
+
+**Field sources:**
+- `id` ← `user.id` ← `tanium.threat_response.user.id`
+- `name` ← `user.name` ← `tanium.threat_response.user.name`
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | create |
+| 
source_field | `event.action` |
+| source_value | create |
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 3 |
+| name | worker-2 |
+| type | host |
+
+**Field sources:**
+- `id` ← `tanium.threat_response.state.target.eid`
+- `name` ← `host.name` ← `tanium.threat_response.state.target.hostname`
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: tanium (5)"] --> E["create"]
+ E --> T["Target: worker-2"]
+```
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (`policy_templates`, six `data_stream/` directories with Tier A fixtures: `sample_event.json`, `*-expected.json`, ingest pipelines). Router: **`data_stream.dataset`** (`tanium.action_history`, `tanium.client_status`, `tanium.discover`, `tanium.endpoint_config`, `tanium.reporting`, `tanium.threat_response` per `sample_event.json`). Secondary discriminator on **`tanium.threat_response`**: **`tanium.threat_response.table IS NOT NULL`** (TR DB rows vs detection/alert exports). Pass 4 is **fill-gaps-only**: detection flags run first for query semantics; mapped columns use **column-level** `CASE( IS NOT NULL, , …, null)` — not `CASE(actor_exists, user.name, …)` / `CASE(target_exists, host.target.name, …)` when ingest `user.id` or another `*.target.*` column satisfies the flag while the output column is still empty (Pass 4 §10). No ECS `*.target.*` at ingest today — fallbacks promote vendor action/config/TR fields to `entity.target.*` and `host.target.*`. Inventory/state streams excluded (Pass 3: no per-event Actor → action → Target graph).
+
+**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. Wrong: `CASE(user.name IS NOT NULL, user.name, tanium.action_history.issuer, null)` (4 args — `issuer` is a **condition**). Right: **5-arg** `CASE(user.name IS NOT NULL, user.name, data_stream.dataset == "tanium.action_history", tanium.action_history.issuer, null)`. 
Do not use **4-arg** `CASE(actor_exists, user.name, tanium.action_history.issuer, null)` — `actor_exists` is true from ingest `user.id` on `endpoint_config` / TR DB rows while `user.name` on `action_history` is still empty.
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `tanium.action_history` | admin action deploy audit | user | general (action definition) | full |
+| `tanium.endpoint_config` | endpoint config change audit | user | general (config item) | full |
+| `tanium.threat_response` | TR DB / detection / alert | user | host / general | partial |
+| `tanium.client_status` | client health snapshot | — | — | none |
+| `tanium.discover` | asset discovery inventory | — | — | none |
+| `tanium.reporting` | hardware/OS inventory snapshot | — | — | none |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.name` | `user.name` | `data_stream.dataset == "tanium.action_history"` | high | **preserve existing** |
+| `user.name` | `tanium.action_history.issuer` | `data_stream.dataset == "tanium.action_history"` | high | **vendor fallback** — fixture: `tanium`; do not use `event.provider` (semantically overloaded) |
+| `user.id` | `user.id` | `data_stream.dataset == "tanium.endpoint_config"` | high | **ingest-only — no ES\|QL** — pipeline copies `tanium.endpoint_config.user.id` → `user.id` (fixture: `8`) |
+| `user.id` | `user.id` | `data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.table IS NOT NULL` | high | **ingest-only — no ES\|QL** — pipeline copies `tanium.threat_response.user.id` → `user.id` (fixture: `5` on LiveConnection) |
+| `user.name` | `user.name` | `data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.table IS NOT NULL` | high | **ingest-only — no ES\|QL** — 
pipeline copies `tanium.threat_response.user.name` → `user.name` (fixture: `tanium`) |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `entity.target.id` | `entity.target.id` | `data_stream.dataset IN ("tanium.action_history", "tanium.endpoint_config", "tanium.threat_response")` | high | **preserve existing** |
+| `entity.target.id` | `tanium.action_history.action.id` | `data_stream.dataset == "tanium.action_history"` | high | **vendor fallback** — fixture: `6058` |
+| `entity.target.name` | `entity.target.name` | `data_stream.dataset == "tanium.action_history"` | high | **preserve existing** |
+| `entity.target.name` | `tanium.action_history.action.name` | `data_stream.dataset == "tanium.action_history"` | high | **vendor fallback** — same string as `event.action`, distinct role (Pass 3) |
+| `entity.target.type` | `entity.target.type` | `data_stream.dataset IN ("tanium.action_history", "tanium.endpoint_config")` | high | **preserve existing** |
+| `entity.target.type` | `"tanium-action"` | `data_stream.dataset == "tanium.action_history"` | high | **semantic literal** — action-definition target (Pass 3) |
+| `entity.target.type` | `tanium.endpoint_config.item.domain` | `data_stream.dataset == "tanium.endpoint_config"` | high | **vendor fallback** — e.g. `endpoint-config` |
+| `entity.target.sub_type` | `entity.target.sub_type` | `data_stream.dataset == "tanium.endpoint_config"` | high | **preserve existing** |
+| `entity.target.sub_type` | `tanium.endpoint_config.item.data_category` | `data_stream.dataset == "tanium.endpoint_config"` | high | **vendor fallback** — e.g. 
`tools` |
+| `entity.target.id` | `tanium.endpoint_config.item.id` | `data_stream.dataset == "tanium.endpoint_config"` | high | **vendor fallback** — fixture: `9` |
+| `host.target.name` | `host.target.name` | `data_stream.dataset == "tanium.threat_response"` | high | **preserve existing** |
+| `host.target.name` | `tanium.threat_response.state.target.hostname` | `data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.state.target.hostname IS NOT NULL` | high | **vendor fallback** — LiveConnection; fixture: `worker-2` |
+| `host.target.name` | `host.name` | `data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.event.name IS NOT NULL AND tanium.threat_response.state.target.hostname IS NULL` | medium | **de-facto** — affected endpoint on detection exports |
+| `entity.target.id` | `tanium.threat_response.state.target.eid` | `data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.state.target.eid IS NOT NULL` | high | **vendor fallback** — LiveConnection endpoint ID; fixture: `3` |
+| `host.target.ip` | `host.target.ip` | `data_stream.dataset == "tanium.threat_response"` | high | **preserve existing** |
+| `host.target.ip` | `source.ip` | `data_stream.dataset == "tanium.threat_response" AND source.ip IS NOT NULL` | medium | **de-facto** ← `Computer IP`; fixture: `81.2.69.192` on `detect.unmatch` |
+
+#### Event action mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `event.action` | `event.action` | all audit streams | high | **preserve existing** — populated on `action_history`, `endpoint_config`, TR DB rows |
+| `event.action` | `tanium.threat_response.event.name` | `data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.event.name IS NOT NULL AND tanium.threat_response.table IS NULL` | high | **vendor fallback** — `detect.unmatch`, `detect.service.intel.*`; not mapped at ingest (Pass 2 
enhancement) |
+
+### Detection flags (mandatory — run first)
+
+Standard `actor_exists` / `target_exists` / `action_exists`. **`user.id` omitted from actor `EVAL`** — ingest populates it on `endpoint_config` and TR DB rows (`table IS NOT NULL`); `actor_exists` preserves. **Only `user.name` has a query-time fallback** (`action_history` ← `tanium.action_history.issuer`). Detection/alert rows may have ingest `user.*` (endpoint session) preserved when `actor_exists`.
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+### Combined ES|QL — actor fields
+
+```esql
+| EVAL
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset == "tanium.action_history", tanium.action_history.issuer,
+ null
+ )
+```
+
+### Combined ES|QL — event action
+
+```esql
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.event.name IS NOT NULL AND tanium.threat_response.table IS NULL, tanium.threat_response.event.name,
+ null
+ )
+```
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "tanium.action_history", TO_STRING(tanium.action_history.action.id),
+ data_stream.dataset == "tanium.endpoint_config", TO_STRING(tanium.endpoint_config.item.id),
+ 
data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.state.target.eid IS NOT NULL, tanium.threat_response.state.target.eid,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "tanium.action_history", tanium.action_history.action.name,
+ null
+ ),
+ entity.target.type = CASE(
+ entity.target.type IS NOT NULL, entity.target.type,
+ data_stream.dataset == "tanium.action_history", "tanium-action",
+ data_stream.dataset == "tanium.endpoint_config", tanium.endpoint_config.item.domain,
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "tanium.endpoint_config", tanium.endpoint_config.item.data_category,
+ null
+ ),
+ host.target.name = CASE(
+ host.target.name IS NOT NULL, host.target.name,
+ data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.state.target.hostname IS NOT NULL, tanium.threat_response.state.target.hostname,
+ data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.event.name IS NOT NULL AND tanium.threat_response.state.target.hostname IS NULL, host.name,
+ null
+ ),
+ host.target.ip = CASE(
+ host.target.ip IS NOT NULL, host.target.ip,
+ data_stream.dataset == "tanium.threat_response" AND source.ip IS NOT NULL, source.ip,
+ null
+ )
+```
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ 
OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset == "tanium.action_history", tanium.action_history.issuer,
+ null
+ ),
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.event.name IS NOT NULL AND tanium.threat_response.table IS NULL, tanium.threat_response.event.name,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "tanium.action_history", TO_STRING(tanium.action_history.action.id),
+ data_stream.dataset == "tanium.endpoint_config", TO_STRING(tanium.endpoint_config.item.id),
+ data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.state.target.eid IS NOT NULL, tanium.threat_response.state.target.eid,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "tanium.action_history", tanium.action_history.action.name,
+ null
+ ),
+ entity.target.type = CASE(
+ entity.target.type IS NOT NULL, entity.target.type,
+ data_stream.dataset == "tanium.action_history", "tanium-action",
+ data_stream.dataset == "tanium.endpoint_config", tanium.endpoint_config.item.domain,
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "tanium.endpoint_config", tanium.endpoint_config.item.data_category,
+ null
+ ),
+ host.target.name = CASE(
+ host.target.name IS NOT NULL, host.target.name,
+ data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.state.target.hostname IS NOT NULL, tanium.threat_response.state.target.hostname,
+ data_stream.dataset == "tanium.threat_response" AND tanium.threat_response.event.name IS NOT NULL AND tanium.threat_response.state.target.hostname IS NULL, host.name,
+ null
+ ),
+ 
host.target.ip = CASE(
+ host.target.ip IS NOT NULL, host.target.ip,
+ data_stream.dataset == "tanium.threat_response" AND source.ip IS NOT NULL, source.ip,
+ null
+ )
+| KEEP @timestamp, data_stream.dataset, event.action, user.id, user.name, entity.target.id, entity.target.name, entity.target.type, host.target.name, host.target.ip
+```
+
+### Streams excluded
+
+- **`tanium.client_status`** — Tanium client registration/leader state snapshot (`event.kind: state`); no actor or audit verb; `host.name`/`host.id` are inventory subject, not audit target.
+- **`tanium.discover`** — Asset discovery inventory sync; no per-event action or initiating principal.
+- **`tanium.reporting`** — Periodic hardware/OS inventory snapshot; no actor or meaningful per-event action.
+
+### Gaps and limitations
+
+- **`user.id` / TR DB `user.name`:** Ingest-only on `endpoint_config` and `threat_response` (TR DB rows) — omitted from actor `EVAL` (no alternate query-time source; tautology if `CASE(..., user.id, ..., user.id, null)`).
+- **`threat_response` detection exports:** Ingest `user.id`/`user.name` may hold endpoint session context (`detect.service.intel.*`) — preserved when `actor_exists`; no admin-actor fallback without `table` guard (Pass 3).
+- **`event.action` on alerts:** Intel/alert exports (`test-new-default.log-expected.json`) have no `event.action` and no `tanium.threat_response.event.name` — `tanium.threat_response.intel_name` / `other_parameters.name` omitted (low confidence).
+- **`endpoint_config` without `action`:** Third fixture has user but no `json.action` — `action_exists` false; no config-audit verb fallback.
+- **File/process targets in `match_details`:** Vendor `relevant_actions[].target.file.*` requires nested array extraction — omitted.
+- **`tanium.action_history.approver`:** Unmapped admin identity — vendor-only.
+- **Action history endpoint scope:** Connect export does not name targeted computer IDs/groups. 
+- **`host.name` overload on `threat_response`:** Prefer `tanium.threat_response.state.target.hostname` when present (LiveConnection).
+- **Inventory streams:** Do not promote `host.name` to `host.target.*` without audit semantics.
+- **Pass 2 alignment** — ingest-time `*.target.*` and `event.action` ← `Event Name` remain preferred; Pass 4 fills gaps without overwriting populated values.
+- **Pass 4 CASE syntax** — actor/action/target `EVAL` blocks use column-level `CASE( IS NOT NULL, , …, null)` (valid **5-arg** / **7-arg**); detection flags remain query-time helpers only. Pipeline fragment aligned with combined blocks; no **4-arg** `CASE(col IS NOT NULL, col, bare_field, null)` or `CASE(actor_exists/target_exists, col, …)` on mapped columns.
diff --git a/dev/domain/p1/ti_misp.md b/dev/domain/p1/ti_misp.md
new file mode 100644
index 00000000000..ef0aa13aeee
--- /dev/null
+++ b/dev/domain/p1/ti_misp.md
@@ -0,0 +1,535 @@
+# ti_misp
+
+## Product Domain
+
+MISP (Malware Information Sharing Platform, now the Open Source Threat Intelligence and Sharing Platform) is an open-source threat intelligence platform for collecting, storing, correlating, and sharing structured cyber threat information. Organizations use MISP to centralize indicators of compromise (IOCs), malware analysis, incident context, and related threat data in a standardized format, making intelligence reusable across security tools and trusted communities.
+
+Threat intelligence sharing is a core MISP capability. The platform supports granular distribution models and sharing groups so organizations can exchange events and attributes with partners, sector communities, and federated MISP instances while respecting confidentiality policies. Built-in correlation links related indicators, campaigns, and events; decaying models track indicator freshness over time; and a REST automation API enables integration with SIEMs, IDS/IPS, firewalls, and other defensive systems.
+
+Key capabilities include structured event and attribute management (IPs, domains, file hashes, URLs, and richer object templates), automated synchronization between instances, enrichment and workflow automation, and export to machine-readable formats for detection and blocking. Common use cases include aggregating OSINT and commercial feeds into a single hub, collaborative incident analysis across CSIRTs and ISACs, operationalizing IOCs for indicator-matching and threat hunting, and pushing actionable intelligence to downstream security controls.
+
+## Data Collected (brief)
+
+The integration uses the MISP REST API to poll threat intelligence indicators from a running MISP instance via Elastic Agent. 
It collects two data streams: **Threat** (event-level indicators with event, attribute, object, and organization context) and **Threat Attributes** (granular attribute data from `/attributes/restSearch`, including decay scores and IOC expiration metadata), with configurable polling intervals, filters, and support for active-only indicator indices via Elastic transforms.
+
+## Expected Audit Log Entities
+
+This integration does **not** collect MISP audit or user-activity logs. MISP exposes separate audit APIs for console/API actions (logins, event edits, attribute changes); neither stream polls those endpoints. Both streams are threat-intelligence enrichment (`event.kind: enrichment`, `event.category: threat`, `event.type: indicator`) and are treated below as **audit-adjacent** sources where actor/target semantics still help entity analytics.
+
+No ECS `*.target.*` fields are populated (`target_enhancement_packages.csv`: `ti_misp,none`). No `destination.user.*` or `destination.host.*` in pipelines (`destination_identity_hits.csv`: not listed). Targets here are **IOC observables** (what an indicator describes), not entities acted upon in an audit event.
+
+**`event.action` is absent** on both streams — not present in `sample_event.json`, any `*-expected.json`, or either ingest pipeline. Pipelines statically set `event.kind`, `event.category`, and `event.type` only (`threat/default.yml` L10–18; `threat_attributes/default.yml` L10–18). These are enrichment snapshots of published MISP attributes, not per-operation audit verbs.
+
+### Event action (semantic)
+
+Neither stream records a meaningful per-event operation verb. Documents represent **polled IOC attribute state** from MISP REST APIs (`/events/restSearch` on **threat**, `/attributes/restSearch` on **threat_attributes**), not user or API actions at ingest time. There is no login, create, update, or delete action indexed on each document. 
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| *(no per-event action)* | — | high | `event.action` absent from all fixtures and pipelines; no vendor `action` / `operation` / `event_type` field in MISP poll payloads | Both streams — enrichment indicator documents, not audit events |
+| Threat indicator enrichment (ECS taxonomy) | data_access | high | Static pipeline sets: `event.kind: enrichment`, `event.category: [threat]`, `event.type: [indicator]` | Describes ECS event class, **not** a mapped `event.action` value |
+
+Do not substitute `event.type: indicator` or `event.category: threat` for `event.action` — they classify the ECS event, not the verb performed.
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `event.action` | no | n/a | — | no | Not set in pipelines or fixtures |
+| `event.type` | no (taxonomy, not action) | n/a | `indicator` | no | Static `set: [indicator]` both pipelines L16–18; ECS event type, not operation verb |
+| `event.category` | no (taxonomy, not action) | n/a | `threat` | no | Static `set: [threat]` both pipelines L13–15 |
+| `misp.attribute.type` | no | n/a | e.g. `md5`, `ip-dst`, `domain`, `sha256` | no | MISP IOC observable type → `threat.indicator.type`; describes indicator shape, not user/API action (`threat/sample_event.json`: `sha256`; `threat/.../test-misp-sample-ndjson.log-expected.json`: `md5`, `domain\|ip`) |
+| `misp.attribute.category` | no | n/a | e.g. `Payload delivery`, `Network activity`, `External analysis` | no | MISP attribute taxonomy in fixtures; context label, not an action verb |
+| `misp.event.published` | no | n/a | — | no | Boolean publish state on parent event (e.g. 
`published: true` in threat expected fixtures); state metadata, not indexed action |
+
+No vendor field in polled MISP JSON names a console/API operation suitable for `event.action`. True MISP audit actions (e.g. `login`, `edit`, `publish`) live on the separate MISP audit API, which this integration does not ingest.
+
+### Actor (semantic)
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+| MISP event creator | user | — | medium | `misp.event.event_creator_email` → `user.email`; `user.roles: ["reporting_user"]` appended when email is set (both pipelines). `threat/sample_event.json`: `admin@admin.test`; `threat_attributes/.../test-misp-sample-ndjson.log-expected.json`: `user@example.com` | Present only when source event includes `event_creator_email`; absent in most OSINT fixtures (CIRCL, ESET, CUDESO) |
+| Creating / publishing organization | general | organization | high | **threat**: full `misp.orgc.id`, `misp.orgc.name`, `misp.orgc.uuid`, `misp.orgc.local` retained (e.g. `"CIRCL"`, `"ESET"`, `"CUDESO"` in `threat/.../test-misp-sample-ndjson.log-expected.json`). **threat_attributes**: `misp.event.orgc_id` only; no `misp.orgc.name` in fixtures | **threat** has richer org creator context; **threat_attributes** reduces to org IDs |
+| External intel feed source (via provider) | general | organization | medium | Pipeline intent: `threat.indicator.provider` ← `misp.event.Orgc.name` when `Orgc.local == 'false'` (**threat** stream only). **threat_attributes** statically sets `provider: misp` | External org name mapping is broken in **threat** fixtures (see Gaps); **threat_attributes** never sets external provider name |
+
+Most OSINT-sourced documents have **no ECS `user.*` actor**; the creating organization under `misp.orgc.*` (or `misp.event.orgc_id`) is the primary actor proxy.
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? 
| Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| `user.email` | Event creator (reporting user) | yes (when `event_creator_email` present) | yes | high | `rename: misp.event.event_creator_email → user.email` in both pipelines; fixtures above |
+| `user.roles` | Creator role hint | yes (when email set) | partial | medium | Static append `"reporting_user"` — descriptive, not from MISP role API |
+| `misp.orgc.id` / `.name` / `.uuid` / `.local` | Creating organization | yes (**threat** only) | yes | high | `rename: misp.event.Orgc → misp.orgc`; CIRCL/ESET/CUDESO in threat expected fixtures |
+| `misp.event.orgc_id` | Creating org ID | yes | yes | high | Retained on both streams; sole org actor field on **threat_attributes** |
+| `organization.id` | Hosting MISP instance org | yes (**threat_attributes** only) | n/a | high | `rename: misp.event.org_id → organization.id`; `sample_event.json` / expected fixtures — scope context, not event creator |
+| `threat.indicator.provider` | External feed / publishing org name | yes | no | medium | **threat** pipeline sets from `Orgc.name` when `Orgc.local == 'false'`, but condition compares to string `'false'` while fixtures have boolean `local: false` — CIRCL/ESET events still show `provider: "misp"`. **threat_attributes** always `misp` |
+| `threat.feed.name` | Feed platform label | yes (static) | n/a | high | `set: "MISP"` — identifies feed, not a human actor |
+| Tag `user_id` (raw JSON) | Tag author | no | n/a | low | Present in raw `Tag[].user_id` (e.g. `"0"`) but stripped with `misp.tag` removal; not mapped to `user.id` |
+
+### Target (semantic)
+
+Each document is one MISP attribute (IOC), not an audited object change. 
Targets are **indicator observables** layered as follows:
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Platform / feed | Threat intel platform and feed identity | MISP / MISP feed | service | — | high | `threat.feed.name: "MISP"` (static, both pipelines); dashboards use `threat.indicator.provider` for feed breakdown | Layer 1 is the TI platform, not a cloud API target |
+| 2 — Event / case context | Parent MISP event the IOC belongs to | MISP event | general | threat_event | high | `misp.event.id`, `misp.event.info`, `misp.event.uuid`, `misp.event.threat_level_id` in fixtures (e.g. `"OSINT - New Arena Crysis Ransomware Variant Released"`, Nitro APT event) | Same event metadata on both streams; **threat_attributes** adds decay fields on attributes |
+| 3 — IOC observable | The attribute value acted upon for detection | varies by `misp.attribute.type` | host / user / service / general | file_artifact, registry_key, autonomous_system, untyped_text, … | high (typed IOCs); medium (unmapped types) | Pipeline maps `misp.attribute.type` → `threat.indicator.*`; examples below | **threat** prefers `misp.object.attribute` over outer attribute when object exists (`sample_event.json` sha256 from file object) |
+
+Layer 3 examples from fixtures:
+
+| `misp.attribute.type` | Classification | ECS / vendor evidence |
+| --- | --- | --- |
+| `ip-src`, `ip-dst`, `ip-dst\|port`, `domain\|ip` | host | `threat.indicator.ip` (e.g. `89.160.20.156`, `89.160.20.156\|2222`); `threat.indicator.url.domain` + `threat.indicator.ip` for `domain\|ip` |
+| `hostname`, `domain` | host | `threat.indicator.url.domain` (e.g. `xenserver.ddns.net`) |
+| `email-src`, `email-dst` | user | `threat.indicator.email.address` (e.g. 
`claudiobonadio88@gmail.com`, `lisa.cuddy@wind0ws.kz`) — IOC email, not audit principal |
+| `url`, `link`, `uri` | service | `threat.indicator.url.*` (e.g. `http://get.adobe.com/stats/...`, VirusTotal reference links) |
+| `md5`, `sha256`, `sha1`, `filename\|sha256` | general | file_artifact | `threat.indicator.file.hash.*`, `threat.indicator.file.name` (e.g. Dharma md5, Nitro sha256, `google_update_checker.js`) |
+| `regkey` | general | registry_key | `threat.indicator.registry.key` (e.g. `HKLM\SOFTWARE\Microsoft\Active`) |
+| `AS` | general | autonomous_system | `threat.indicator.as.number` (e.g. `48031` in **threat_attributes** fixture) |
+| `email-subject` | general | email_subject | `threat.indicator.email.subject` (e.g. `"Subject Payment"` — **threat_attributes** only) |
+| `text`, `comment` | general | untyped_indicator | `misp.attribute.value` retained when type not mapped (e.g. `"Nitro"` text attribute) |
+| `mutex`, `mime-type`, `cpe` | general | mutex / mime / software | Type set on **threat_attributes** pipeline only; value often remains vendor-only |
+
+`ip-src` vs `ip-dst` direction is **not preserved** — both map to `threat.indicator.ip`.
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? 
| Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| `threat.feed.name` | 1 | service | yes | n/a | context-only | no | Static `"MISP"`; feed identity, not `service.target.*` |
+| `threat.indicator.provider` | 1 | general (organization) | yes | no | context-only | no | Intended external org name; broken boolean/string check on **threat**; static `misp` on **threat_attributes** |
+| `misp.event.id` / `.info` / `.uuid` | 2 | general | yes | yes | context-only | no | Event case context in all fixtures |
+| `misp.object.name` / `.meta_category` | 2 | general | yes (**threat** when object present) | yes | context-only | no | File object context in `threat/sample_event.json` |
+| `threat.indicator.ip` | 3 | host | yes | partial | context-only | no | IOC IP/host observable; `ip-src`/`ip-dst` direction lost |
+| `threat.indicator.url.domain` | 3 | host | yes | yes | context-only | no | Domain/hostname IOCs |
+| `threat.indicator.port` | 3 | host | yes | yes | context-only | no | From `ip-*\|port` grok (e.g. 
port `2222`) |
+| `threat.indicator.email.address` | 3 | user | yes | partial | context-only | no | Email IOC value — threat observable, not audit `user.target.*` |
+| `threat.indicator.email.subject` | 3 | general | yes (**threat_attributes**) | yes | context-only | no | `email-subject` type |
+| `threat.indicator.url.full` / `.original` | 3 | service | yes | yes | context-only | no | URL/link/uri IOCs; defanged URL kept as-is (`hxxp://bad[.]example[.]com/...`) |
+| `threat.indicator.file.hash.*` / `.file.name` | 3 | general | yes | yes | context-only | no | Hash and filename IOCs |
+| `threat.indicator.registry.key` | 3 | general | yes | yes | context-only | no | `regkey` attributes |
+| `threat.indicator.as.number` | 3 | general | yes | yes | context-only | no | AS attributes |
+| `threat.indicator.mac` | 3 | host | yes (when type present) | yes | context-only | no | `mac-address` / `mac-eui-64` pipeline branches |
+| `threat.indicator.type` | 3 | — | yes | yes | context-only | no | ECS indicator type enum from MISP attribute type |
+| `misp.attribute.type` / `.uuid` / `.category` | 3 | — | yes | yes | context-only | no | Canonical vendor IOC metadata retained after value removal |
+| `misp.attribute.value` | 3 | varies | partial | yes | context-only | no | Removed when `threat.indicator.type` is set; retained for unmapped types (`text`, `comment`) |
+| `misp.context.attribute.*` | 3 | — | yes (**threat** with objects) | yes | context-only | no | Outer attribute kept as context when object attribute is primary |
+| `destination.user.*` / `destination.host.*` | — | — | no | n/a | n/a | no | Not used |
+| `user.target.*` / `host.target.*` / `service.target.*` | — | — | no | n/a | n/a | no | Not applicable for TI enrichment; audit CSV confirms `none` |
+
+### Gaps and mapping notes
+
+- **No true audit stream** — actor/target tables describe TI enrichment semantics only. MISP audit API (user logins, event edits) is out of scope for this package. 
+- **`event.action` gap** — no pipeline mapping and no vendor operation field in polled payloads. `misp.attribute.type` (IOC type) and `event.type: indicator` are **not** suitable substitutes for `event.action`; mapping them would conflate observable classification with audit verbs. No enhancement recommended unless a future stream ingests MISP audit logs.
+- **`threat.indicator.provider` bug** — **threat** pipeline checks `misp.event.Orgc.local == 'false'` (string) before rename; JSON fixtures use boolean `false`, so external org names (`CIRCL`, `ESET`) never replace `"misp"` in expected output despite `misp.orgc.local: false` and `misp.orgc.name` being present. **threat_attributes** has no external-provider logic at all.
+- **Actor org vs hosting org** — `misp.orgc.*` (creator) vs `organization.id` / `misp.event.org_id` (instance host on **threat_attributes**) are distinct; only creator org belongs in actor analysis. **threat** pipeline removes `misp.org` (hosting org) during cleanup.
+- **Tag `user_id` unmapped** — MISP tag author IDs are discarded with tag cleanup; no `user.id` or `related.user` enrichment.
+- **IOC email ≠ audit user target** — `email-src`/`email-dst` map to `threat.indicator.email.address` (threat observable). These are not de-facto `destination.user.*` targets and should not migrate to `user.target.*`.
+- **Direction loss on IP attributes** — `ip-src` and `ip-dst` both become `threat.indicator.ip` with no `source.*`/`destination.*` split; MISP directional semantics live only in `misp.attribute.type`.
+- **Unmapped attribute types** — `text`, `comment`, and some `email-message` types keep value under `misp.attribute.*` only; no ECS threat indicator fields.
+- **Stream differences** — **threat_attributes** adds decay metadata (`misp.attribute.decayed`, `decay_score`, `decayed_at`), `organization.id`, `email-subject`, defanged URL handling, and extra types (`mutex`, `mime-type`, `cpe`); lacks full `misp.orgc.*` on polled attribute payloads. 
+- **target-fields-audit alignment** — CSV row `ti_misp,none,false,...` matches: no ECS `*.target.*` population and no enhancement path for standard audit target buckets on IOC enrichment data.
+
+### Per-stream notes
+
+**threat (`ti_misp.threat`)** — Polls event-centric API responses from `/events/restSearch`. One document per attribute (object attribute preferred over standalone attribute when `misp.object` exists). Richest actor context via `misp.orgc.*` and optional `user.email`. No `event.action`; static ECS taxonomy only. Galaxy/tag metadata flattened to `tags` and `threat.indicator.marking.tlp`.
+
+**threat_attributes (`ti_misp.threat_attributes`)** — Polls `/attributes/restSearch` for granular attributes with decay/expiration lifecycle. Maps hosting org to `organization.id`. Supports active-IOC transform source labeling (`labels.is_ioc_transform_source`). Same IOC type → ECS mapping as **threat**, plus `email-subject` and defanged URL samples not present in **threat** fixtures. No `event.action`; decay scripts compute `misp.attribute.decayed` / `decayed_at` but do not index lifecycle verbs.
+
+## Example Event Graph
+
+These examples come from the **threat** and **threat_attributes** streams. Neither stream ingests MISP audit logs; documents are polled IOC enrichment snapshots (`event.kind: enrichment`, `event.type: indicator`). There is no indexed `event.action` — the action label below describes the ECS event class, not a console/API verb. 
+
+### Example 1: File hash IOC from object attribute
+
+**Stream:** `ti_misp.threat` · **Fixture:** `packages/ti_misp/data_stream/threat/sample_event.json`
+
+```
+Actor (user, admin@admin.test) → indicator enrichment → Target (file hash sha256)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | admin@admin.test |
+| name | admin@admin.test |
+| type | user |
+| sub_type | reporting_user |
+
+**Field sources:**
+
+- `id ← user.email` (renamed from `misp.event.event_creator_email`)
+- `name ← user.email`
+- `sub_type ← user.roles[0]` (static append `"reporting_user"` when email is set)
+
+Creating organization **ORGNAME** (`misp.orgc.id: 1`, `misp.orgc.uuid: 78acad2d-cc2d-4785-94d6-b428a0070488`) is also present as a secondary actor proxy.
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | indicator enrichment |
+| source_field | `event.kind` |
+| source_value | `enrichment` |
+
+**Not mapped to ECS `event.action` today** — `event.action` is absent from fixtures and pipelines; `event.kind` classifies the document as enrichment, not an audit operation verb. 
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee |
+| type | general |
+| sub_type | file_artifact |
+
+**Field sources:**
+
+- `id ← threat.indicator.file.hash.sha256` (from object attribute `misp.attribute.type: sha256`, preferred over outer `filename` attribute)
+- Parent event context: `misp.event.info` = `"Test event 3 objects and attributes"`, `misp.object.name` = `"file"`
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: admin@admin.test"] --> E["indicator enrichment"]
+ E --> T["Target: sha256 file IOC"]
+```
+
+### Example 2: OSINT domain|ip network indicator
+
+**Stream:** `ti_misp.threat` · **Fixture:** `packages/ti_misp/data_stream/threat/_dev/test/pipeline/test-misp-sample-ndjson.log-expected.json` (second expected event)
+
+```
+Actor (organization, CIRCL) → indicator enrichment → Target (host, your-ip.getmyip.com / 89.160.20.156)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | 55f6ea5e-2c60-40e5-964f-47a8950d210f |
+| name | CIRCL |
+| type | general |
+| sub_type | organization |
+
+**Field sources:**
+
+- `id ← misp.orgc.uuid`
+- `name ← misp.orgc.name`
+- `sub_type` inferred from creating-org semantics (`misp.orgc.local: false` — external publishing org)
+
+No `user.email` on this OSINT event; creating organization is the primary actor. 
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | indicator enrichment |
+| source_field | `event.kind` |
+| source_value | `enrichment` |
+
+**Not mapped to ECS `event.action` today.**
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 5bf30242-8ef4-4c52-a2d7-0b7b0a016219 |
+| name | your-ip.getmyip.com |
+| type | host |
+| ip | 89.160.20.156 |
+
+**Field sources:**
+
+- `id ← misp.attribute.uuid`
+- `name ← threat.indicator.url.domain` (from `misp.attribute.type: domain|ip`)
+- `ip ← threat.indicator.ip`
+- Event case context: `misp.event.info` = `"OSINT - New Arena Crysis Ransomware Variant Released"`
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: CIRCL"] --> E["indicator enrichment"]
+ E --> T["Target: your-ip.getmyip.com"]
+```
+
+### Example 3: Decayed URL reference link (attributes stream)
+
+**Stream:** `ti_misp.threat_attributes` · **Fixture:** `packages/ti_misp/data_stream/threat_attributes/sample_event.json`
+
+```
+Actor (organization, orgc_id 2) → indicator enrichment → Target (service, labs.opendns.com URL)
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | 2 |
+| type | general |
+| sub_type | organization |
+
+**Field sources:**
+
+- `id ← misp.event.orgc_id` (sole org creator field on **threat_attributes** — no `misp.orgc.name` in this fixture)
+- Hosting MISP instance org: `organization.id: 1` (scope context, not the publishing actor)
+
+No `user.email` on this fixture.
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | indicator enrichment |
+| source_field | `event.kind` |
+| source_value | `enrichment` |
+
+**Not mapped to ECS `event.action` today.** Decay state (`misp.attribute.decayed: true`, `decayed_at: 2014-10-08T07:14:05.000Z`) is lifecycle metadata, not an indexed action verb. 
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | 542e4cbd-ee78-4a57-bfb8-1fda950d210b |
+| name | labs.opendns.com |
+| type | service |
+
+**Field sources:**
+
+- `id ← misp.attribute.uuid`
+- `name ← threat.indicator.url.domain`
+- Full URL: `threat.indicator.url.full` = `http://labs.opendns.com/2014/10/02/opendns-and-bash/`
+- Event case context: `misp.event.info` = `"OSINT ShellShock scanning IPs from OpenDNS"`
+
+#### Mermaid
+
+```mermaid
+flowchart LR
+ A["Actor: orgc_id 2"] --> E["indicator enrichment"]
+ E --> T["Target: labs.opendns.com"]
+```
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (`policy_templates`, two `data_stream/` directories with Tier A fixtures and ingest pipelines). Router: **`data_stream.dataset`** (`ti_misp.threat`, `ti_misp.threat_attributes` per `sample_event.json` and dashboards). Secondary discriminator: **`misp.attribute.type`** for IOC target classification. Neither stream ingests MISP audit logs — documents are polled threat-indicator enrichment (`event.kind: enrichment`, `event.type: indicator`), not per-operation audit events. Pass 4 is **fill-gaps-only**: detection flags (`actor_exists`, `target_exists`, `action_exists`) run first for query semantics; **mapped columns use column-level preserve** (` IS NOT NULL`), not `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` — e.g. `entity.id` from org fallback must not block `user.id` from `user.email` when the creator email is set (Pass 4 §10). No ECS `*.target.*` at ingest today (`target-fields-audit`: `ti_misp,none`). **`event.action` is absent** on both streams — no event-action `EVAL` block. **`user.email` omitted** from actor `EVAL` (ingest-only; pipeline rename only). 
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `ti_misp.threat` | threat enrichment (events API) | user, general (organization) | host, user, service, general (IOC) | partial |
+| `ti_misp.threat_attributes` | threat enrichment (attributes API) | general (organization) | host, user, service, general (IOC) | partial |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.id` | `user.id` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes")` | high | **preserve existing** |
+| `user.id` | `user.email` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NOT NULL` | high | **vendor fallback** — creator email as id when `user.id` empty |
+| `user.name` | `user.name` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes")` | high | **preserve existing** |
+| `user.name` | `user.email` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NOT NULL` | high | **vendor fallback** — no separate name at ingest |
+| `user.email` | `misp.event.event_creator_email` → `user.email` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes")` | high | **ingest-only — no ES\|QL** — pipeline rename only; vendor field removed at ingest; **omit** — `CASE(…, user.email, …, user.email, null)` is identity no-op |
+| `entity.id` | `entity.id` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes")` | high | **preserve existing** |
+| `entity.id` | `misp.orgc.uuid` | `data_stream.dataset == "ti_misp.threat" AND user.email IS NULL` | high | **vendor fallback** — creating org (OSINT fixtures: CIRCL/ESET) |
+| `entity.id` | `misp.event.orgc_id` | `data_stream.dataset == "ti_misp.threat_attributes" AND 
user.email IS NULL` | high | **vendor fallback** — sole org creator field on attributes stream |
+| `entity.name` | `entity.name` | `data_stream.dataset == "ti_misp.threat"` | high | **preserve existing** |
+| `entity.name` | `misp.orgc.name` | `data_stream.dataset == "ti_misp.threat" AND user.email IS NULL` | high | **vendor fallback** |
+| `entity.type` | `entity.type` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes")` | high | **preserve existing** |
+| `entity.type` | `"organization"` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NULL` | medium | **semantic literal** — publishing org when no `user.email` |
+| `entity.sub_type` | `"reporting_user"` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NOT NULL` | medium | **semantic literal** — aligns with ingest `user.roles` |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `service.target.name` | `service.target.name` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes")` | high | **preserve existing** |
+| `service.target.name` | `threat.feed.name` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes")` | high | **vendor fallback** — static `"MISP"` (Layer 1 platform) |
+| `service.target.name` | `threat.indicator.url.domain` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("url", "link", "uri")` | high | **vendor fallback** — URL IOC endpoint (Pass 3 example 3) |
+| `host.target.ip` | `host.target.ip` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes")` | high | **preserve existing** |
+| `host.target.ip` | `threat.indicator.ip` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("ip-src", "ip-dst", "ip-dst\|port", "domain\|ip")` | high | 
**vendor fallback** — `ip-src`/`ip-dst` direction not preserved |
+| `host.target.name` | `host.target.name` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes")` | high | **preserve existing** |
+| `host.target.name` | `threat.indicator.url.domain` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("domain", "hostname", "domain\|ip")` | high | **vendor fallback** |
+| `host.target.port` | `threat.indicator.port` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type == "ip-dst\|port"` | high | **vendor fallback** — fixture port `2222` |
+| `user.target.email` | `user.target.email` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes")` | high | **preserve existing** |
+| `user.target.email` | `threat.indicator.email.address` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("email-src", "email-dst")` | high | **vendor fallback** — IOC email observable, not audit principal |
+| `entity.target.id` | `entity.target.id` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes")` | high | **preserve existing** |
+| `entity.target.id` | `threat.indicator.file.hash.sha256` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type == "sha256"` | high | **vendor fallback** |
+| `entity.target.id` | `threat.indicator.file.hash.md5` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type == "md5"` | high | **vendor fallback** |
+| `entity.target.id` | `threat.indicator.file.hash.sha1` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("sha1", "filename\|sha1")` | high | **vendor fallback** |
+| `entity.target.id` | `misp.attribute.uuid` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes")` | high | **vendor fallback** — 
default IOC id (Pass 3 `domain\|ip`, `link`) |
+| `entity.target.name` | `threat.indicator.registry.key` | `data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type == "regkey"` | high | **vendor fallback** |
+
+#### Event action mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| — | — | — | — | `event.action` absent; do not map `event.type` / `misp.attribute.type` as verbs (Pass 2) |
+
+### Detection flags (mandatory — run first)
+
+**Tuned predicate:** `actor_exists` **excludes `user.email`** — ingest maps `misp.event.event_creator_email` → `user.email` only (no `user.id` / `user.name`), so creator promotion must run when those columns are empty. `target_exists` uses standard `*.target.*` columns (unpopulated at ingest today). **Actor/target `EVAL` blocks use column-level preserve** (` IS NOT NULL`) — not `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` — so one populated sibling column does not block fallbacks on empty columns (Pass 4 §10).
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+**Semantics:** `actor_exists` / `target_exists` / `action_exists` are query-time helpers only. Mapped columns use **column-level** `CASE( IS NOT NULL, , …)` — not `CASE(actor_exists, user.id, user.email, null)` (4 args — `user.email` is a **condition**, not a value) or `CASE(actor_exists, user.id, …)` when `entity.id` alone satisfies the flag. 
+
+### Combined ES|QL — actor fields
+
+**ES|QL `CASE` arity:** Arguments are **(condition, value)** pairs; odd count → last arg is default. Use **5-arg** `CASE(user.id IS NOT NULL, user.id, data_stream.dataset IN (…) AND user.email IS NOT NULL, user.email, null)` — not **4-arg** `CASE(actor_exists, user.id, user.email, null)` or `CASE(user.id IS NOT NULL, user.id, user.email, null)` (3rd arg `user.email` is a **condition**, not a value).
+
+Omitted from actor `EVAL` (ingest-only — no alternate query-time source): `user.email` (`misp.event.event_creator_email` renamed at ingest; no `CASE(…, user.email, …, user.email, null)`).
+
+```esql
+| EVAL
+ user.id = CASE(
+ user.id IS NOT NULL, user.id,
+ data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NOT NULL, user.email,
+ null
+ ),
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NOT NULL, user.email,
+ null
+ ),
+ entity.id = CASE(
+ entity.id IS NOT NULL, entity.id,
+ data_stream.dataset == "ti_misp.threat" AND user.email IS NULL AND misp.orgc.uuid IS NOT NULL, misp.orgc.uuid,
+ data_stream.dataset == "ti_misp.threat_attributes" AND user.email IS NULL AND misp.event.orgc_id IS NOT NULL, TO_STRING(misp.event.orgc_id),
+ null
+ ),
+ entity.name = CASE(
+ entity.name IS NOT NULL, entity.name,
+ data_stream.dataset == "ti_misp.threat" AND user.email IS NULL AND misp.orgc.name IS NOT NULL, misp.orgc.name,
+ null
+ ),
+ entity.type = CASE(
+ entity.type IS NOT NULL, entity.type,
+ data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NOT NULL, "user",
+ data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NULL, "organization",
+ null
+ ),
+ entity.sub_type = CASE(
+ entity.sub_type IS NOT NULL, entity.sub_type,
+ data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NOT NULL, 
"reporting_user", + null + ) +``` + +### Combined ES|QL — event action + +Not produced — `event.action` is absent from fixtures and pipelines on both streams; `event.type: indicator` and `misp.attribute.type` classify IOC shape, not audit verbs (Pass 2). + +### Combined ES|QL — target fields + +```esql +| EVAL + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("url", "link", "uri") AND threat.indicator.url.domain IS NOT NULL, threat.indicator.url.domain, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND threat.feed.name IS NOT NULL, threat.feed.name, + null + ), + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("ip-src", "ip-dst", "ip-dst|port", "domain|ip") AND threat.indicator.ip IS NOT NULL, threat.indicator.ip, + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("domain", "hostname", "domain|ip") AND threat.indicator.url.domain IS NOT NULL, threat.indicator.url.domain, + null + ), + host.target.port = CASE( + host.target.port IS NOT NULL, host.target.port, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type == "ip-dst|port" AND threat.indicator.port IS NOT NULL, threat.indicator.port, + null + ), + user.target.email = CASE( + user.target.email IS NOT NULL, user.target.email, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("email-src", "email-dst") AND threat.indicator.email.address IS NOT NULL, threat.indicator.email.address, + null + ), + entity.target.id = CASE( + entity.target.id IS NOT NULL, entity.target.id, + data_stream.dataset IN 
("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type == "sha256" AND threat.indicator.file.hash.sha256 IS NOT NULL, threat.indicator.file.hash.sha256, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type == "md5" AND threat.indicator.file.hash.md5 IS NOT NULL, threat.indicator.file.hash.md5, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("sha1", "filename|sha1") AND threat.indicator.file.hash.sha1 IS NOT NULL, threat.indicator.file.hash.sha1, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.uuid IS NOT NULL, misp.attribute.uuid, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type == "regkey" AND threat.indicator.registry.key IS NOT NULL, threat.indicator.registry.key, + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("ip-src", "ip-dst", "ip-dst|port", "domain|ip", "hostname", "domain"), "host", + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("email-src", "email-dst"), "user", + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("url", "link", "uri"), "service", + data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("md5", "sha256", "sha1", "filename|sha256", "filename|sha1", "regkey"), "general", + null + ) +``` + +### Full pipeline fragment (optional) + +```esql +FROM logs-* +| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL + OR entity.id IS NOT NULL OR entity.name IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR 
user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ user.id = CASE(user.id IS NOT NULL, user.id, data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NOT NULL, user.email, null),
+ user.name = CASE(user.name IS NOT NULL, user.name, data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NOT NULL, user.email, null),
+ entity.id = CASE(entity.id IS NOT NULL, entity.id, data_stream.dataset == "ti_misp.threat" AND user.email IS NULL AND misp.orgc.uuid IS NOT NULL, misp.orgc.uuid, data_stream.dataset == "ti_misp.threat_attributes" AND user.email IS NULL AND misp.event.orgc_id IS NOT NULL, TO_STRING(misp.event.orgc_id), null),
+ entity.name = CASE(entity.name IS NOT NULL, entity.name, data_stream.dataset == "ti_misp.threat" AND user.email IS NULL AND misp.orgc.name IS NOT NULL, misp.orgc.name, null),
+ entity.type = CASE(entity.type IS NOT NULL, entity.type, data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NOT NULL, "user", data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NULL, "organization", null),
+ entity.sub_type = CASE(entity.sub_type IS NOT NULL, entity.sub_type, data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND user.email IS NOT NULL, "reporting_user", null)
+| EVAL
+ service.target.name = CASE(service.target.name IS NOT NULL, service.target.name, data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("url", "link", "uri") AND threat.indicator.url.domain IS NOT NULL, threat.indicator.url.domain, data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND threat.feed.name IS 
NOT NULL, threat.feed.name, null), + host.target.ip = CASE(host.target.ip IS NOT NULL, host.target.ip, data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("ip-src", "ip-dst", "ip-dst|port", "domain|ip") AND threat.indicator.ip IS NOT NULL, threat.indicator.ip, null), + host.target.name = CASE(host.target.name IS NOT NULL, host.target.name, data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("domain", "hostname", "domain|ip") AND threat.indicator.url.domain IS NOT NULL, threat.indicator.url.domain, null), + host.target.port = CASE(host.target.port IS NOT NULL, host.target.port, data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type == "ip-dst|port" AND threat.indicator.port IS NOT NULL, threat.indicator.port, null), + user.target.email = CASE(user.target.email IS NOT NULL, user.target.email, data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("email-src", "email-dst") AND threat.indicator.email.address IS NOT NULL, threat.indicator.email.address, null), + entity.target.id = CASE(entity.target.id IS NOT NULL, entity.target.id, data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type == "sha256" AND threat.indicator.file.hash.sha256 IS NOT NULL, threat.indicator.file.hash.sha256, data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type == "md5" AND threat.indicator.file.hash.md5 IS NOT NULL, threat.indicator.file.hash.md5, data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("sha1", "filename|sha1") AND threat.indicator.file.hash.sha1 IS NOT NULL, threat.indicator.file.hash.sha1, data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.uuid IS NOT NULL, misp.attribute.uuid, null), + entity.target.name = CASE(entity.target.name IS NOT 
NULL, entity.target.name, data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type == "regkey" AND threat.indicator.registry.key IS NOT NULL, threat.indicator.registry.key, null), + entity.target.type = CASE(entity.target.type IS NOT NULL, entity.target.type, data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("ip-src", "ip-dst", "ip-dst|port", "domain|ip", "hostname", "domain"), "host", data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("email-src", "email-dst"), "user", data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("url", "link", "uri"), "service", data_stream.dataset IN ("ti_misp.threat", "ti_misp.threat_attributes") AND misp.attribute.type IN ("md5", "sha256", "sha1", "filename|sha256", "filename|sha1", "regkey"), "general", null) +| KEEP @timestamp, data_stream.dataset, misp.attribute.type, user.email, user.id, entity.id, entity.name, entity.type, host.target.ip, host.target.name, entity.target.id, service.target.name +``` + +### Streams excluded + +*(none — both streams use partial TI enrichment extraction above)* + +### Gaps and limitations + +- **No MISP audit API** — console logins and event edits are out of scope; no `event.action` block. +- **`threat.indicator.provider` bug** — external org names may not replace `"misp"` due to boolean/string comparison; do not use as actor source until fixed. +- **`organization.id`** on **threat_attributes** — hosting instance org, not publishing actor; excluded from actor mapping. +- **Unmapped attribute types** (`text`, `comment`, `mutex`, `mime-type`, `cpe`) — value under `misp.attribute.*` only; typed target columns omitted. +- **IOC email ≠ audit user target** — `user.target.email` is threat-observable semantics (Pass 2/3), not IAM acted-upon user. 
+- **`ip-src` / `ip-dst` direction** — both map to `threat.indicator.ip`; ES|QL cannot restore MISP directional semantics. +- **Pass 2 alignment** — ingest-time `*.target.*` promotion from `threat.indicator.*` remains preferred; Pass 4 fills gaps without overwriting populated values. +- **Pass 4 tautology cleanup (§10)** — `user.email` omitted from actor `EVAL` (ingest-only; pipeline rename, no query-time vendor path); `user.id` / `user.name` fallbacks use `user.email` only when those columns are empty; no `CASE(col, col, …)` identity branches on mapped columns. +- **Pass 4 CASE syntax** — all `CASE` in actor/target blocks use column-level **5-arg** / **7-arg** / **9-arg** preserve (` IS NOT NULL`, not `CASE(actor_exists, , …)` or `CASE(target_exists, , …)`). Never **4-arg** `CASE(actor_exists, col, bare_field, null)` or `CASE(col IS NOT NULL, col, bare_field, null)` (bare field parses as a **condition**). Full pipeline fragment aligned with combined `EVAL` blocks. Detection flags are helpers only. diff --git a/dev/domain/p1/wiz.md b/dev/domain/p1/wiz.md new file mode 100644 index 00000000000..f85419ec770 --- /dev/null +++ b/dev/domain/p1/wiz.md 
@@ -0,0 +1,628 @@ +# wiz + +## Product Domain + +Wiz is a cloud-native application protection platform (CNAPP) that provides unified cloud security across multi-cloud and Kubernetes environments. Rather than treating misconfigurations, vulnerabilities, identities, secrets, network exposure, and runtime threats as separate silos, Wiz builds a security graph that correlates these risk factors to produce a prioritized view of what matters most in the cloud estate. The platform supports AWS, Azure, GCP, and Kubernetes workloads, and is widely used for cloud security posture management (CSPM), cloud workload protection (CWPP), and cloud detection and response (CDR). + +Core capabilities span several domains. **Cloud Security Posture Management (CSPM)** evaluates cloud resources against configuration rules and compliance frameworks, surfacing misconfigurations with remediation guidance. **Cloud Vulnerability Management (CNVM)** identifies package- and image-level CVEs on VMs, containers, and serverless assets, enriched with CVSS, EPSS, exploitability, and exposure context. **Issues** represent active, prioritized risks in the environment—aggregating findings from controls, runtime detections, and graph-based analysis into trackable work items with severity, status, and project scope. **Wiz Defend** provides runtime threat detection using Wiz Sensor telemetry, cloud activity, and the security graph to alert on techniques such as defense evasion, privilege escalation, and C2 activity, mapped to MITRE ATT&CK. **Audit logs** record platform activity including logins and mutation API calls within the Wiz portal. + +From a security operations perspective, Wiz is a primary source of cloud risk and threat intelligence. Teams use it for misconfiguration remediation workflows, vulnerability prioritization based on runtime validation and internet exposure, incident triage on active issues, and real-time detection correlation via Defend webhooks. 
The Elastic Wiz integration ingests these signals into Elastic Security for unified search, dashboards, and CDR/misconfiguration/vulnerability workflows. + +## Data Collected (brief) + +The integration collects six data streams from Wiz via **CEL/GraphQL API** (OAuth service account) or **HTTP Endpoint** (Defend webhooks): + +| Data stream | Description | +|---|---| +| **audit** (`wiz.audit`) | Platform audit events—logins, mutation API calls, service account actions, user/service account identity, scopes, source IP, and outcome | +| **issue** (`wiz.issue`) | Active cloud risks—severity, status, affected entity snapshot (resource type, cloud platform, subscription), source rules, projects, notes, and service ticket links | +| **vulnerability** (`wiz.vulnerability`) | CVE findings on cloud assets—CVSS/EPSS scores, package and fixed version, detection method, vulnerable asset context (exposure, OS, IPs), and remediation guidance | +| **cloud_configuration_finding** (`wiz.cloud_configuration_finding`) | CSPM rule evaluation results for changed/non-passing resources—rule metadata, pass/fail outcome, resource identity, and evidence | +| **cloud_configuration_finding_full_posture** (`wiz.cloud_configuration_finding_full_posture`) | Full posture snapshot of all cloud configuration rule results across the estate | +| **defend** (`wiz.defend`) | Real-time runtime detections via webhook—MITRE tactics/techniques, triggering events, process trees, container/Kubernetes context, actor IP with reputation, and affected cloud resources | + +Events are normalized to ECS where applicable (cloud, resource, rule, vulnerability, threat fields) with vendor details under `wiz..*`. Elasticsearch transforms deduplicate latest misconfiguration and vulnerability findings for Elastic Security CDR views. 
+ +## Expected Audit Log Entities + +Only **`audit`** (`wiz.audit`) is a true platform audit log: Wiz portal logins and mutation GraphQL/API actions with outcome, request ID, and identity context. The other five streams are audit-adjacent — aggregated risk state (**issue**), CVE findings (**vulnerability**), CSPM rule results (**cloud_configuration_finding**, **cloud_configuration_finding_full_posture**), and runtime detections (**defend**) — but actor/target semantics still matter for entity analytics and CDR correlation. No stream populates ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*`; no `destination.user.*` / `destination.host.*` in pipelines (`destination_identity_hits.csv` has no wiz row). The target-fields audit classifies wiz as **`moderate_candidate`** with `pipeline_actor=true`, `fixture_strong=true`, and no ECS target tier-A mapping (`dev/target-fields-audit/out/target_enhancement_packages.csv`). + +**`event.action` is populated on two of six streams** — **`audit`** (portal/API operation from `json.action`) and **`defend`** (detection lifecycle from `trigger.type`). The four finding/inventory streams record state or evaluation outcomes without a mapped per-event verb; vendor fields below are action candidates. + +Evidence: `packages/wiz/data_stream/*/sample_event.json`, `*/_dev/test/pipeline/*-expected.json`, `*/elasticsearch/ingest_pipeline/default.yml`, `*/fields/fields.yml`. 
+ +### Event action (semantic) + +| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | +| `user-login` / `login` | authentication | high | `test-audit.log-expected.json`: `event.action: user-login` from vendor `" user Login"`; `sample_event.json`: `login` from `"Login"` | **`audit`** — portal OAuth/interactive login; pipeline lowercases and hyphenates whitespace | +| `created` | detection | high | `test-defend.json-expected.json`: `event.action: created` from `trigger.type: Created` | **`defend`** — new runtime detection alert; not the underlying process technique | +| *(no per-event verb)* | — | high | No `event.action` in issue/vulnerability/CSPM fixtures or pipelines | **`issue`**, **`vulnerability`**, **`cloud_configuration_finding`**, **`cloud_configuration_finding_full_posture`** — state/inventory sync (`event.kind: event`, `alert`, or `state`); action candidates are finding type, status, or rule outcome (see ECS candidates) | + +Mutation API audit actions beyond `Login` are implied by `wiz.audit.action` and OAuth `action_parameters.scopes` (e.g. `admin:audit`, `read:issues`) but no non-login audit fixtures exist in the package today. + +### Event action (ECS candidates) + +| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | +| `json.action` → `event.action` | yes | yes | `user-login`, `login` | no | `audit/default.yml` trim/lowercase/split/join L56–75; original retained in `wiz.audit.action` L81–84 | +| `wiz.audit.action` | no (vendor-only) | n/a | ` user Login`, `Login` | no | Canonical vendor string after pipeline removes intermediate copy | +| `wiz.defend.trigger.type` → `event.action` | yes | yes | `created` | no | `defend/default.yml` rename L371–375, copy L376–380, lowercase/split/join L381–399 | +| `wiz.issue.type` | no | n/a | `THREAT_DETECTION` | yes | `issue/default.yml` rename L404–406; fixture `test-issue.log-expected.json` — issue category, not a verb | +| `wiz.issue.status.value` | no | n/a | `IN_PROGRESS` | partial | Finding workflow state; alternate to `type` if action must reflect status | +| `wiz.vulnerability.status` | no | n/a | `OPEN` | partial | `vulnerability/default.yml` rename L380–382; finding lifecycle state, not scanner operation | +| `wiz.vulnerability.detection_method` | no | n/a | `PACKAGE` | partial | Rename L157–158; describes how CVE was found, not an event verb | +| `wiz.cloud_configuration_finding.result` → `result.evaluation` | no | n/a | `failed` (from vendor `FAIL`) | yes | CSPM pipeline L274–295 maps PASS/FAIL to `result.evaluation`; rule check outcome, not `event.action` today | +| `rule.id` / `rule.name` | no | n/a | `Pod-32`, rule UUID | partial | Identifies which control was evaluated — complements outcome, not a substitute for action | +| `event.type` / `event.category` / `event.outcome` | n/a (downstream) | partial | e.g. `authentication`, `configuration`, `vulnerability`, `threat` | no | Derived categories/outcomes; do not replace `event.action` | + +**Step 2b — per-stream check:** + +| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? 
| Primary action candidate | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `audit` | yes | yes | `json.action` → normalize → `event.action` | high | `audit/default.yml` L56–75; `test-audit.log-expected.json`, `sample_event.json` | +| `defend` | yes | yes | `wiz.defend.trigger.type` → `event.action` | high | `defend/default.yml` L371–399; `test-defend.json-expected.json` | +| `issue` | no | no | `wiz.issue.type` (`THREAT_DETECTION`) | medium | `issue/default.yml` L404–406; `test-issue.log-expected.json` | +| `vulnerability` | no | no | `wiz.vulnerability.detection_method` or omit (state stream) | low | No pipeline `event.action`; `test-vulnerability.log-expected.json` has `status: OPEN`, `detection_method: PACKAGE` | +| `cloud_configuration_finding` | no | no | `result.evaluation` (`failed`/`passed`) or `rule.id` | medium | `cloud_configuration_finding/default.yml` L274–295; `test-cloud-configuration-finding.log-expected.json` | +| `cloud_configuration_finding_full_posture` | no | no | Same as incremental CSPM | medium | Shared pipeline semantics; `test-cloud-configuration-finding-full-posture.log-expected.json` | + +### Actor (semantic) + +| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | +| Portal interactive user | user | — | high | `json.user.id`/`name` → `user.id`/`user.name` (`audit/default.yml`); `test-audit.log-expected.json`: `admin11` / `123abc` | **`audit`** — canonical human actor when `user` object present | +| OAuth / service-account principal | user | service_account | high | `wiz.audit.service_account.id`/`name`; `action_parameters.user.id` + scopes in `related.user`; `sample_event.json` Login with `serviceAccount.name=elastic`, empty ECS `user.*` | **`audit`** — API/OAuth login when `user` is null; identity stays vendor-only or in `related.user` | +| Client source IP | host | — | medium | `sourceIP` → `source.ip` + `related.ip` 
(`audit/default.yml`); null in `sample_event.json` Login fixture | **`audit`** — network origin of portal/API session | +| Issue note author | user | — | low | `notes[].user.name`/`email` appended to `related.user` only (`issue/default.yml`); `test-issue.log-expected.json`: `admin`, `root` | **`issue`** — remediation commenter, not actor of underlying detection | +| Wiz CNVM scanner | service | — | high | `observer.vendor: Wiz` set statically (`vulnerability/default.yml`) | **`vulnerability`** — automated scanner; no human/cloud-principal caller | +| Wiz CSPM evaluator | service | — | high | `observer.vendor: Wiz` set statically (`cloud_configuration_finding*/default.yml`) | **`cloud_configuration_finding`**, **`cloud_configuration_finding_full_posture`** — automated rule evaluation | +| Runtime triggering actor | user / general | process, service_account | high | `triggering_event.actor.id`/`name` → `user.id`/`user.name`; type `Process` in `test-defend.json-expected.json` (`Test Actor`) | **`defend`** — immediate runtime/cloud identity tied to triggering event | +| Primary cloud identity (Defend) | user | service_account | high | `wiz.defend.primary_actor.*` vendor-only; Entra ID SP with email in `related.user` (`test-defend.json-expected.json`: `test-actor@wiz.io`) | **`defend`** — graph-level primary actor; richer than ECS `user.*` | +| Process-tree OS user | user | — | medium | `runtime_details.process_tree[].username`/`user_id` → `related.user` (`defend/default.yml`); fixture: `root`, `0` | **`defend`** — local/container OS identity in process tree | +| Assumed IAM role (acting-as) | user | assumed_role | medium | `wiz.defend.triggering_event.actor.acting_as.*` vendor-only; `IAMRole` / `AssumedRole` in pipeline test | **`defend`** — cloud role context for triggering actor | + +**No actor identity:** **`issue`** (underlying risk state), **`vulnerability`**, **`cloud_configuration_finding`**, **`cloud_configuration_finding_full_posture`** — no acting user or 
cloud principal in schema or fixtures. Evaluated cloud identities (e.g. AWS root) are **targets**, not actors. + +### Actor (ECS candidates) + +| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `user.id` | Portal user; Defend triggering actor | yes (stream-dependent) | yes (audit user login, defend actor); no (CSPM USER_ACCOUNT — see Gaps) | high | Audit: `json.user.id` copy; Defend: `triggering_event.actor.id` copy | +| `user.name` | Portal user; Defend triggering actor | yes (stream-dependent) | yes (audit, defend); no (CSPM USER_ACCOUNT resource name) | high | Same pipeline sources as `user.id` | +| `source.ip` | Audit client IP | yes | yes | high | `json.sourceIP` → `wiz.audit.source_ip` → `source.ip` | +| `user_agent.*` | Audit browser/client | yes | yes | high | `json.userAgent` → `user_agent` processor | +| `related.user` | OAuth IDs, note authors, Defend actors | yes | partial | high | Audit appends user id/name, OAuth userID/userpoolID/email; issue notes; defend primary + triggering + process-tree users — conflates actor and target contexts | +| `source.geo` / `source.as.*` | Defend actor IP enrichment | yes | partial | high | `triggering_event.actorIP` geoip → `source.geo`; ASN org → `source.as` — **not** copied to `source.ip` | +| `related.ip` | Audit source IP; asset IPs; Defend actor/subject IPs | yes | yes (context) | high | Audit `sourceIP`; vulnerability asset IPs; defend `actorIP` + `subject_resource_ip` | +| `observer.vendor` | Scanner/evaluator identity | yes | yes (context) | high | Static `Wiz` on vulnerability and CSPM streams | +| `wiz.audit.service_account.*` | OAuth/service-account actor | no (vendor-only) | n/a | high | `json.serviceAccount` rename; not promoted to ECS `user.*` when `user` null | +| `wiz.audit.action_parameters.*` | OAuth client, scopes, userpool | no (vendor-only) | n/a | high | Scopes (`read:issues`, `admin:audit`) imply API surface accessed 
| +| `wiz.defend.primary_actor.*` | Graph primary identity | no (vendor-only) | n/a | high | Entra SP email/name/id; only `related.user` overlap | +| `wiz.defend.triggering_event.actor.acting_as.*` | Assumed-role context | no (vendor-only) | n/a | medium | `IAMRole` in defend pipeline test | +| `cloud.account.id` / `cloud.region` | Tenancy scope | yes | yes (scope) | high | CSPM/vulnerability subscription and region fields — not actors | + +### Target (semantic) + +| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | --- | --- | +| 1 — Platform / cloud service | Invoked SaaS or cloud platform | Wiz portal/API; EKS/Azure K8s | service | — | high (audit); medium (CSPM) | Audit: `event.action=login`, `event.category=authentication`; CSPM: `cloud.service.name` from `resource.cloudPlatform` (e.g. `eks`) | **`audit`** login targets Wiz session; **`cloud_configuration_finding*`** Layer 1 from cloud platform field | +| 2 — Resource / object | Cloud asset under assessment or attack | VM, Pod, container, IAM root, ClusterRole | host / user / general | cloud_resource, container_workload, iam_identity | high | `resource.*`/`host.*` (CSPM, vulnerability); `wiz.issue.entity_snapshot.*`; `wiz.defend.primary_resource.*` | Type-dependent mapping by stream (see Per-stream notes) | +| 3 — Content / artifact | Finding instance, API call, process/file | CVE+package; CSPM rule; process binary | general | cve_finding, cspm_rule, api_request, process_file | high | `vulnerability.*`/`package.*`; `rule.*` (IAM-006, Pod-32); `http.request.id`; defend process tree → `related.hash` | Layer 3 is the finding/detection artifact on Layer 2 asset | + +### Target (ECS candidates) + +| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `cloud.service.name` | 1 | service | yes (CSPM) | yes | `service.target.name` | yes | `resource.cloudPlatform` lowercase → `cloud.service.name: eks` in CSPM fixtures | +| `http.request.id` | 3 | general | yes | yes (correlation id) | context-only | no | Audit `requestId` copy; tracks API call, not business object | +| `wiz.audit.action` / `action_parameters.scopes` | 2 | general | no | n/a | context-only | no | Mutation API target classes implied by scopes; no object ID in fixtures | +| `wiz.issue.entity_snapshot.*` | 2 | general | no | n/a | `entity.target.*` | yes | `ACCESS_ROLE`/`ClusterRole` in `test-issue.log-expected.json`; only `cloud.*`/`url.*` promoted | +| `resource.id` / `resource.name` / `resource.type` | 2 | general | yes (CSPM, vulnerability) | yes | `entity.target.*` | yes | CSPM POD/VM/USER_ACCOUNT; vulnerability provider ARN | +| `host.name` | 2 | host | yes | yes | `host.target.name` | yes | VM assets: CSPM + vulnerability (`test-4` in vulnerability fixture) | +| `device.id` | 2 | host | yes | yes | `host.target.id` | yes | Vulnerability `vulnerable_asset.id` → `device.id` | +| `container.image.name` | 2 | general | yes | yes | `entity.target.name` | yes | When `vulnerable_asset.type=CONTAINER_IMAGE` | +| `user.id` / `user.name` (CSPM USER_ACCOUNT) | 2 | user | yes | **no** | `user.target.*` | yes | AWS root `arn:aws:iam::998231069301:root` mapped to `user.*` — evaluated **target** identity, not actor | +| `vulnerability.id` / `package.*` | 3 | general | yes | yes | context-only | no | CVE and affected package on Layer 2 asset | +| `rule.id` / `rule.name` | 3 | general | yes | yes | context-only | no | CSPM controls (Pod-32, IAM-006); Defend trigger rule | +| `wiz.defend.primary_resource.*` | 2 | general | no | n/a | `entity.target.*` | yes | CONTAINER + K8s/EKS metadata in defend fixture; no ECS `resource.*` | +| `wiz.defend.triggering_event.resources[]` | 2 | general | no | n/a | 
`entity.target.*` | yes | Same container workload as primary resource | +| `wiz.defend.triggering_event.runtime_details.process_tree[]` | 3 | general | no | n/a | context-only | no | `/usr/bin/touch`, hash in `related.hash` | +| `wiz.cloud_configuration_finding*.evidence.*` | 3 | general | partial | yes | context-only | no | Config path/current/expected values → `result.evidence.*` | +| `targetExternalId` / `targetObjectProviderUniqueId` | 2 | general | no | n/a | `entity.target.id` | yes | Present in full-posture `event.original`; not mapped to ECS | +| `destination.ip` | 2 | host | partial | partial | `host.target.ip` | yes | Defend pipeline maps `subjectResourceIp` → `destination.ip`; not in current defend test fixture | + +### Gaps and mapping notes + +- **`event.action` gaps on four streams** — `issue`, `vulnerability`, and both CSPM streams have vendor fields naming finding type, status, or rule outcome but no `event.action` mapping; recommended primary candidates per stream in Step 2b table above. +- **No ECS `*.target.*` today** — richest target identity lives under `wiz.*` vendor fields (`entity_snapshot`, `primary_resource`, CSPM `resource.*`) or generic `resource.*`/`host.*`. Enhancement: promote typed targets to `entity.target.*`, `host.target.*`, or `user.target.*` by `resource.type`. +- **CSPM `USER_ACCOUNT` → `user.*` is actor/target conflation** — pipeline copies evaluated IAM root/account to `user.id`/`user.name` (`set_user_id_if_user_account`); semantically a **Layer 2 user target**, not the scanner actor. Should map to `user.target.*`. +- **Audit OAuth login without `user` object** — ECS `user.*` empty while `related.user` holds OAuth userID + userpoolID; canonical actor identity split across vendor (`service_account.*`) and `related.user`. +- **`related.user` mixes roles** — audit OAuth IDs, issue note authors, defend primary + triggering + process-tree identities in one bag without actor/target distinction. 
+- **Defend actor IP not in `source.ip`** — geo/ASN enrichment under `source.geo`/`source.as` only; `actorIP` also in `related.ip`. `destination.ip` from `subjectResourceIp` is a de-facto **target host IP** candidate but absent from test fixture. +- **Issue stream: no ECS resource mapping** — `entity_snapshot.provider_id`/`external_id` stay vendor-only; only `cloud.provider`/`cloud.region` and parsed `url.*` promoted. +- **No `destination.user.*` / `destination.host.*`** — wiz not in `destination_identity_hits.csv`; only defend sets `destination.ip` (subject resource). +- **Target-fields audit alignment** — `moderate_candidate`: strong vendor targets and audit actor pipeline mappings (`pipeline_actor=true`, `fixture_strong=true`), but no tier-A ECS target fields. + +### Per-stream notes + +#### `audit` + +True platform audit. **`event.action`**: `json.action` normalized to `user-login`/`login` (`authentication` category when action contains `Login`). Actor: interactive `user.*` when present; OAuth/service-account logins use `wiz.audit.service_account.*` + `action_parameters.*` with `related.user` fallback. Target Layer 1: Wiz portal/API session. No explicit Layer 2 object ID in login fixtures; mutation actions implied by `wiz.audit.action` and OAuth scopes. + +#### `issue` + +Aggregated risk/issue state (`event.kind: event`). **No `event.action`**; candidate `wiz.issue.type: THREAT_DETECTION`. No event actor. Layer 2 target: `wiz.issue.entity_snapshot.*` (e.g. `ACCESS_ROLE` / `ClusterRole`). Note authors in `related.user` only. Contributing sensor rules under `wiz.issue.source_rules[]` (`source_type: WIZ_SENSOR`). + +#### `vulnerability` + +CNVM finding alert (`event.kind: alert`). **No `event.action`**; finding state in `wiz.vulnerability.status` (`OPEN`). Actor: Wiz scanner (`observer.vendor`). Layer 2: `vulnerable_asset` → `resource.*`, `host.name` (VM), `container.image.name` (image), `device.id`, `cloud.*`. 
Layer 3: CVE (`vulnerability.id`), package (`package.name`/`version`). + +#### `cloud_configuration_finding` + +Incremental CSPM rule results (`event.kind: state`). **No `event.action`**; rule outcome in `result.evaluation` (`failed`/`passed` from vendor `FAIL`/`PASS`). Actor: Wiz evaluator. Layer 1: `cloud.service.name` from platform. Layer 2: evaluated resource by type — POD/VM/USER_ACCOUNT → `resource.*` + conditional `host.name` or mis-mapped `user.*`. Layer 3: failing/passing rule (`rule.id`, `result.evaluation`). + +#### `cloud_configuration_finding_full_posture` + +Full posture snapshot; same pipeline semantics as incremental CSPM. **No `event.action`**. Raw originals include `targetExternalId`/`targetObjectProviderUniqueId` not mapped to ECS. Inventory/state semantics — no acting user. + +#### `defend` + +Runtime detection webhook alert (`event.kind: alert`). **`event.action`**: `created` from `trigger.type`. Actor: `triggering_event.actor` → ECS `user.*`; richer `primary_actor` vendor-only. Layer 2: `primary_resource` + `triggering_event.resources[]` (container/K8s) — vendor-only. Layer 3: process tree artifacts, Defend trigger `rule.*`, MITRE `threat.tactic.*`/`technique.*`. Optional `destination.ip` for subject resource IP when present in payload. + +## Example Event Graph + +Examples below come from **`audit`** (true platform audit log), **`defend`** (runtime detection webhook), and **`cloud_configuration_finding`** (CSPM state sync — audit-adjacent). Only `audit` and `defend` populate ECS `event.action` today; the CSPM example derives action from `result.evaluation`. 
+ +### Example 1: Portal interactive user login + +**Stream:** `wiz.audit` · **Fixture:** `packages/wiz/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json` + +``` +Portal user admin11 → user-login → Wiz (service) +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | 123abc | +| name | admin11 | +| type | user | + +**Field sources:** +- `id` ← `user.id` +- `name` ← `user.name` + +#### Event action + +| Field | Value | +| --- | --- | +| action | user-login | +| source_field | `event.action` | +| source_value | user-login | + +#### Target + +| Field | Value | +| --- | --- | +| name | Wiz | +| type | service | + +**Field sources:** +- `name` ← semantic — SaaS platform being authenticated to; **not indexed** in fixture (`cloud.service.name` absent; `event.category: authentication`) +- `type` ← service — authentication target is the Wiz portal/API, not the user account + +**Scope context (not target):** service account `op-us` (`wiz.audit.service_account.name`), request ID `8f7fa6bd-ce32-4f11-91b4-a0377438561e` (`http.request.id`, `event.id`). + +#### Mermaid (optional) + +```mermaid +flowchart LR + A["Actor: admin11"] --> E["user-login"] + E --> T["Target: Wiz"] +``` + +### Example 2: Runtime timestomping on container + +**Stream:** `wiz.defend` · **Fixture:** `packages/wiz/data_stream/defend/_dev/test/pipeline/test-defend.json-expected.json` + +`event.action: created` refers to Wiz creating the detection record, not the runtime verb — reading “process created container” would be incoherent. The underlying behavior is timestomping on the container workload. 
+ +``` +Runtime process (Test Actor) → Timestomping technique was detected → container test-container +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | 4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e | +| name | Test Actor | +| type | general | +| sub_type | process | +| geo | London, United Kingdom | +| ip | 81.2.69.192 | + +**Field sources:** +- `id` ← `wiz.defend.triggering_event.actor.id` (copied to `user.id` today) +- `name` ← `wiz.defend.triggering_event.actor.name` +- `sub_type` ← `wiz.defend.triggering_event.actor.type` (`Process`) +- `geo` ← `source.geo.city_name`, `source.geo.country_name` (enriched from `wiz.defend.triggering_event.actor_ip`; not copied to `source.ip`) +- `ip` ← `wiz.defend.triggering_event.actor_ip` (also in `related.ip`) + +Process tree also shows `username: root` executing `/usr/bin/touch` (`wiz.defend.triggering_event.runtime_details.process_tree`). + +#### Event action + +| Field | Value | +| --- | --- | +| action | Timestomping technique was detected | +| source_field | `wiz.defend.title` | +| source_value | Timestomping technique was detected | + +ECS `event.action: created` is the alert-record lifecycle verb — **not the runtime action** shown here. 
+ +#### Target + +| Field | Value | +| --- | --- | +| id | da259b23-de77-5adb-8336-8c4071696305 | +| name | test-container | +| type | general | +| sub_type | container_workload | + +**Field sources:** +- `id` ← `wiz.defend.primary_resource.id` +- `name` ← `wiz.defend.primary_resource.name` +- `sub_type` ← `wiz.defend.primary_resource.type` (`CONTAINER`) + Kubernetes/EKS context (`kubernetes_cluster_name: prod-cluster`, `region: us-east-1`) + +#### Mermaid (optional) + +```mermaid +flowchart LR + A["Actor: Test Actor (process)"] --> E["Timestomping detected"] + E --> T["Target: test-container"] +``` + +### Example 3: CSPM Pod rule evaluation failed + +**Stream:** `wiz.cloud_configuration_finding` · **Fixture:** `packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log-expected.json` (first event) + +``` +Wiz CSPM evaluator → failed → Pod cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx +``` + +#### Actor + +| Field | Value | +| --- | --- | +| name | Wiz | +| type | service | + +**Field sources:** +- `name` ← `observer.vendor` + +#### Event action + +| Field | Value | +| --- | --- | +| action | failed | +| source_field | `result.evaluation` | +| source_value | failed | + +**Not mapped to ECS `event.action` today** — derived from vendor `FAIL` normalized to `result.evaluation`. + +#### Target + +| Field | Value | +| --- | --- | +| id | provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99 | +| name | cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx | +| type | host | +| sub_type | Pod | + +**Field sources:** +- `id` ← `resource.id` +- `name` ← `resource.name` +- `sub_type` ← `resource.sub_type` (`Pod`) + +Layer 3 artifact: failing rule `Pod-32` (`rule.id`, `rule.name`). 
+
+#### Mermaid (optional)
+
+```mermaid
+flowchart LR
+ A["Actor: Wiz"] --> E["failed"]
+ E --> T["Target: cluster-autoscaler pod"]
+```
+
+## ES|QL Entity Extraction
+
+**Package type: agent-backed** (CEL/HTTP Endpoint, six `data_stream/` directories with fixtures). Router: **`data_stream.dataset`** (`wiz.audit`, `wiz.issue`, `wiz.vulnerability`, `wiz.cloud_configuration_finding`, `wiz.cloud_configuration_finding_full_posture`, `wiz.defend`). Full actor/target extraction on **`wiz.audit`** and **`wiz.defend`**; partial on finding/CSPM streams (scanner **service** actor, resource/asset targets). Login auth targets the Wiz platform (**`service.target.name`** semantic literal per Pass 3 Example 1), not the portal user. CSPM **`USER_ACCOUNT`** ingest maps the evaluated IAM identity to **`user.*`** (actor/target conflation) — the detection-flags block excludes that pattern from `actor_exists` so the scanner **`service.name`** literal and **`user.target.*`** copy fallbacks remain reachable; all mapped columns use **column-level preserve** (` IS NOT NULL`) as the first CASE branch — never `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` — so ingest `user.*` on USER_ACCOUNT rows is not inadvertently cleared, and audit `source.ip` fills `host.ip` independently of whether `user.id` is set. `event.action` is **ingest-only** on both `wiz.audit` (from `json.action`) and `wiz.defend` (from `trigger.type`); no ES|QL action block is needed.
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `wiz.audit` | platform audit | user, host | service | full |
+| `wiz.defend` | runtime detection | user, general (process) | general (container) | full |
+| `wiz.cloud_configuration_finding` | CSPM state | service | host, user, service | partial |
+| `wiz.cloud_configuration_finding_full_posture` | CSPM snapshot | service | host, user, service | partial |
+| `wiz.vulnerability` | CVE findings | service | host, general | partial |
+| `wiz.issue` | risk state | — | general | partial |
+
+### Field mapping plan
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.id` | `wiz.audit.service_account.id` | `data_stream.dataset == "wiz.audit" AND user.id IS NULL` | high | **column-level preserve** (`user.id IS NOT NULL`); **vendor fallback** — OAuth/service-account login when ECS `user.id` absent; portal interactive user is **ingest-only** (`json.user.id` → `user.id`, `audit/default.yml`) |
+| `user.name` | `wiz.audit.service_account.name` | `data_stream.dataset == "wiz.audit" AND user.name IS NULL` | high | **column-level preserve** (`user.name IS NOT NULL`); **vendor fallback** — OAuth/service-account login; portal user `user.name` **ingest-only** |
+| `user.id` | — | `data_stream.dataset == "wiz.defend"` | high | **ingest-only** — `triggering_event.actor.id` → `user.id` (`defend/default.yml`); **omit from ES\|QL** (no alternate source) |
+| `user.name` | — | `data_stream.dataset == "wiz.defend"` | high | **ingest-only** — triggering actor name; **omit from ES\|QL** |
+| `host.ip` | `source.ip` | `data_stream.dataset == "wiz.audit" AND source.ip IS NOT NULL` | high | **column-level preserve** (`host.ip IS NOT NULL`); **vendor fallback** — `sourceIP` mapped to `source.ip` at ingest; `host.ip` not set by
pipeline |
+| `service.name` | `"Wiz"` | `data_stream.dataset IN ("wiz.vulnerability", "wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture")` | high | **column-level preserve** (`service.name IS NOT NULL`); **semantic literal** — automated CNVM/CSPM scanner (`observer.vendor: Wiz` in fixtures, Pass 3 Ex. 3) |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `service.target.name` | `"Wiz"` | `data_stream.dataset == "wiz.audit" AND event.action IN ("user-login", "login")` | high | **column-level preserve** (`service.target.name IS NOT NULL`); **semantic literal** — SaaS platform being authenticated to (Pass 3 Ex. 1); `event.action` values confirmed in `test-audit.log-expected.json` and `sample_event.json` |
+| `service.target.name` | `cloud.service.name` | `data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND cloud.service.name IS NOT NULL` | high | **column-level preserve**; **preserve existing** — Layer 1 cloud platform; confirmed `eks` in CSPM fixture event 2 |
+| `entity.target.id` | `wiz.defend.primary_resource.id` | `data_stream.dataset == "wiz.defend" AND wiz.defend.primary_resource.id IS NOT NULL` | high | **vendor fallback** — container `da259b23-…` in defend fixture; `wiz.defend.primary_resource.*` vendor-only (Pass 3 Ex.
2) |
+| `entity.target.name` | `wiz.defend.primary_resource.name` | `data_stream.dataset == "wiz.defend" AND wiz.defend.primary_resource.name IS NOT NULL` | high | **vendor fallback** — `test-container` in defend fixture |
+| `entity.target.sub_type` | `wiz.defend.primary_resource.type` | `data_stream.dataset == "wiz.defend" AND wiz.defend.primary_resource.type IS NOT NULL` | high | **vendor fallback** — `CONTAINER` in defend fixture |
+| `entity.target.id` | `wiz.issue.entity_snapshot.id` | `data_stream.dataset == "wiz.issue" AND wiz.issue.entity_snapshot.id IS NOT NULL` | high | **vendor fallback** — `e507d472-…` in issue fixture |
+| `entity.target.name` | `wiz.issue.entity_snapshot.name` | `data_stream.dataset == "wiz.issue" AND wiz.issue.entity_snapshot.name IS NOT NULL` | high | **vendor fallback** — `system:aggregate-to-edit` in issue fixture |
+| `entity.target.sub_type` | `wiz.issue.entity_snapshot.native_type` | `data_stream.dataset == "wiz.issue" AND wiz.issue.entity_snapshot.native_type IS NOT NULL` | high | **vendor fallback** — `ClusterRole` in issue fixture |
+| `host.target.id` | `device.id` | `data_stream.dataset == "wiz.vulnerability" AND device.id IS NOT NULL` | high | **preserve existing** — `c828de0d-…` confirmed in vulnerability fixture; `vulnerableAsset.id` → `device.id` at ingest |
+| `host.target.name` | `host.name` | `data_stream.dataset == "wiz.vulnerability" AND host.name IS NOT NULL` | high | **preserve existing** — `test-4` confirmed in vulnerability fixture for `VIRTUAL_MACHINE` assets |
+| `host.target.id` | `resource.id` | `data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type IN ("POD", "VIRTUAL_MACHINE") AND resource.id IS NOT NULL` | high | **preserve existing** — `provider-id-0e814bb7-…` (POD) and `80045425-…` (VM) confirmed in CSPM fixtures |
+| `host.target.name` | `resource.name` | `data_stream.dataset IN ("wiz.cloud_configuration_finding",
"wiz.cloud_configuration_finding_full_posture") AND resource.type == "POD" AND resource.name IS NOT NULL` | high | **preserve existing** — `cluster-autoscaler-…` confirmed in CSPM fixture event 1 (Pass 3 Ex. 3) |
+| `host.target.name` | `host.name` | `data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type == "VIRTUAL_MACHINE" AND host.name IS NOT NULL` | high | **preserve existing** — `annam-vm` confirmed in CSPM fixture events 3–7 |
+| `user.target.id` | `user.id` | `data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type == "USER_ACCOUNT" AND user.id IS NOT NULL` | medium | **de-facto destination** — ingest conflation fix at query time; `arn:aws:iam::998231069301:root` confirmed in CSPM fixture event 2; fallback reads from ingest `user.id` |
+| `user.target.name` | `user.name` | same | medium | **de-facto destination** — `Root user` confirmed in CSPM fixture event 2 |
+| `entity.target.id` | `resource.id` | `data_stream.dataset == "wiz.vulnerability" AND resource.id IS NOT NULL` | high | **preserve existing** — cloud resource ARN correlation; `arn:aws:ec2:…` confirmed in vulnerability fixture |
+| `entity.target.name` | `resource.name` | `data_stream.dataset == "wiz.vulnerability" AND resource.name IS NOT NULL` | high | **preserve existing** — `test-4` confirmed in vulnerability fixture |
+| `host.target.ip` | `destination.ip` | `data_stream.dataset == "wiz.defend" AND destination.ip IS NOT NULL` | medium | **de-facto destination** — subject resource IP from `subjectResourceIp` → `destination.ip` pipeline; absent from current defend test fixture |
+
+### Detection flags (mandatory — run first)
+
+Tuned **`actor_exists`**: CSPM **`USER_ACCOUNT`** events populate `user.id`/`user.name` for the evaluated cloud IAM identity (actor/target conflation), not a human actor — those rows are excluded from `actor_exists` so the scanner
`service.name` literal and `user.target.*` copy fallbacks remain reachable on those events. All mapped-column EVAL blocks use **column-level preserve** — not this flag as the first CASE condition.
+
+```esql
+| EVAL
+ actor_exists = (
+ user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL
+ )
+ AND NOT (
+ data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture")
+ AND resource.type == "USER_ACCOUNT"
+ ),
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+**Semantics:** `actor_exists` / `target_exists` / `action_exists` are query-time helpers only — **do NOT use them as the first branch in mapped column CASE expressions**. Every mapped column uses column-level preserve: `CASE(col IS NOT NULL, col, …)`. The CSPM USER_ACCOUNT exclusion in `actor_exists` does not null out ingest `user.*`; it only marks those rows as "no meaningful actor" for downstream logic.
+ +### Combined ES|QL — actor fields + +```esql +| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset == "wiz.audit" AND wiz.audit.service_account.id IS NOT NULL, wiz.audit.service_account.id, + null + ), + user.name = CASE( + user.name IS NOT NULL, user.name, + data_stream.dataset == "wiz.audit" AND wiz.audit.service_account.name IS NOT NULL, wiz.audit.service_account.name, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset == "wiz.audit" AND source.ip IS NOT NULL, source.ip, + null + ), + service.name = CASE( + service.name IS NOT NULL, service.name, + data_stream.dataset IN ("wiz.vulnerability", "wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture"), "Wiz", + null + ) +``` + +**Column notes:** +- `user.id` / `user.name`: portal interactive user (`json.user.id`/`json.user.name`) and defend triggering actor are **ingest-only** — no alternate source; fallback only covers OAuth/service-account rows where ECS `user.*` is null at ingest. 5-arg CASE: preserve → `wiz.audit` guard + `IS NOT NULL` → null default. +- `host.ip`: `source.ip` is indexed at ingest from `sourceIP` on audit events; `host.ip` is not set by the pipeline. Column-level preserve + `IS NOT NULL` guard on source. +- `service.name`: semantic literal `"Wiz"` for scanner/evaluator datasets; 5-arg CASE with null default; no guard needed on literal branch but dataset restriction prevents false assignment. + +**ES|QL CASE arity reminder:** `CASE(cond, val, …, default)` — pairs of (boolean condition, return value), first true wins; last odd argument is the default. **4-arg form is wrong** for non-literal fallbacks — `CASE(col IS NOT NULL, col, vendor_field, null)` treats `vendor_field` as a boolean condition. Always use 5-arg: `CASE(col IS NOT NULL, col, dataset_guard AND src IS NOT NULL, src, null)`. 
+
+### Combined ES|QL — target fields
+
+```esql
+| EVAL
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "wiz.audit" AND event.action IN ("user-login", "login"), "Wiz",
+ data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND cloud.service.name IS NOT NULL, cloud.service.name,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "wiz.defend" AND wiz.defend.primary_resource.id IS NOT NULL, wiz.defend.primary_resource.id,
+ data_stream.dataset == "wiz.issue" AND wiz.issue.entity_snapshot.id IS NOT NULL, wiz.issue.entity_snapshot.id,
+ data_stream.dataset == "wiz.vulnerability" AND resource.id IS NOT NULL, resource.id,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "wiz.defend" AND wiz.defend.primary_resource.name IS NOT NULL, wiz.defend.primary_resource.name,
+ data_stream.dataset == "wiz.issue" AND wiz.issue.entity_snapshot.name IS NOT NULL, wiz.issue.entity_snapshot.name,
+ data_stream.dataset == "wiz.vulnerability" AND resource.name IS NOT NULL, resource.name,
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "wiz.defend" AND wiz.defend.primary_resource.type IS NOT NULL, wiz.defend.primary_resource.type,
+ data_stream.dataset == "wiz.issue" AND wiz.issue.entity_snapshot.native_type IS NOT NULL, wiz.issue.entity_snapshot.native_type,
+ null
+ ),
+ host.target.id = CASE(
+ host.target.id IS NOT NULL, host.target.id,
+ data_stream.dataset == "wiz.vulnerability" AND device.id IS NOT NULL, device.id,
+ data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type IN ("POD", "VIRTUAL_MACHINE") AND resource.id IS NOT NULL, resource.id,
+ null
+ ),
+ host.target.name = CASE(
+
host.target.name IS NOT NULL, host.target.name,
+ data_stream.dataset == "wiz.vulnerability" AND host.name IS NOT NULL, host.name,
+ data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type == "POD" AND resource.name IS NOT NULL, resource.name,
+ data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type == "VIRTUAL_MACHINE" AND host.name IS NOT NULL, host.name,
+ null
+ ),
+ host.target.ip = CASE(
+ host.target.ip IS NOT NULL, host.target.ip,
+ data_stream.dataset == "wiz.defend" AND destination.ip IS NOT NULL, destination.ip,
+ null
+ ),
+ user.target.id = CASE(
+ user.target.id IS NOT NULL, user.target.id,
+ data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type == "USER_ACCOUNT" AND user.id IS NOT NULL, user.id,
+ null
+ ),
+ user.target.name = CASE(
+ user.target.name IS NOT NULL, user.target.name,
+ data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type == "USER_ACCOUNT" AND user.name IS NOT NULL, user.name,
+ null
+ )
+```
+
+**Column notes:**
+- `service.target.name`: two branches — audit login literal `"Wiz"` (3-arg literal branch embedded in multi-branch CASE); CSPM cloud platform passthrough. Both guarded by dataset condition; literal branch uses no `IS NOT NULL` guard (literal cannot be null).
+- `entity.target.*`: multi-branch across defend/issue/vulnerability; each branch has its own dataset guard and `IS NOT NULL` check on the source field.
+- `host.target.id` / `host.target.name`: CSPM branch restricted to `POD` and `VIRTUAL_MACHINE` resource types confirmed in fixtures; `IS NOT NULL` guards on `resource.id` and `host.name` prevent returning null from truthy conditions.
+- `user.target.id` / `user.target.name`: reads from ingest `user.id`/`user.name` (set by `set_user_id_if_user_account` processor); `IS NOT NULL` guard prevents null return; `actor_exists` exclusion flag ensures these rows are not treated as having a human actor.
+- `host.target.ip`: medium confidence; `destination.ip` from subject resource IP in defend pipeline but absent from test fixture.
+
+### Full pipeline fragment (optional)
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = (
+ user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL
+ )
+ AND NOT (
+ data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture")
+ AND resource.type == "USER_ACCOUNT"
+ ),
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ user.id = CASE(
+ user.id IS NOT NULL, user.id,
+ data_stream.dataset == "wiz.audit" AND wiz.audit.service_account.id IS NOT NULL, wiz.audit.service_account.id,
+ null
+ ),
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset == "wiz.audit" AND wiz.audit.service_account.name IS NOT NULL, wiz.audit.service_account.name,
+ null
+ ),
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "wiz.audit" AND source.ip IS NOT NULL, source.ip,
+ null
+ ),
+ service.name = CASE(
+ service.name IS NOT NULL, service.name,
+ data_stream.dataset IN ("wiz.vulnerability", "wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture"),
"Wiz",
+ null
+ )
+| EVAL
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "wiz.audit" AND event.action IN ("user-login", "login"), "Wiz",
+ data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND cloud.service.name IS NOT NULL, cloud.service.name,
+ null
+ ),
+ entity.target.id = CASE(
+ entity.target.id IS NOT NULL, entity.target.id,
+ data_stream.dataset == "wiz.defend" AND wiz.defend.primary_resource.id IS NOT NULL, wiz.defend.primary_resource.id,
+ data_stream.dataset == "wiz.issue" AND wiz.issue.entity_snapshot.id IS NOT NULL, wiz.issue.entity_snapshot.id,
+ data_stream.dataset == "wiz.vulnerability" AND resource.id IS NOT NULL, resource.id,
+ null
+ ),
+ entity.target.name = CASE(
+ entity.target.name IS NOT NULL, entity.target.name,
+ data_stream.dataset == "wiz.defend" AND wiz.defend.primary_resource.name IS NOT NULL, wiz.defend.primary_resource.name,
+ data_stream.dataset == "wiz.issue" AND wiz.issue.entity_snapshot.name IS NOT NULL, wiz.issue.entity_snapshot.name,
+ data_stream.dataset == "wiz.vulnerability" AND resource.name IS NOT NULL, resource.name,
+ null
+ ),
+ entity.target.sub_type = CASE(
+ entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+ data_stream.dataset == "wiz.defend" AND wiz.defend.primary_resource.type IS NOT NULL, wiz.defend.primary_resource.type,
+ data_stream.dataset == "wiz.issue" AND wiz.issue.entity_snapshot.native_type IS NOT NULL, wiz.issue.entity_snapshot.native_type,
+ null
+ ),
+ host.target.id = CASE(
+ host.target.id IS NOT NULL, host.target.id,
+ data_stream.dataset == "wiz.vulnerability" AND device.id IS NOT NULL, device.id,
+ data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type IN ("POD", "VIRTUAL_MACHINE") AND resource.id IS NOT NULL, resource.id,
+ null
+ ),
+ host.target.name = CASE(
+ host.target.name IS NOT NULL,
host.target.name,
+ data_stream.dataset == "wiz.vulnerability" AND host.name IS NOT NULL, host.name,
+ data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type == "POD" AND resource.name IS NOT NULL, resource.name,
+ data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type == "VIRTUAL_MACHINE" AND host.name IS NOT NULL, host.name,
+ null
+ ),
+ host.target.ip = CASE(
+ host.target.ip IS NOT NULL, host.target.ip,
+ data_stream.dataset == "wiz.defend" AND destination.ip IS NOT NULL, destination.ip,
+ null
+ ),
+ user.target.id = CASE(
+ user.target.id IS NOT NULL, user.target.id,
+ data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type == "USER_ACCOUNT" AND user.id IS NOT NULL, user.id,
+ null
+ ),
+ user.target.name = CASE(
+ user.target.name IS NOT NULL, user.target.name,
+ data_stream.dataset IN ("wiz.cloud_configuration_finding", "wiz.cloud_configuration_finding_full_posture") AND resource.type == "USER_ACCOUNT" AND user.name IS NOT NULL, user.name,
+ null
+ )
+| KEEP @timestamp, data_stream.dataset, event.action, user.id, user.name, host.ip, service.name, service.target.name, entity.target.id, entity.target.name, entity.target.sub_type, host.target.id, host.target.name, host.target.ip, user.target.id, user.target.name
+```
+
+### Streams excluded
+
+None — all six datasets produce at least partial actor or target extraction. `wiz.issue` has no actor identity (risk-state aggregation only) but contributes `entity.target.*` target fields.
+
+### Gaps and limitations
+
+- **`event.action` block omitted** — `event.action` is set at ingest on `wiz.audit` (from `json.action`) and `wiz.defend` (from `trigger.type`); both are ingest-only with no alternate source field. No ES|QL action EVAL block is produced.
Candidates on the four finding streams (`wiz.issue.type`, `result.evaluation`) are omitted to avoid false positives; documented as Pass 2 enhancement candidates.
+- **`user.id` / `user.name` ingest-only on defend** — `triggering_event.actor.id` → `user.id` is set by the defend pipeline; no alternate source at query time. Fallback branch omitted.
+- **`user.id` / `user.name` tautology guard** — portal interactive user on audit is also ingest-only; the audit CASE only fires when `user.id IS NULL` (OAuth/service-account login); column-level preserve ensures ingest `user.id` is not overwritten.
+- **`wiz.defend.primary_actor.*`** — richer graph-level actor identity (Entra SP name/email); vendor-only; not promoted to ECS `user.*` at ingest or in this ES|QL block. `related.user` contains email/name but mixed with other roles.
+- **`destination.ip` / `host.target.ip` on defend** — pipeline maps `subjectResourceIp` → `destination.ip`; field is absent from `test-defend.json-expected.json`; medium confidence, included with `IS NOT NULL` guard.
+- **`container.image.name` on vulnerability** — `CONTAINER_IMAGE` asset type maps name to `container.image.name` at ingest; query-time `entity.target.name` covers this via `resource.name` fallback only when `resource.name` is present (not all CONTAINER_IMAGE rows have `resource.name` in fixture).
+- **CSPM non-POD/non-VM/non-USER resource types** — `resource.type` values such as `SERVERLESS_FUNCTION`, `BUCKET`, `KUBERNETES_CLUSTER`, etc. are not guarded by current `host.target.*` or `user.target.*` CASE branches; add stream-specific guards per type before extending.
+- **No ingest-time `*.target.*` today** — no tier-A ECS target fields set by wiz pipelines; this section is query-time fill-gaps only. When pipelines are updated to emit `entity.target.*` etc., preserve-first CASE branches will automatically defer to ingest values.
diff --git a/dev/domain/p1/zscaler_zia.md b/dev/domain/p1/zscaler_zia.md
new file mode 100644
index 00000000000..1d9ed840969
--- /dev/null
+++ b/dev/domain/p1/zscaler_zia.md
@@ -0,0 +1,599 @@
+# zscaler_zia
+
+## Product Domain
+
+Zscaler Internet Access (ZIA) is a cloud-native Secure Access Service Edge (SASE) platform and secure web gateway (SWG) that sits inline between users, devices, and workloads and the public internet or SaaS applications. Part of the Zscaler Zero Trust Exchange, ZIA replaces legacy perimeter appliances—on-premises firewalls, proxy servers, and VPN backhaul—with a globally distributed cloud proxy architecture. User and workload traffic is steered to the nearest Zscaler point of presence via Zscaler Client Connector or GRE/IPsec tunnels, where it is terminated, identity-verified, and inspected before being forwarded to its destination.
+
+As a SWG, ZIA enforces URL filtering, SSL/TLS inspection, cloud application control, data loss prevention (DLP), sandboxing, and AI-powered threat protection on outbound web and SaaS traffic. Its cloud firewall and intrusion prevention capabilities extend policy enforcement to non-web protocols, blocking lateral movement and command-and-control activity at the network layer. ZIA is designed for cloud-first and mobile-first enterprises: policies are identity- and context-aware (user, device posture, location, application) rather than tied to a fixed network perimeter, making it a foundational component of modern SASE and zero trust architectures.
+
+From a security operations perspective, ZIA is the primary control point for internet-bound traffic. Security teams rely on ZIA telemetry to monitor web access decisions, detect malware and phishing, investigate DLP incidents, audit administrator activity, and correlate user and device identity with network events. Because ZIA inspects encrypted traffic at scale and applies policy before data reaches endpoints or cloud services, its logs are a critical signal for SIEM correlation, threat hunting, compliance auditing, and incident response across the enterprise estate.
+
+## Data Collected (brief)
+
+The integration collects ZIA logs from the Nanolog Streaming Service (NSS) via Elastic Agent **TCP** or **HTTP Endpoint** inputs, and sandbox analysis reports via a **CEL/API** input (OAuth 2.0). Eight data streams cover the main ZIA log types:
+
+| Data stream | Description |
+|---|---|
+| **web** | SWG access logs—URL, application, action, threat/DLP verdicts, SSL/TLS details, file metadata, bandwidth and policy rule labels |
+| **firewall** | Cloud firewall and IPS events—session allow/block, protocols, threat names, NAT/DNAT, rule labels, byte counts |
+| **dns** | DNS resolution logs—queries, responses, categories, DNS gateway rules, client and server endpoints |
+| **tunnel** | VPN/IPsec tunnel events—IKE phases, tunnel lifecycle, source/destination IPs, credentials, throughput |
+| **endpoint_dlp** | Endpoint DLP incidents—file transfers, DLP dictionary/engine hits, actions taken, channel and severity |
+| **audit** | ZIA Admin Portal audit logs—administrator actions, configuration changes, resource, result, and client IP |
+| **alerts** | Platform and cloud configuration alerts (e.g., NSS connectivity, service health) |
+| **sandbox_report** | Sandbox analysis reports fetched via API—file hashes, classification scores, exploit and networking indicators |
+
+Events arrive as JSON (or syslog for alerts) from NSS or Cloud NSS feeds and are mapped to ECS fields where applicable, with vendor-specific details retained under `zscaler_zia..*`. Bundled Kibana dashboards visualize web, firewall, DNS, tunnel, endpoint DLP, audit, and sandbox activity.
+
+## Expected Audit Log Entities
+
+Classifications below are grounded in all eight data streams under `packages/zscaler_zia/data_stream/` — `sample_event.json`, pipeline test `*-expected.json` fixtures, `fields/fields.yml`, and `elasticsearch/ingest_pipeline/default.yml`.
+
+Only **audit** is a true ZIA Admin Portal audit log (NSS sourcetype `zscalernss-audit`).
**web**, **firewall**, **dns**, **tunnel**, and **endpoint_dlp** are inline traffic or endpoint-incident telemetry (audit-adjacent for identity and policy correlation). **alerts** is operational NSS/platform syslog. **sandbox_report** is a CEL/API-fetched malware analysis artifact, not a live audit event.
+
+No stream populates ECS `user.target.*`, `host.target.*`, `service.target.*`, or `entity.target.*`. The package is classified **strong_candidate** in `dev/target-fields-audit/out/target_enhancement_packages.csv` (actor and target vendor signals present; no official target fields mapped). `destination.user.*` / `destination.host.*` are **not** used — `destination.*` holds network/session peers only (package absent from `destination_identity_hits.csv`).
+
+Six of eight streams map a vendor action field to `event.action` in the ingest pipeline. **dns** and **alerts** do not — vendor request/response actions and syslog message text remain the action candidates.
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`?
| Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+| **audit** | yes | yes | `json.action` → `zscaler_zia.audit.action` → `event.action` | high | `activate`, `sign_out` in `test-audit.log-expected.json`; pipeline `set_event_action_from_audit_action` |
+| **web** | yes | yes | `json.action` → `zscaler_zia.web.action` → `event.action` | high | `allowed`, `blocked`, `cautioned` in `test-web.log-expected.json`; drives `event.outcome` |
+| **firewall** | yes | yes | `json.action` → `zscaler_zia.firewall.action` → `event.action` | high | `allowed`, `blocked`, `outofrange` in `test-firewall-http-endpoint.log-expected.json`; also appends to `event.type` |
+| **dns** | no | no | `json.reqaction` → `zscaler_zia.dns.request.action` (primary); `json.resaction` → `zscaler_zia.dns.response.action` (alternate) | high | `REQ_ALLOW`, `RES_Action` in `test-dns.log-expected.json`; pipeline renames only, no `event.action` set |
+| **tunnel** | partial | yes (when `json.event` present) | `json.event` → `zscaler_zia.tunnel.event` → `event.action`; alternate `json.Recordtype` → `zscaler_zia.tunnel.action.type` | high / medium | `ipsec-tunnel-is-up` when `event` populated; IPSec Phase2 records lack `event.action` (`test-tunnel.log-expected.json`) |
+| **endpoint_dlp** | yes | yes | `json.actiontaken` → `zscaler_zia.endpoint_dlp.action_taken` → `event.action` | high | `allow` in `test-endpoint-dlp.log-expected.json`; alternate `activitytype` → `zscaler_zia.endpoint_dlp.activity_type` (`email_sent`) |
+| **alerts** | no | no | Derive from syslog message pattern (e.g.
`connection-lost`) | medium | Grok on `ZscalerNSS:` messages only; no structured action field in `test-alerts.log-expected.json` |
+| **sandbox_report** | yes | yes | `json.Summary.Status` → `zscaler_zia.sandbox_report.summary.status` → `event.action` | high | `completed` in `sandbox_report/sample_event.json` from vendor `COMPLETED` |
+
+### Event action (semantic)
+
+What operation or activity does each stream record?
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+| `activate` | configuration_change | high | `audit/sample_event.json`, `test-audit.log-expected.json` | Admin activates a DLP dictionary or similar resource |
+| `sign_out` | authentication | high | `test-audit.log-expected.json` (`SIGN_OUT` → lowercase + gsub) | Admin portal logout; `event.category: iam` from category script |
+| `allowed` | data_access | high | `web/test-web.log-expected.json`, `web/sample_event.json` | SWG permit decision; sets `event.outcome: success`, `event.type: access` |
+| `blocked` | data_access | high | `web/test-web.log-expected.json`, `firewall/test-firewall-http-endpoint.log-expected.json` | SWG or cloud-firewall deny; web sets `event.outcome: failure`; firewall appends `event.type: denied` |
+| `cautioned` | data_access | high | `web/test-web.log-expected.json` | SWG caution/warn verdict (e.g.
file attachment cautioned) | +| `outofrange` | detection | high | `firewall/sample_event.json`, `test-firewall-http-endpoint.log-expected.json` | Firewall session outside policy range; `event.type: info` | +| `req_allow` | data_access | high | `dns/test-dns.log-expected.json` (`REQ_ALLOW` vendor) | DNS request permitted — vendor-only today | +| `res_action` | data_access | medium | `dns/test-dns.log-expected.json` (`RES_Action` vendor) | DNS response action — vendor-only; separate from request action | +| `ipsec-tunnel-is-up` | configuration_change | high | `tunnel/test-tunnel.log-expected.json` | Tunnel lifecycle status from `json.event`; spaces → hyphens via gsub | +| (IPSec phase record) | configuration_change | medium | `tunnel/test-tunnel.log-expected.json` | `Recordtype: IPSec Phase2` stored in `zscaler_zia.tunnel.action.type` only — not copied to `event.action` | +| `allow` | data_access | high | `endpoint_dlp/sample_event.json`, `test-endpoint-dlp.log-expected.json` | DLP enforcement decision; appends `event.type: allowed` | +| `block` | data_access | high | Pipeline logic in `endpoint_dlp/elasticsearch/ingest_pipeline/default.yml` | Would append `event.type: denied` when present | +| `email_sent` | data_access | high | `endpoint_dlp/test-endpoint-dlp.log-expected.json` | Activity type describing exfil channel — vendor-only (`activity_type`) | +| `connection-lost` | detection | medium | Inferred from alerts grok patterns | NSS feed or cloud-config connectivity failure — not mapped | +| `completed` | detection | high | `sandbox_report/sample_event.json` | Sandbox analysis job finished (`Summary.Status: COMPLETED`) | + +### Event action (ECS candidates) + +| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | +| `event.action` ← `zscaler_zia.audit.action` | yes | yes | `activate`, `sign_out` | no | `audit/elasticsearch/ingest_pipeline/default.yml` lines 340–359; lowercase + space→hyphen gsub | +| `event.action` ← `zscaler_zia.web.action` | yes | yes | `allowed`, `blocked`, `cautioned` | no | `web/elasticsearch/ingest_pipeline/default.yml` lines 143–167; drives `event.outcome` | +| `event.action` ← `zscaler_zia.firewall.action` | yes | yes | `allowed`, `blocked`, `outofrange` | no | `firewall/elasticsearch/ingest_pipeline/default.yml` lines 126–167; also feeds `event.type` | +| `zscaler_zia.dns.request.action` | no | n/a | `req_allow` (from `REQ_ALLOW`) | yes | `dns/elasticsearch/ingest_pipeline/default.yml` lines 542–544; primary DNS request verdict | +| `zscaler_zia.dns.response.action` | no | n/a | `res_action` (from `RES_Action`) | yes | `dns/elasticsearch/ingest_pipeline/default.yml` lines 579–581; secondary response verdict | +| `event.action` ← `zscaler_zia.tunnel.event` | partial | yes (when present) | `ipsec-tunnel-is-up` | partial | `tunnel/elasticsearch/ingest_pipeline/default.yml` lines 315–339; absent for IPSec Phase2-only records | +| `zscaler_zia.tunnel.action.type` | no | n/a | `ipsec-phase2`, `tunnel-event` (from `Recordtype`) | yes | `tunnel/elasticsearch/ingest_pipeline/default.yml` line 119–121; fallback when `json.event` missing | +| `event.action` ← `zscaler_zia.endpoint_dlp.action_taken` | yes | yes | `allow`, `block` | no | `endpoint_dlp/elasticsearch/ingest_pipeline/default.yml` lines 109–151 | +| `zscaler_zia.endpoint_dlp.activity_type` | no | n/a | `email_sent` | yes | Complementary verb describing what the user did; not copied to `event.action` | +| (derived from alerts message) | no | n/a | `connection-lost` | yes | `alerts/elasticsearch/ingest_pipeline/default.yml` grok only; no `event.action` processor | +| `event.action` ← `zscaler_zia.sandbox_report.summary.status` | yes | yes | 
`completed` | no | `sandbox_report/elasticsearch/ingest_pipeline/default.yml` lines 391–411 | + +### Actor (semantic) + +| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | +| ZIA administrator | user | — | high | `adminid` → `user.email`/`user.name`/`user.domain`; `related.user` | **audit** only; always the acting admin (`example@zscaler.com`, `foo@example.com` in `test-audit.log-expected.json`) | +| Authenticated end user | user | — | high | `login`/`user` → `user.email`/`user.name`; `related.user` | **web**, **dns**, **firewall** (when `user` contains `@`), **endpoint_dlp** (`TempUser` → `user.name` when not an email) | +| Endpoint / managed device | host | — | high | `devicehostname`/`devicename` → `host.name`/`host.hostname`; `devicetype` → `host.type`; `deviceostype` → `host.os.type` | **web**, **dns**, **firewall**, **endpoint_dlp**; secondary actor context for the user session | +| Device owner (MDM) | user | — | medium | `deviceowner` → `zscaler_zia.*.device.owner` → `related.user` | **web**, **dns**, **firewall**, **endpoint_dlp**; may differ from `login` user (e.g. `jsmith` owner vs `jdoe@safemarch.com` login in `dns/sample_event.json`) | +| VPN credential / tunnel endpoint | user / host | — | medium | `json.user` → IP as `zscaler_zia.tunnel.user_ip` **or** non-IP string → `user.email` via `vpn_credential_name` | **tunnel**; `tunnel/sample_event.json` has IP-only (`user_ip`), no `user.*` populated | +| NSS platform process | service | — | high | Syslog prefix `ZscalerNSS:`; no principal fields | **alerts** only | +| (none) | — | — | high | No user/host/service identity fields in pipeline or fixtures | **sandbox_report** — API-polled analysis result with no submitter principal | + +### Actor (ECS candidates) + +| ECS / vendor field | Role | Mapped today? | Mapping correct? 
| Confidence | Evidence | +| --- | --- | --- | --- | --- | --- | +| `user.email` / `user.name` / `user.domain` | Admin or end-user actor | yes | yes | high | **audit**: `adminid` → dissect (`audit/elasticsearch/ingest_pipeline/default.yml`); **web**/**dns**/**firewall**: `login`/`user` URL-decoded then dissect; **endpoint_dlp**: `user` with email-fallback to `user.name` | +| `source.ip` | Admin client or flow origin (context) | yes | partial | high | **audit**: `clientip` → admin workstation/API client, not actor identity; **web**/**dns**/**firewall**: client-side flow IP (`cltip`/`clt_sip`/`csip`), session context not principal | +| `host.name` / `host.hostname` / `host.type` / `host.os.*` | Endpoint actor context | yes | yes | high | Device fields across traffic streams (`devicehostname`, `devicename`, `deviceostype`, etc.) | +| `device.id` | MDM device identifier | yes | yes | high | **web**: `external_devid` → `zscaler_zia.web.external.device.id` → `device.id` (`web/sample_event.json`) | +| `related.user` | Actor enrichment | yes | yes | high | Populated from `user.*` and `*.device.owner` across streams | +| `related.hosts` / `related.ip` | Actor/endpoint enrichment | yes | yes | high | Host names and flow/tunnel IPs appended in all traffic streams | +| `observer.vendor` / `observer.product` / `observer.type` | Inspecting appliance (context) | yes | n/a | high | **firewall** only: statically set `Zscaler` / `ZIA` / `firewall` — observer, not event actor | +| `zscaler_zia.audit.admin_id` | Canonical admin actor | yes (vendor) | n/a | high | Retained when `preserve_duplicate_custom_fields`; removed otherwise after ECS copy | +| `zscaler_zia.*.device.owner` | Device owner principal | yes (vendor) | n/a | medium | Vendor-only identity; copied to `related.user` but not `user.*` | +| `zscaler_zia.tunnel.user_ip` / `zscaler_zia.tunnel.vpn_credential_name` | Tunnel user identity | yes (vendor) | partial | medium | IP stored as endpoint context; credential name copied 
to `user.email` when non-IP | +| `zscaler_zia.web.login` / `zscaler_zia.dns.login` | Raw login string | yes (vendor) | n/a | high | Duplicate of actor email before ECS mapping; removed unless preserve tag | + +### Target (semantic) + +| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes | +| --- | --- | --- | --- | --- | --- | --- | --- | +| 1 — Platform / cloud service | Zscaler cloud tenant or inspected SaaS/application | Zscaler Internet Access (`zscaler.net`) | service | — | high | `cloudname` → `cloud.provider` (**web**, **dns**); `cloud.provider: zscaler.net` in fixtures | Scope context; no `cloud.service.name` set | +| 1 — Platform / cloud service | Cloud/SaaS application under SWG policy | Adobe Connect, Google DNS, Skype, etc. | service | — | high | `appname` → `zscaler_zia.web.app.name`; `dnsapp`/`nwapp` → `network.application` | **web**, **dns**, **firewall** | +| 1 — Platform / cloud service | ZIA Admin Portal / Experience Center | ZIA admin API or portal | service | — | high | `auditlogtype`: `ZIA Portal Audit Log`, `EC`; `event.category`/`event.type` from `category` script | **audit** | +| 1 — Platform / cloud service | ZIA Sandbox analysis service | ZIA Cloud Sandbox | service | — | medium | CEL input fetches report; `event.category: malware` | **sandbox_report** | +| 2 — Resource / object | Configuration or policy object changed by admin | DLP dictionary, firewall rule, IAM entity | general | configuration_object | high | `resource` → `rule.name`; `category`/`subcategory` → `rule.ruleset`/`rule.category` | **audit**; IAM categories (`USER_MANAGEMENT`, `ROLE_MANAGEMENT`) imply user/role targets but no ECS entity mapping | +| 2 — Resource / object | Remote network / web destination | Destination host, URL, DNS name | host / general | url, dns_name, network_peer | high | `url.*`, `destination.domain`/`destination.ip`/`destination.port`, `dns.question.name` | **web**, **firewall**, 
**dns**, **tunnel** | +| 2 — Resource / object | DLP policy rule triggered | DLP / URL / firewall rule labels | general | policy_rule | high | Multiple rule labels → ECS `rule.name` array | **web**, **firewall**, **endpoint_dlp**, **dns** | +| 2 — Resource / object | Sensitive file acted upon | File on endpoint or in transit | general | file | high | `file.path`, `file.hash.*`, `file.name` | **web** (download/upload), **endpoint_dlp**, **sandbox_report** | +| 2 — Resource / object | NSS SIEM feed or cloud-config endpoint | Log feed connection | service | — | high | `zscaler_zia.alerts.log_feed_name`; dissected `destination.ip`/`destination.port` | **alerts** | +| 3 — Content / artifact | Threat / malware indicator | Named threat or file hash | general | threat_indicator, malware_sample | high | `zscaler_zia.web.threat.name`, `zscaler_zia.firewall.threat_name`, `file.hash.*`, `event.risk_score` | **web**, **firewall**, **sandbox_report** | +| 3 — Content / artifact | Exfil channel / destination | Personal cloud, email, network drive | general | exfil_channel | high | `zscaler_zia.endpoint_dlp.destination_type`, `item.destination_name`, `channel` | **endpoint_dlp** | +| 3 — Content / artifact | Before/after config state | Pre/post change JSON blobs | general | config_delta | low | `zscaler_zia.audit.pre_action` / `post_action` retained vendor-only | **audit**; not parsed into ECS target fields | + +### Target (ECS candidates) + +| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? 
| Evidence | +| --- | --- | --- | --- | --- | --- | --- | --- | +| `rule.name` | 2 | general (policy/config object) | yes | partial | `entity.target.name` or context | yes | **audit**: `resource` copied — semantically a rule/config name, not always a firewall "rule"; **web**/**firewall**/**dns**/**endpoint_dlp**: policy rule labels | +| `rule.category` / `rule.ruleset` | 2 | general (object type) | yes | partial | `entity.target.type` | yes | **audit**: `subcategory`/`category` describe target class (e.g. `DLP_DICTIONARY`, `USER_MANAGEMENT`) | +| `url.domain` / `url.full` / `url.path` | 2 | general (url) | yes | yes | context | no | **web**: `b64url` decoded → `url.original`/`url.full` (`web/sample_event.json`) | +| `destination.domain` / `destination.ip` / `destination.port` | 2 | host / general | yes | yes (network context) | context | no | Remote peer in **web**, **firewall**, **dns**, **tunnel**, **alerts** — network session target, not audit `*.target.*` | +| `dns.question.name` / `dns.answers` | 2 | general (dns_name) | yes | yes | context | no | **dns**: `dns_req` → `dns.question.name`; answer data in `dns.answers` | +| `network.application` | 1 | service | yes | yes | `service.target.name` | yes | **dns**/**firewall**: `dnsapp`/`nwapp` → application/service acted upon | +| `cloud.provider` | 1 | service | yes | partial | context | no | **web**/**dns**: `cloudname` (e.g. `zscaler.net`) — tenant scope, not the remote SaaS target | +| `file.path` / `file.hash.*` / `file.name` | 2–3 | general (file) | yes | yes | `entity.target.name` | yes | **endpoint_dlp**, **web**, **sandbox_report** | +| `event.risk_score` | 3 | general (malware score) | yes | yes | context | no | **sandbox_report**: classification score | +| `zscaler_zia.web.app.name` | 1 | service | yes (vendor) | n/a | `service.target.name` | yes | SaaS app label (e.g. 
`Adobe Connect` in `web/sample_event.json`); not mapped to ECS | +| `zscaler_zia.audit.resource` | 2 | general (config object) | yes (vendor) | n/a | `entity.target.name` | yes | Canonical admin target; ECS uses overloaded `rule.name` | +| `zscaler_zia.audit.pre_action` / `post_action` | 3 | general (config_delta) | yes (vendor) | n/a | `entity.target.*` | yes | JSON blobs may hold richer target identity; not parsed | +| `zscaler_zia.firewall.threat_name` | 3 | general (threat) | yes (vendor) | n/a | context | no | IPS threat label; vendor-only | +| `zscaler_zia.web.threat.name` | 3 | general (threat) | yes (vendor) | n/a | context | no | Web threat label; vendor-only | +| `zscaler_zia.endpoint_dlp.item.destination_name` | 3 | general (exfil_destination) | yes (vendor) | n/a | `entity.target.name` | yes | Exfil target name; vendor-only | +| `zscaler_zia.endpoint_dlp.destination_type` | 3 | general (exfil_channel) | yes (vendor) | n/a | context | no | e.g. `personal_cloud_storage` in `endpoint_dlp/sample_event.json` | +| `zscaler_zia.alerts.log_feed_name` | 2 | service | yes (vendor) | n/a | `service.target.name` | yes | e.g. `DNS Logs Feed` in `alerts/sample_event.json` | + +### Gaps and mapping notes + +- **No official ECS target fields** — zero `*.target.*` mappings across all eight pipelines; aligns with target-fields-audit **strong_candidate** classification. +- **`event.action` gaps on dns and alerts** — `reqaction`/`resaction` and syslog connectivity messages are not copied to `event.action`; highest-priority action enhancements. +- **Tunnel action split** — `json.event` (lifecycle status) maps to `event.action` but `Recordtype` (IPSec phase) does not; consider `zscaler_zia.tunnel.action.type` as fallback. +- **Endpoint DLP dual verbs** — `actiontaken` (policy verdict) maps to `event.action`; `activitytype` (e.g. `email_sent`) remains vendor-only and describes the user activity. 
+- **`rule.name` overload** — audit `resource` and traffic rule labels share ECS `rule.name`; for admin IAM events (`USER_MANAGEMENT`, `ROLE_MANAGEMENT`) the resource may be a user account or role name deserving `entity.target.*` or `user.target.*`, not a firewall-style rule. +- **`source.ip` vs actor** — consistently mapped from client/session IP fields; correct as flow origin but must not be interpreted as the human actor (especially **audit** admin actions where `user.email` is authoritative). +- **`device.owner` → `related.user` only** — device owner identity never promoted to `user.*`; enhancement candidate when owner differs from authenticated `login`. +- **`destination.*` is network context** — unlike email/auth integrations, ZIA uses `destination.ip`/`destination.domain` for remote peers and resolver endpoints, not de-facto audit targets; no `destination.user.*` usage. +- **`cloud.provider` without `cloud.service.name`** — Zscaler tenant (`zscaler.net`) is scope; SaaS targets live in `zscaler_zia.web.app.name` or `url.*` without ECS service-target mapping. +- **Unparsed audit deltas** — `preaction`/`postaction` may encode before/after target state for config changes; highest-value vendor-only enhancement source. +- **Tunnel user ambiguity** — `json.user` is IP in fixtures but pipeline supports VPN credential name → `user.email`; classify per event. +- **Sandbox and alerts lack human actors** — do not infer end-user submitter from sandbox reports or NSS connectivity alerts. + +### Per-stream notes + +#### audit + +Primary admin audit stream. **Action:** `json.action` → `event.action` (`activate`, `sign_out`); normalized lowercase with underscores/hyphens. Pipeline maps `adminid` → `user.*`, `clientip` → `source.ip`, `resource` → `rule.name`, `category`/`subcategory` → `rule.ruleset`/`rule.category`, and sets `event.category`/`event.type` from a category lookup script. 
Fixtures: Activate DLP dictionary (`DATA_LOSS_PREVENTION_RESOURCE`/`DLP_DICTIONARY`, resource `"SSL Rule Name"`) and SIGN_OUT (`LOGIN`/`LOGIN`, `resource: "None"` dropped). `errorcode` → `error.code` even when `result: SUCCESS`. Interface (`API`, `Unknown`) is admin path context. + +#### web + +SWG access log. **Action:** `json.action` → `event.action` (`allowed`, `blocked`, `cautioned`); sets `event.outcome` from allow/block. Actor: authenticated user (`login` → `user.*`) plus endpoint (`host.*`, `device.id`). Target layers: SaaS app (`zscaler_zia.web.app.name`), URL/destination (`url.*`, `destination.*`), optional file/threat (`file.*`, `zscaler_zia.web.threat.name`). DLP rule names append to `rule.name`. + +#### firewall + +Cloud firewall/IPS. **Action:** `json.action` → `event.action` (`allowed`, `blocked`, `outofrange`); `allowed`/`blocked` also append to `event.type`. Actor: user when `user`/`login` populated (`test-firewall.log-expected.json`); `firewall/sample_event.json` is IP-only (`user: Unknown` dropped). Observer statically identifies ZIA firewall. Target: remote endpoint (`destination.*`, `cltdomain` → `destination.domain`), application (`network.application`), IPS threat (`zscaler_zia.firewall.threat_name`). + +#### dns + +DNS resolution on managed devices. **Action:** `reqaction`/`resaction` → `zscaler_zia.dns.request.action` / `zscaler_zia.dns.response.action` only — **not** mapped to `event.action` (enhancement candidate: primary `req_allow`). Actor: `user`/`login` → `user.*`; device owner in `related.user`. Target: queried name (`dns.question.name`), resolver endpoint (`destination.ip`), DNS application (`network.application`). + +#### tunnel + +VPN/IPsec lifecycle. **Action:** `json.event` → `event.action` when present (`ipsec-tunnel-is-up`); IPSec Phase2 `Recordtype` events store phase in `zscaler_zia.tunnel.action.type` without `event.action`. 
Actor: tunnel endpoint IPs (`source.ip`, `zscaler_zia.tunnel.source.*`); optional VPN credential name → `user.email`. Target: tunnel peer (`destination.ip`, `zscaler_zia.tunnel.destination.end.ip`). No user in `tunnel/sample_event.json`. + +#### endpoint_dlp + +Endpoint DLP incident. **Action:** `actiontaken` → `event.action` (`allow`, `block`); `activitytype` (`email_sent`) is vendor-only activity descriptor. Actor: `user` → `user.name` (non-email usernames supported); `device.owner` → `related.user`. Target: file (`file.path`, `file.hash.*`), exfil destination (`zscaler_zia.endpoint_dlp.item.destination_name`, `destination_type`), DLP rules (`rule.name`). + +#### alerts + +NSS operational syslog (feed connectivity, cloud-config loss). **Action:** no `event.action`; grok extracts feed name and destination from `ZscalerNSS:` messages — derive `connection-lost` as enhancement candidate. No human actor. Target: SIEM feed name or remote endpoint (`zscaler_zia.alerts.log_feed_name`, `destination.ip`/`destination.port`). + +#### sandbox_report + +CEL/API sandbox analysis. **Action:** `Summary.Status` → `event.action` (`completed`). No actor. Target: submitted file (`file.hash.*`, `zscaler_zia.sandbox_report.file_properties.*`, `event.risk_score`, classification under `zscaler_zia.sandbox_report.classification.*`). + +## Example Event Graph + +Examples below come from the **audit** (true ZIA Admin Portal audit log), **web**, and **dns** streams (inline NSS telemetry, audit-adjacent for identity and policy correlation). Values are taken only from pipeline test fixtures under `packages/zscaler_zia/`. 
+ +### Example 1: Admin activates DLP dictionary + +**Stream:** `zscaler_zia.audit` · **Fixture:** `packages/zscaler_zia/data_stream/audit/sample_event.json` + +``` +ZIA administrator (example@zscaler.com) → activate → DLP dictionary "SSL Rule Name" +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | example@zscaler.com | +| name | example | +| type | user | + +**Field sources:** +- `id` ← `user.email` +- `name` ← `user.name` + +#### Event action + +| Field | Value | +| --- | --- | +| action | activate | +| source_field | `event.action` | +| source_value | activate | + +#### Target + +| Field | Value | +| --- | --- | +| id | SSL Rule Name | +| name | SSL Rule Name | +| type | general | +| sub_type | dlp_dictionary | + +**Field sources:** +- `id` ← `rule.name` +- `name` ← `rule.name` +- `sub_type` ← `rule.category` (`DLP_DICTIONARY`) + +#### Mermaid (optional) + +```mermaid +flowchart LR + A["Actor: example@zscaler.com"] --> E["activate"] + E --> T["Target: SSL Rule Name"] +``` + +### Example 2: SWG blocks malware download + +**Stream:** `zscaler_zia.web` · **Fixture:** `packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json` + +``` +End user (mjones@acmecorp.com) → blocked → Dropbox / www.dropbox.com/download +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | mjones@acmecorp.com | +| name | mjones | +| type | user | + +**Field sources:** +- `id` ← `user.email` +- `name` ← `user.name` + +#### Event action + +| Field | Value | +| --- | --- | +| action | blocked | +| source_field | `event.action` | +| source_value | blocked | + +#### Target + +| Field | Value | +| --- | --- | +| name | Dropbox | +| type | service | +| sub_type | protected_web_app | + +**Field sources:** +- `name` ← `zscaler_zia.web.app.name` (SaaS application); URL context in `url.full` (`https://www.dropbox.com/download`) +- Threat context: `zscaler_zia.web.threat.name` ← `Trojan.GenericKD`; file `malware.exe` in `file.name` + +#### Mermaid 
(optional) + +```mermaid +flowchart LR + A["Actor: mjones@acmecorp.com"] --> E["blocked"] + E --> T["Target: Dropbox"] +``` + +### Example 3: DNS query permitted (vendor action only) + +**Stream:** `zscaler_zia.dns` · **Fixture:** `packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json` + +``` +End user (jdoe1@safemarch.com) → req_allow → DNS name mail.safemarch.com +``` + +#### Actor + +| Field | Value | +| --- | --- | +| id | jdoe1@safemarch.com | +| name | jdoe1 | +| type | user | +| ip | 81.2.69.192 | + +**Field sources:** +- `id` ← `user.email` +- `name` ← `user.name` +- `ip` ← `source.ip` (client-side flow IP for the DNS session, not the human principal) + +#### Event action + +| Field | Value | +| --- | --- | +| action | req_allow | +| source_field | `zscaler_zia.dns.request.action` | +| source_value | REQ_ALLOW | + +**Not mapped to ECS `event.action` today** — derived from vendor request verdict field. + +#### Target + +| Field | Value | +| --- | --- | +| name | mail.safemarch.com | +| type | general | +| sub_type | dns_name | +| ip | 175.16.199.0 | + +**Field sources:** +- `name` ← `dns.question.name` +- `ip` ← `destination.ip` (DNS resolver/server endpoint) +- `geo` omitted — `destination.geo` (Changchun, CN) describes the resolver location, not the queried name + +#### Mermaid (optional) + +```mermaid +flowchart LR + A["Actor: jdoe1@safemarch.com"] --> E["req_allow"] + E --> T["Target: mail.safemarch.com"] +``` + +## ES|QL Entity Extraction + +**Package type: agent-backed** — eight NSS/API data streams with Tier A fixtures (`sample_event.json`, `*-expected.json`) and ingest pipelines under `packages/zscaler_zia/data_stream/`. Primary router: **`data_stream.dataset`** (`zscaler_zia.`). 
Pass 4 is **fill-gaps-only**: detection flags run first for query semantics; mapped columns use **column-level** `CASE( IS NOT NULL, , fallback, null)` — not `CASE(actor_exists, user.id, …)` when `user.email` alone satisfies `actor_exists` while `user.id` stays empty (Pass 4 §10). **`zscaler_zia.audit`** uses `event.action`-aware portal targets on auth/config events (Pass 3). Traffic streams enrich SaaS/DNS/file/network targets; **`alerts`** and **`sandbox_report`** have no human actor in fixtures. + +### Dataset inventory + +| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction | +| --- | --- | --- | --- | --- | +| `zscaler_zia.audit` | admin audit | user | general (config object), service (portal) | full | +| `zscaler_zia.web` | SWG access | user, host | service, host/url | partial | +| `zscaler_zia.firewall` | cloud firewall | user, host | host, service | partial | +| `zscaler_zia.dns` | DNS log | user, host | general (dns_name), host (resolver) | partial | +| `zscaler_zia.tunnel` | VPN/IPsec | user, host | host | partial | +| `zscaler_zia.endpoint_dlp` | endpoint DLP | user, host | general (file, exfil) | partial | +| `zscaler_zia.alerts` | platform alerts | — | service | partial | +| `zscaler_zia.sandbox_report` | sandbox API | — | general (file/malware) | partial | + +### Field mapping plan + +#### Actor mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `user.id` | `user.email` | `data_stream.dataset IN ("zscaler_zia.audit", "zscaler_zia.web", "zscaler_zia.firewall", "zscaler_zia.dns", "zscaler_zia.endpoint_dlp")` | high | preserve existing; fallback id from email when `user.id` empty | +| `user.name` | `user.name` (ingest dissect) | same IN list + `zscaler_zia.tunnel` | high | **ingest-only — no ES|QL**; pipeline sets from `login`/`adminid`/`vpn_credential_name` | +| `user.email` | `user.email` (ingest dissect) | same IN 
list + `zscaler_zia.tunnel` | high | **ingest-only — no ES|QL**; no alternate query-time source | +| `user.domain` | `user.domain` (ingest dissect) | `data_stream.dataset == "zscaler_zia.audit"` | high | **ingest-only — no ES|QL**; admin `adminid` dissect only | +| `host.name` | `host.name` (ingest) | `data_stream.dataset IN ("zscaler_zia.web", "zscaler_zia.dns", "zscaler_zia.firewall", "zscaler_zia.endpoint_dlp")` | high | **ingest-only — no ES|QL**; `devicehostname`/`devicename` at ingest | +| `host.ip` | `source.ip` | `data_stream.dataset IN ("zscaler_zia.web", "zscaler_zia.dns", "zscaler_zia.firewall", "zscaler_zia.tunnel")` | high | preserve existing; fallback client/session IP when `host.ip` empty | + +#### Target mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `service.target.name` | `"ZIA Admin Portal"` | `data_stream.dataset == "zscaler_zia.audit" AND event.action IN ("sign_out", "activate")` | low | semantic literal — portal target (Pass 3); fallback only | +| `entity.target.name` | `rule.name` | `data_stream.dataset == "zscaler_zia.audit"` | high | preserve existing; admin `resource` (e.g. DLP dictionary) | +| `entity.target.sub_type` | `rule.category` | `data_stream.dataset == "zscaler_zia.audit"` | high | preserve existing; e.g. 
`DLP_DICTIONARY` | +| `service.target.name` | `zscaler_zia.web.app.name` | `data_stream.dataset == "zscaler_zia.web"` | high | vendor fallback — SaaS app (Dropbox) | +| `host.target.name` | `url.domain` | `data_stream.dataset == "zscaler_zia.web" AND url.domain IS NOT NULL` | high | preserve existing; remote web host | +| `host.target.ip` | `destination.ip` | `data_stream.dataset IN ("zscaler_zia.web", "zscaler_zia.firewall", "zscaler_zia.tunnel")` | high | preserve existing; network peer — not `user.target.*` | +| `entity.target.name` | `dns.question.name` | `data_stream.dataset == "zscaler_zia.dns"` | high | preserve existing; queried name (Pass 3) | +| `entity.target.sub_type` | `"dns_name"` | `data_stream.dataset == "zscaler_zia.dns"` | low | semantic literal — Pass 3 classification | +| `entity.target.name` | `file.name` | `data_stream.dataset IN ("zscaler_zia.endpoint_dlp", "zscaler_zia.sandbox_report")` | high | preserve existing | +| `entity.target.name` | `zscaler_zia.endpoint_dlp.item.destination_name` | `data_stream.dataset == "zscaler_zia.endpoint_dlp"` | high | vendor fallback — exfil destination | +| `service.target.name` | `zscaler_zia.alerts.log_feed_name` | `data_stream.dataset == "zscaler_zia.alerts"` | high | vendor fallback — NSS feed | +| `service.target.name` | `network.application` | `data_stream.dataset IN ("zscaler_zia.dns", "zscaler_zia.firewall")` | high | preserve existing; DNS/firewall app label | + +#### Event action mappings + +| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes | +| --- | --- | --- | --- | --- | +| `event.action` | `event.action` | six streams with pipeline mapping | high | preserve existing | +| `event.action` | `TO_LOWER(zscaler_zia.dns.request.action)` | `data_stream.dataset == "zscaler_zia.dns"` | medium | vendor fallback — `REQ_ALLOW` → `req_allow` (Pass 3) | +| `event.action` | `TO_LOWER(REPLACE(zscaler_zia.tunnel.action.type, " ", "-"))` | `data_stream.dataset == 
"zscaler_zia.tunnel" AND event.action IS NULL` | medium | vendor fallback — IPSec Phase2 when `json.event` absent | + +**Detection flags predicate (tuned):** `actor_exists` checks `user.*` and `host.name`/`host.ip` only (no `service.*` actor on ZIA). `target_exists` checks all `*.target.*` namespaces. Omit `user.target.*` / `host.target.id` — package maps none today. **Actor/target/action `EVAL` blocks use column-level preserve** (` IS NOT NULL`) — not `CASE(actor_exists, , …)` / `CASE(target_exists, , …)` — so e.g. populated `user.email` does not block `user.id` ← `user.email` or `entity.target.name` ← `rule.name` on empty siblings (Pass 4 §10). + +### Detection flags (mandatory — run first) + +```esql +| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL OR user.domain IS NOT NULL + OR host.name IS NOT NULL OR host.ip IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +``` + +### Optional classification helpers (when needed) + +Set in **fallback** branch only (after column-level `entity.target.* IS NOT NULL` preserve in target `EVAL`): + +- `entity.target.type` — `general` (audit, dns, endpoint_dlp), `service` (web) +- `entity.target.sub_type` — `rule.category` on audit; literal `"dns_name"` on dns + +### Combined ES|QL — actor fields + +```esql +| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset IN ("zscaler_zia.audit", "zscaler_zia.web", "zscaler_zia.firewall", "zscaler_zia.dns", "zscaler_zia.endpoint_dlp"), user.email, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset IN ("zscaler_zia.web", "zscaler_zia.dns", 
"zscaler_zia.firewall", "zscaler_zia.tunnel"), source.ip, + null + ) +``` + +Omitted from actor `EVAL` (ingest-only — no alternate query-time source): `user.name`, `user.email`, `user.domain`, `host.name`. Detection flags still preserve them when populated. + +### Combined ES|QL — event action + +```esql +| EVAL + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "zscaler_zia.dns" AND zscaler_zia.dns.request.action IS NOT NULL, TO_LOWER(zscaler_zia.dns.request.action), + data_stream.dataset == "zscaler_zia.tunnel" AND zscaler_zia.tunnel.action.type IS NOT NULL, TO_LOWER(REPLACE(zscaler_zia.tunnel.action.type, " ", "-")), + null + ) +``` + +### Combined ES|QL — target fields + +```esql +| EVAL + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "zscaler_zia.audit" AND event.action IN ("sign_out", "activate"), "ZIA Admin Portal", + data_stream.dataset == "zscaler_zia.web", zscaler_zia.web.app.name, + data_stream.dataset == "zscaler_zia.alerts", zscaler_zia.alerts.log_feed_name, + data_stream.dataset IN ("zscaler_zia.dns", "zscaler_zia.firewall") AND network.application IS NOT NULL, network.application, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "zscaler_zia.audit", rule.name, + data_stream.dataset == "zscaler_zia.dns", dns.question.name, + data_stream.dataset == "zscaler_zia.endpoint_dlp" AND zscaler_zia.endpoint_dlp.item.destination_name IS NOT NULL, zscaler_zia.endpoint_dlp.item.destination_name, + data_stream.dataset IN ("zscaler_zia.endpoint_dlp", "zscaler_zia.sandbox_report"), file.name, + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "zscaler_zia.audit", rule.category, + data_stream.dataset == "zscaler_zia.dns", "dns_name", + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, 
entity.target.type, + data_stream.dataset == "zscaler_zia.audit", "general", + data_stream.dataset == "zscaler_zia.web", "service", + data_stream.dataset == "zscaler_zia.dns", "general", + data_stream.dataset == "zscaler_zia.endpoint_dlp", "general", + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "zscaler_zia.web" AND url.domain IS NOT NULL, url.domain, + null + ), + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset IN ("zscaler_zia.web", "zscaler_zia.firewall", "zscaler_zia.tunnel"), destination.ip, + null + ) +``` + +### Full pipeline fragment (optional) + +```esql +FROM logs-* +| EVAL + actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL OR user.domain IS NOT NULL + OR host.name IS NOT NULL OR host.ip IS NOT NULL, + target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL + OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL + OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL + OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL, + action_exists = event.action IS NOT NULL +| EVAL + user.id = CASE( + user.id IS NOT NULL, user.id, + data_stream.dataset IN ("zscaler_zia.audit", "zscaler_zia.web", "zscaler_zia.firewall", "zscaler_zia.dns", "zscaler_zia.endpoint_dlp"), user.email, + null + ), + host.ip = CASE( + host.ip IS NOT NULL, host.ip, + data_stream.dataset IN ("zscaler_zia.web", "zscaler_zia.dns", "zscaler_zia.firewall", "zscaler_zia.tunnel"), source.ip, + null + ), + event.action = CASE( + event.action IS NOT NULL, event.action, + data_stream.dataset == "zscaler_zia.dns" AND zscaler_zia.dns.request.action IS NOT NULL, TO_LOWER(zscaler_zia.dns.request.action), + data_stream.dataset == "zscaler_zia.tunnel" AND zscaler_zia.tunnel.action.type IS NOT NULL, TO_LOWER(REPLACE(zscaler_zia.tunnel.action.type, 
" ", "-")), + null + ), + service.target.name = CASE( + service.target.name IS NOT NULL, service.target.name, + data_stream.dataset == "zscaler_zia.audit" AND event.action IN ("sign_out", "activate"), "ZIA Admin Portal", + data_stream.dataset == "zscaler_zia.web", zscaler_zia.web.app.name, + data_stream.dataset == "zscaler_zia.alerts", zscaler_zia.alerts.log_feed_name, + data_stream.dataset IN ("zscaler_zia.dns", "zscaler_zia.firewall") AND network.application IS NOT NULL, network.application, + null + ), + entity.target.name = CASE( + entity.target.name IS NOT NULL, entity.target.name, + data_stream.dataset == "zscaler_zia.audit", rule.name, + data_stream.dataset == "zscaler_zia.dns", dns.question.name, + data_stream.dataset == "zscaler_zia.endpoint_dlp" AND zscaler_zia.endpoint_dlp.item.destination_name IS NOT NULL, zscaler_zia.endpoint_dlp.item.destination_name, + data_stream.dataset IN ("zscaler_zia.endpoint_dlp", "zscaler_zia.sandbox_report"), file.name, + null + ), + entity.target.sub_type = CASE( + entity.target.sub_type IS NOT NULL, entity.target.sub_type, + data_stream.dataset == "zscaler_zia.audit", rule.category, + data_stream.dataset == "zscaler_zia.dns", "dns_name", + null + ), + entity.target.type = CASE( + entity.target.type IS NOT NULL, entity.target.type, + data_stream.dataset == "zscaler_zia.audit", "general", + data_stream.dataset == "zscaler_zia.web", "service", + data_stream.dataset == "zscaler_zia.dns", "general", + data_stream.dataset == "zscaler_zia.endpoint_dlp", "general", + null + ), + host.target.name = CASE( + host.target.name IS NOT NULL, host.target.name, + data_stream.dataset == "zscaler_zia.web" AND url.domain IS NOT NULL, url.domain, + null + ), + host.target.ip = CASE( + host.target.ip IS NOT NULL, host.target.ip, + data_stream.dataset IN ("zscaler_zia.web", "zscaler_zia.firewall", "zscaler_zia.tunnel"), destination.ip, + null + ) +| KEEP @timestamp, data_stream.dataset, event.action, user.email, user.name, user.id, host.ip, 
entity.target.name, entity.target.sub_type, entity.target.type, service.target.name, host.target.name, host.target.ip, rule.category
+```
+
+### Streams excluded
+
+*(none fully excluded — `zscaler_zia.alerts` and `zscaler_zia.sandbox_report` have partial actor/action extraction only)*
+
+### Gaps and limitations
+
+- **Ingest-only actor columns** — `user.name`, `user.email`, `user.domain`, and `host.name` are set by dissect/ingest on all cited streams; no ES|QL `CASE` (Pass 4 #10 — omit identity no-ops). Only `user.id` ← `user.email` and `host.ip` ← `source.ip` have real fallbacks.
+- **Column-level preserve (§10)** — `actor_exists` / `target_exists` are query-time helpers only; mapped `CASE` uses ` IS NOT NULL` (5-arg preserve+fallback), not `CASE(actor_exists, user.id, user.email, null)` (4-arg — `user.email` parses as a **condition**, not a value).
+- **`zscaler_zia.alerts`** — no `event.action` or human actor; omit `connection-lost` literal (grok-only, medium confidence).
+- **`device.owner`** — `related.user` only; do not promote to `user.*` when owner differs from `login`.
+- **`destination.*` on DNS** — resolver IP is session context (`host.target.ip` optional); semantic target is `dns.question.name` (Pass 3).
+- **`rule.name` overload** — audit config resource vs traffic policy labels; guard with `data_stream.dataset`.
+- **`user.target.*`** — intentionally omitted; IAM admin events may need ingest mapping (`USER_MANAGEMENT`).
+- **`pre_action`/`post_action`** — unparsed JSON deltas; ingest enhancement before richer `entity.target.*`.
+- **Sandbox submitter** — no actor principal in fixtures; do not infer end user.
+- **DNS `TO_LOWER` on `REQ_ALLOW`** — yields `req_allow`; ingest should mirror audit/web gsub for consistency.
diff --git a/dev/domain/prompts/README.md b/dev/domain/prompts/README.md
new file mode 100644
index 00000000000..474dc0e0183
--- /dev/null
+++ b/dev/domain/prompts/README.md
@@ -0,0 +1,318 @@ +# Domain analysis prompts + +Reusable sub-agent prompts for building per-integration domain documents under `dev/domain/`. Each integration gets a markdown file describing what the vendor product is, what data the Elastic package collects, and what actor/target entities appear in its logs. + +## Workflow overview + +Analysis runs in **four sequential passes**. Each pass appends to the same markdown file. + +**Before Pass 2–4:** classify the package per [package-capability.md](package-capability.md) — **agent-backed** vs **assets-only** (dashboards/content, no `data_stream/`). Assets-only packages must not use fixture-grounded example workflows. + +``` +Integration list + │ + ▼ +┌──────────────────────┐ +│ Pass 1: Domain │ one sub-agent per integration +│ knowledge │ → creates dev/domain/p1/{integration}.md +└──────────┬───────────┘ + │ + ▼ +┌──────────────────────┐ +│ Pass 2: Actor / │ one sub-agent per integration +│ target / action │ → appends detailed audit entity analysis +└──────────┬───────────┘ + │ + ▼ +┌──────────────────────┐ +│ Pass 3: Event graph │ one sub-agent per integration +│ example │ → appends simple Actor → action → Target examples +└──────────┬───────────┘ + │ + ▼ +┌──────────────────────┐ +│ Pass 4: ES|QL entity │ one sub-agent per integration +│ extraction │ → appends EVAL/CASE actor + target mappings +└──────────┬───────────┘ + │ + ▼ + dev/domain/p1/{integration}.md +``` + +## Prompts + +| File | Pass | Action | +| --- | ---: | --- | +| [`domain-knowledge.md`](domain-knowledge.md) | 1 | **Create** the domain doc — product domain + data streams | +| [`actor-target-classification.md`](actor-target-classification.md) | 2 | **Append** audit entity analysis — actor / action / target + ECS mapping | +| [`event-graph-example.md`](event-graph-example.md) | 3 | **Append** 1–3 simple Actor → event.action → Target examples | +| [`esql-entity-mapping.md`](esql-entity-mapping.md) | 4 | **Append** ES\|QL `EVAL`/`CASE` actor + target 
field extraction | +| [`package-capability.md`](package-capability.md) | — | **Reference** — detect agent-backed vs assets-only; evidence tiers A/B/C | + +## How to run + +### 1. Choose integrations + +Provide a list of package names (must exist under `packages/`). Example batch: `wiz`, `aws_bedrock`, `fortinet_fortigate`. + +### 2. Set variables + +Substitute these in the prompt template before dispatching each sub-agent: + +| Variable | Value | +| --- | --- | +| `{integration}` | Package name, e.g. `wiz` | +| `{output_path}` | `dev/domain/p1/{integration}.md` | +| `{repo_root}` | Absolute path to this repo | + +### 3. Dispatch sub-agents + +- **One sub-agent per integration** — keeps context focused and limits token use. +- **Run Pass 1 for all integrations first**, then Pass 2, then Pass 3, then Pass 4. +- **Batch in parallel** (e.g. 8–10 at a time) when orchestrating from a parent agent. +- Sub-agents do **not** see the parent conversation — the prompt must be self-contained with all paths and instructions. +- Include the [scope guardrails](#scope-guardrails) in every prompt — sub-agents must not read other integrations' domain docs or packages unless explicitly allowed by the target package README. + +### 4. Review output + +Each completed file under `dev/domain/p1/` should contain: + +```markdown +# {integration} + +## Product Domain +… + +## Package capability +agent-backed | assets-only | assets-with-sibling + +## Data Collected (brief) +… + +## Expected Audit Log Entities +… +### Event action (semantic) +… +### Event action (ECS candidates) +… +### Actor (semantic) +… +### Actor (ECS candidates) +… +### Target (semantic) +… +### Target (ECS candidates) +… +### Gaps and mapping notes +… + +## Example Event Graph +… +### Example 1: … +… + +## ES|QL Entity Extraction +… +### Dataset inventory +… +### Combined ES|QL — actor fields +… +### Combined ES|QL — target fields +… +``` + +Pass 1 produces only the first two sections. 
Pass 2 appends audit entity analysis. Pass 3 appends readable graph examples. Pass 4 appends ES|QL extraction mappings. + +Pass 2 analyzes three pillars: + +| Pillar | Question | Key ECS field | +| --- | --- | --- | +| **Event action** | What happened? | `event.action` | +| **Actor** | Who initiated it? | `user.*`, `source.*`, vendor principal fields | +| **Target** | What was acted upon? | `*.target.*`, `destination.user.*`, `cloud.service.name`, vendor resource fields | + +If `event.action` is missing from fixtures (common — e.g. `azure_openai`), sub-agents must propose vendor-field **action candidates** rather than skipping action analysis. + +### Pass 3 — event graph example + +| Source | Purpose | +| --- | --- | +| `dev/domain/p1/{integration}.md` | Domain + Pass 2 context (optional) | +| `packages/{integration}/data_stream/*/sample_event.json` | Primary example source | +| `packages/{integration}/data_stream/*/_dev/test/pipeline/*-expected.json` | Additional representative events | + +Pass 3 produces **1–3 simple examples** with this entity shape: + +| Node | Fields | +| --- | --- | +| Actor / Target | `id`, `name` (optional), `type`, `sub_type` (optional), `geo` (optional), `ip` (optional) | +| Event action | `action`; if not in `event.action`, cite `source_field` + `source_value` | + +**Quality gate (mandatory):** Before finishing each example, apply the **common-sense graph test** — read the one-liner aloud. If it sounds wrong or tautological (e.g. “user logs in to themselves”), fix the target before moving on. See [`event-graph-example.md`](event-graph-example.md) Step 3 and Rule 4. + +See [`event-graph-example.md`](event-graph-example.md) for the full template. 
+ +### Pass 4 — ES|QL entity extraction + +| Source | Purpose | +| --- | --- | +| `dev/domain/p1/{integration}.md` | Pass 2 field inventory + Pass 3 target routing | +| `packages/{integration}/manifest.yml` | `data_stream.dataset` values per stream | +| `packages/{integration}/data_stream/*/sample_event.json` | Query-time field paths | +| `packages/{integration}/data_stream/*/_dev/test/pipeline/*-expected.json` | Golden documents | +| [ES\|QL EVAL](https://www.elastic.co/docs/reference/query-languages/esql/commands/eval) · [CASE](https://www.elastic.co/docs/reference/query-languages/esql/functions-operators/conditional-functions-and-expressions/case) | Syntax reference | + +Pass 4 produces **dataset-routed `CASE` mappings** into standard actor/target ECS columns: + +| Side | user | host | service | general | +| --- | --- | --- | --- | --- | +| **Actor** | `user.id`, `user.name`, `user.domain`, `user.email` | `host.id`, `host.ip`, `host.name` | `service.id`, `service.name`, `service.type`, `service.version` | `entity.id`, `entity.name`, `entity.type`, `entity.sub_type` | +| **Target** | `user.target.*` | `host.target.*` | `service.target.*` | `entity.target.*` | + +Primary router: `data_stream.dataset == "{integration}.{stream}"`. Apply Pass 3 semantics when auth events have self-referential vendor `entity` fields. + +**Pass 4 rules (v2):** + +- **Unscoped queries** — full pipeline fragments use `FROM logs-*` with **no** `WHERE data_stream.dataset`; every `CASE` fallback branch embeds `data_stream.dataset == "…"` (or `event.dataset` for assets-only). +- **Preserve existing** — column-level `CASE( IS NOT NULL, , …)`; define `actor_exists` / `target_exists` / `action_exists` as query helpers only (not first `CASE` branches on mapped columns). +- **Boolean casts** — wrap boolean-typed fields in `TO_BOOLEAN()` in conditions (e.g. `TO_BOOLEAN(citrix.cef_format) == true`); do not compare raw fields to `true`/`false` when mapping may be `keyword`. 
+- **Target namespace** — only `user.target.*`, `host.target.*`, `service.target.*`, `entity.target.*` (never `target.user.*` or `target.entity.type`). + +See [`esql-entity-mapping.md`](esql-entity-mapping.md) for the full template. + +## Scope guardrails + +Each sub-agent is scoped to **one integration only**: `{integration}`. Parent orchestrators must include these rules in every dispatched prompt. + +### Allowed reads + +| Source | Scope | +| --- | --- | +| `packages/{integration}/**` | Primary evidence — manifest, docs, data streams, pipelines, fixtures, dashboards | +| `{output_path}` | This integration's domain doc only (`dev/domain/p1/{integration}.md`) | +| `dev/target-fields-audit/out/*.csv` | Repo-wide audit scans — use the row for `{integration}` only | +| ECS field reference | External Elastic docs for field semantics | +| Web search | This **vendor product** only, when package docs are thin | + +### Forbidden reads + +- **Other integration domain docs** — do not read `dev/domain/p1/*.md` except `{output_path}`. Never use a peer doc (e.g. `suricata.md`, `snort.md`) as a template or reference. +- **Other integration packages** under `packages/` — except `{integration}` itself and **explicit sibling comparisons** named in the target package's README (e.g. classic `packages/aws/data_stream/vpcflow/` when analyzing `aws_vpcflow_otel`). When a sibling package is allowed, cite evidence from that **package path only** — not from another integration's domain doc. +- **Copying analysis across integrations** — do not reuse prose, table rows, or classifications from another integration's output, even when domains seem similar (network flows, IDS, OTel dashboard packages). + +### Why + +Similar integrations share entity patterns (5-tuple actors, no `user.*`, missing `event.action`) but differ in streams, vendor fields, and action semantics. Cross-reading domain docs causes template bleed and subtle factual errors. 
+ +## What sub-agents read + +### Pass 1 — domain knowledge + +| Source | Purpose | +| --- | --- | +| `packages/{integration}/manifest.yml` | Data streams, collection inputs | +| `packages/{integration}/docs/README.md` | Product description | +| Web search (optional) | Fill gaps when package docs are thin | + +### Pass 2 — actor / target classification + +| Source | Purpose | +| --- | --- | +| `dev/domain/p1/{integration}.md` | Domain context from Pass 1 | +| `packages/{integration}/data_stream/*/sample_event.json` | Indexed document shape | +| `packages/{integration}/data_stream/*/_dev/test/pipeline/*-expected.json` | Pipeline golden fixtures | +| `packages/{integration}/data_stream/*/elasticsearch/ingest_pipeline/*.yml` | Field mappings | +| `packages/{integration}/data_stream/*/fields/fields.yml` | Vendor `{integration}.*` field tree | +| `packages/{integration}/data_stream/*/fields/ecs.yml` | Declared ECS fields | +| [ECS field reference](https://www.elastic.co/docs/reference/ecs/ecs-field-reference) | Official field-set semantics | +| `dev/target-fields-audit/out/*.csv` | Prior audit scans (optional) | + +## Key principles (Pass 2) + +Pass 2 encodes lessons from integration review. Sub-agents must: + +1. **Inventory vendor and ECS fields separately** — `{integration}.*` often holds identity data that never maps to ECS. +2. **Verify mapping intent** — an ECS field in a document does not prove correct actor/target semantics; trace pipeline source → ECS destination. +3. **Check event action per stream** — verify `event.action` in fixtures; if absent, propose vendor operation fields as candidates (e.g. `azure.open_ai.operation_name`). +4. **Use layered targets** — platform service (`cloud.service.name`) → resource (`resource.*`, model ID) → content (prompt, email body). +5. **Check de-facto targets** — many packages store target user/host under `destination.user.*` / `destination.host.*` instead of `user.target.*` / `host.target.*`. +6. 
**Separate semantic classification from ECS mapping** — classify entities as user | host | service | general first, then map to fields. + +See [`actor-target-classification.md`](actor-target-classification.md) for the full rule set, ECS index, and anti-patterns. + +## Output tiers + +Documents are organized by priority tier under `dev/domain/`: + +| Tier | Path | Status | +| --- | --- | --- | +| P1 | `dev/domain/p1/` | First batch — 47 integrations analyzed | + +Add new tiers (`p2/`, etc.) as needed; point `{output_path}` at the appropriate folder. + +## Relationship to target-fields-audit + +Domain docs complement the deterministic scans in `dev/target-fields-audit/`: + +| Domain docs (this workflow) | Target-fields-audit | +| --- | --- | +| Qualitative — product context, semantic actor/target | Quantitative — grep/pipeline scans across all packages | +| Per-integration narrative + field evidence | CSV inventories (`target_fields_audit.csv`, `destination_identity_hits.csv`, …) | +| Enhancement candidates with rationale | Stakeholder matrix and tier classification | + +Pass 2 sub-agents should cross-reference target-fields-audit CSVs when available and note alignment or gaps. 
+ +## Re-running a pass + +| Scenario | Action | +| --- | --- | +| New integration | Run Pass 1, then Pass 2 | +| Pass 1 doc exists, need actor/target | Run Pass 2 only (appends section) | +| Improved Pass 2 prompt | Delete `## Expected Audit Log Entities` section from the doc, re-run Pass 2 | +| Pass 2 adds event action section | Re-run Pass 2 only (v3 prompt adds `### Event action` subsections) | +| Pass 3 graph only | Delete `## Example Event Graph` section, re-run Pass 3 | +| Pass 3 quality sweep | Re-run Pass 3 with **review/fix** mode — keep Pass 1/2; apply common-sense graph test to each example (see `event-graph-example.md` Step 3) | +| Pass 4 ES\|QL only | Delete `## ES\|QL Entity Extraction` section, re-run Pass 4 | +| Full refresh | Delete the doc, re-run all passes | + +## Example orchestrator command + +From a parent agent, for one integration: + +``` +Task (generalPurpose): + Use prompt from dev/domain/prompts/domain-knowledge.md + integration=aws_bedrock + output_path=dev/domain/p1/aws_bedrock.md + repo_root=/Users/peledkfir/Documents/elastic/integrations +``` + +Then, after Pass 1 completes: + +``` +Task (generalPurpose): + Use prompt from dev/domain/prompts/actor-target-classification.md + integration=aws_bedrock + output_path=dev/domain/p1/aws_bedrock.md + repo_root=/Users/peledkfir/Documents/elastic/integrations +``` + +Then, after Pass 2 completes: + +``` +Task (generalPurpose): + Use prompt from dev/domain/prompts/event-graph-example.md + integration=citrix_waf + output_path=dev/domain/p1/citrix_waf.md + repo_root=/Users/peledkfir/Documents/elastic/integrations +``` + +Then, after Pass 3 completes: + +``` +Task (generalPurpose): + Use prompt from dev/domain/prompts/esql-entity-mapping.md + integration=slack + output_path=dev/domain/p1/slack.md + repo_root=/Users/peledkfir/Documents/elastic/integrations +``` 
diff --git a/dev/domain/prompts/actor-target-classification.md b/dev/domain/prompts/actor-target-classification.md
new file mode 100644
index 00000000000..3f6a5ae0dcf
--- /dev/null
+++ b/dev/domain/prompts/actor-target-classification.md
@@ -0,0 +1,403 @@
+# Sub-agent prompt: Actor and target classification
+
+Use this prompt when dispatching a sub-agent to append audit-log entity analysis to an existing domain document.
+
+## Variables
+
+| Variable | Description | Example |
+| --- | --- | --- |
+| `{integration}` | Package name under `packages/` | `wiz` |
+| `{output_path}` | Path to the existing domain markdown file | `dev/domain/p1/wiz.md` |
+| `{repo_root}` | Absolute path to the integrations repo | `/Users/.../integrations` |
+
+## Scope guardrails
+
+Each sub-agent analyzes **`{integration}` only**. Do not broaden scope to "similar" integrations.
+
+**Allowed reads:**
+
+- `packages/{integration}/**`
+- `{output_path}` (this integration's domain doc — the only file under `dev/domain/p1/` you may read)
+- `dev/target-fields-audit/out/*.csv` (row for `{integration}` only)
+- ECS field reference (external)
+- Sibling packages **only when** the target package README explicitly references them for comparison (e.g. `packages/aws/data_stream/vpcflow/` for `aws_vpcflow_otel`) — cite sibling **package** paths, not peer domain docs
+
+**Forbidden:**
+
+- Any other `dev/domain/p1/*.md` file — do not read or copy from peer domain docs (e.g. `suricata.md` when working on `aws_vpcflow_otel`)
+- Any other `packages/*/` directory unless named in the target package README as a comparison source
+- Reusing prose, tables, or classifications from another integration's analysis
+
+Ground every claim in `{integration}` package evidence. Similar domains (network flows, IDS, OTel dashboards) still require independent analysis per integration.
+
+## Package capability (mandatory check)
+
+Read [package-capability.md](package-capability.md) before Step 1.
+ +| Package type | Evidence allowed | Fixture claims | +| --- | --- | --- | +| **Agent-backed** | Tier A (fixtures, pipelines) + Tier B (dashboards if present) | yes | +| **Assets-only** | Tier B (dashboard ES\|QL, filter literals) + Tier C (external templates) only | **no** — mark `unverifiable in package` for pipeline/mapping | +| **Assets-with-sibling** | Tier B + sibling `packages/…/data_stream/` fixtures **only when README names sibling** | sibling fixtures cited with path; not this package's fixtures | + +If **assets-only**: do not write Pass 2 as if `sample_event.json` exists. Add an intro sentence under **Expected Audit Log Entities** stating evidence tier. In ECS candidates tables, use **Evidence tier** column (`A` / `B` / `C`) instead of implying fixture proof. + +## ECS reference index + +Use ECS docs for **field semantics and intended meaning** — not as proof that this integration maps them correctly. + +| Resource | URL | +| --- | --- | +| **ECS field reference** (index — start here) | [elastic.co/docs/reference/ecs/ecs-field-reference](https://www.elastic.co/docs/reference/ecs/ecs-field-reference) | +| Generated field CSV (all fields, single file) | [github.com/elastic/ecs/blob/main/generated/csv/fields.csv](https://github.com/elastic/ecs/blob/main/generated/csv/fields.csv) | +| User | [ecs-user](https://www.elastic.co/docs/reference/ecs/ecs-user) | +| Host | [ecs-host](https://www.elastic.co/docs/reference/ecs/ecs-host) | +| Service | [ecs-service](https://www.elastic.co/docs/reference/ecs/ecs-service) | +| Cloud | [ecs-cloud](https://www.elastic.co/docs/reference/ecs/ecs-cloud) | +| Entity | [ecs-entity](https://www.elastic.co/docs/reference/ecs/ecs-entity) | +| Entity Reference | [ecs-entity_reference](https://www.elastic.co/docs/reference/ecs/ecs-entity_reference) | +| Client / Source / Destination | [ecs-client](https://www.elastic.co/docs/reference/ecs/ecs-client) · [ecs-source](https://www.elastic.co/docs/reference/ecs/ecs-source) · 
[ecs-destination](https://www.elastic.co/docs/reference/ecs/ecs-destination) | +| Event | [ecs-event](https://www.elastic.co/docs/reference/ecs/ecs-event) | +| Related | [ecs-related](https://www.elastic.co/docs/reference/ecs/ecs-related) | +| Gen AI | [ecs-gen_ai](https://www.elastic.co/docs/reference/ecs/ecs-gen_ai) | + +When a field's purpose is unclear, look up its field set in the index above (ECS 9.4.0). Prefer Elastic Docs MCP (`search_docs`) or `get_document_by_url` for specific field definitions. + +## Key principles + +### Vendor namespace vs ECS + +Each integration defines **custom fields** under `{integration}.*` (e.g. `wiz.audit.*`, `aws_bedrock.invocation.*`). These often hold the richest actor/target identity from the vendor API. Many are **not mapped to ECS** — they remain vendor-namespaced even after ingest. + +Always inventory **both**: +- **ECS fields** present in `sample_event.json` / pipeline output (`user.*`, `host.*`, `*.target.*`, …) +- **Vendor fields** under `{integration}.*` in `fields/fields.yml` and pipeline output + +Do not assume that because ECS defines a field, this integration populates it correctly — or at all. + +### Verify mapping intent (do not take ECS for granted) + +An ECS field appearing in a document does **not** mean the mapping is semantically correct. For every ECS field cited as actor or target evidence, cross-check: + +1. **Pipeline source** — Which vendor field was renamed/copied/set into the ECS field? Read the ingest pipeline step. +2. **Semantic fit** — Does the source field actually represent an actor or target per ECS field-set definitions (see index above)? +3. **Fixture proof** — Do `sample_event.json` and `*-expected.json` show the ECS field populated with the expected entity type? +4. **Known mis-mappings** — Flag cases where ECS fields conflate actor and target (e.g. 
`user.email` parsed from "For user …" text describing the affected user, not the admin actor), or where only `related.user` is populated but not `user.*`. + +Record mapping quality in the ECS candidates tables using **Mapping correct?** (`yes` | `partial` | `no` | `n/a`) with a one-line rationale when not `yes`. + +### Destination identity as de-facto target + +Many integrations map the **target user or host** to `destination.user.*` or `destination.host.*` / `destination.hostname` — **not** to the official ECS target entity fields (`user.target.*`, `host.target.*`). + +This is a common real-world pattern even though [ECS Destination](https://www.elastic.co/docs/reference/ecs/ecs-destination) primarily describes the destination side of a **network connection**. Integrations often reuse it for audit semantics: + +| Field | Typical audit meaning (when used as target) | Example integrations | +| --- | --- | --- | +| `destination.user.name` / `.email` / `.id` | User acted upon — recipient, local account, login target | `checkpoint_email`, `fortinet_fortigate`, `o365`, `ping_federate` | +| `destination.host.*` / `destination.hostname` | Host/system acted upon — session target, remote endpoint | `beyondtrust_pra`, `claroty_ctd` | +| `destination.ip` / `destination.domain` | May be network peer **or** target service endpoint — context-dependent | firewalls, proxies, IDS | + +**Do not ignore these fields** because `*.target.*` is empty. Treat them as **de-facto target candidates** and assess: + +1. **Target vs network context** — Is `destination.user.email` the mail recipient (target) or just the far-end of a flow? Read pipeline source + event type. +2. **Official ECS target gap** — If semantically a target but stored under `destination.*`, mark **Enhancement candidate?** yes for `user.target.*` / `host.target.*` migration. +3. **Mapping correct?** — `destination.user.*` populated from vendor "dstuser" / "recipient" → likely intentional de-facto target. 
Populated from pure flow 5-tuple → network context only (`partial` or `n/a` for audit target). + +**Pass 4 ES|QL note:** De-facto `destination.user.*` / `destination.host.*` map to **`user.target.*` / `host.target.*`** in query-time enrichment — never to `target.user.*` (invalid namespace). + +Repo-wide evidence: `dev/target-fields-audit/out/destination_identity_hits.csv` (~29 packages use `destination.user` in pipelines). Check if `{integration}` appears there. + +### Event action (`event.action`) + +Actor and target answer **who** and **what**; `event.action` answers **what happened** — the verb or operation performed. Per [ECS Event](https://www.elastic.co/docs/reference/ecs/ecs-event), `event.action` records the action taken (e.g. `login`, `InvokeModel`, `user-created`). + +**Do not assume integrations populate `event.action`.** Many packages leave it empty even when vendor logs contain a clear operation name elsewhere. + +For each audit-like or audit-adjacent stream, check fixtures first: + +1. **Is `event.action` populated?** — Search `sample_event.json`, `*-expected.json`, and pipeline `set`/`rename` to `event.action`. +2. **If yes** — Trace pipeline source; assess **Mapping correct?** (same rigor as actor/target). +3. **If no** — Propose **action candidates**: vendor or ECS fields that *should* map to `event.action`, with confidence and per-stream notes. + +Common candidate sources (integration-dependent): + +| Candidate source | Examples | +| --- | --- | +| Vendor operation / action field | `azure.open_ai.operation_name`, `aws_bedrock.invocation.operation`, `wiz.audit.action` | +| HTTP method + path | `http.request.method` + `url.path` (when the API call *is* the action) | +| Admin / audit event type | `event.type`, vendor `action`, `event_type`, `operationName` | +| Cloud audit API name | CloudTrail `eventName`, GCP audit `methodName`, Azure `operationName` | +| Normalized `event.category` + vendor detail | e.g. 
category `authentication` + vendor login action | + +Rules for action candidates: + +- Prefer **vendor-native operation names** already in fixtures over inferred labels. +- Distinguish **API operation** (InvokeModel, ListKey) from **security event** (login, policy-update) — both are valid `event.action` values depending on stream. +- Metrics streams (`event.kind: metric`) typically have **no per-event action** — say so explicitly. +- If multiple candidate fields exist per stream, list all with a recommended primary mapping. +- Mark **Enhancement candidate?** yes when a vendor field clearly names the action but is not copied to `event.action`. + +Example gap: `azure_openai` — fixtures have `azure.open_ai.operation_name` (`ListKey`, `ChatCompletions_Create`) but **no** `event.action` in samples or pipeline. + +## Prompt template + +``` +Update {repo_root}/{output_path} by APPENDING a new section (do not remove existing content). + +Task: For the Elastic integration "{integration}", analyze what actor and target entities appear in audit and audit-adjacent logs, and what **event action** (`event.action`) is recorded or should be recorded. Produce semantic classifications (user | host | service | general) and ECS field mapping candidates grounded in package evidence. + +--- + +## Step 1 — Read sources (mandatory) + +Scope: **{integration} only**. Do not read other `dev/domain/p1/*.md` files or other `packages/*/` directories except as allowed in Scope guardrails above. + +**First:** classify package type per [package-capability.md](package-capability.md). + +1. {repo_root}/{output_path} — existing domain doc from the domain-knowledge pass (this file only) +2. packages/{integration}/ — manifest.yml, docs/README.md +3. **If agent-backed:** packages/{integration}/data_stream/*/sample_event.json, *-expected.json, ingest pipelines, fields.yml +4. 
**If assets-only:** packages/{integration}/kibana/dashboard/*.json, kibana/search/*.json, _dev/shared/kibana/*.yaml — extract field names and filter literals from ES|QL only; **do not** treat dashboard JSON as event fixtures
+5. If present: dev/target-fields-audit/out/*.csv — row for this package
+6. ECS field reference — https://www.elastic.co/docs/reference/ecs/ecs-field-reference
+7. Sibling package paths **only if** README explicitly references them (assets-with-sibling)
+8. Web / external vendor templates only when in-repo evidence is Tier B/C
+
+---
+
+## Step 2 — Field inventory (mandatory before writing)
+
+Scan pipelines, fields.yml, sample_event.json, and test fixtures. Record every hit with the source file that proves it.
+
+### ECS field families
+
+| Family | Fields to look for |
+| --- | --- |
+| Actor identity | `user.*`, `client.user.*`, `source.ip`, `source.address` |
+| Host identity | `host.*`, `device.*`, `source.ip` (when endpoint) |
+| Service identity | `service.name`, `service.id`, `service.type`, `cloud.service.name` |
+| Cloud resource | `cloud.provider`, `cloud.account.id`, `cloud.region`, `resource.id`, `resource.name`, `resource.type` |
+| ECS target fields | `user.target.*`, `host.target.*`, `service.target.*`, `entity.target.*` |
+| Destination identity (de-facto target) | `destination.user.*`, `destination.host.*`, `destination.hostname` — often used **instead of** `*.target.*` |
+| Network endpoints (context vs target) | `source.*`, `destination.ip`, `destination.domain`, `destination.port` — verify whether peer or audit target |
+| Related / enrichment | `related.user`, `related.hosts`, `related.ip`, `gen_ai.*` |
+| Event action | `event.action`, `event.type`, `event.category`, `event.outcome`; vendor operation/action/event_type fields |
+
+### Vendor namespace (`{integration}.*`)
+
+| Family | Fields to look for |
+| --- | --- |
+| All vendor fields | `{integration}.*` in fields.yml — full tree per data stream |
+| Actor / 
principal | vendor paths for user, caller, principal, issuer, admin, identity, session |
+| Target / object | vendor paths containing `target`, `resource`, `entity`, `object`, `affected`, `destination` |
+| Action / operation | vendor paths for action, operation, event_type, activity, api_method, eventName, methodName |
+| Unmapped identity | vendor fields that *should* map to ECS but do not (pipeline keeps them vendor-only) |
+
+For each field found (ECS or vendor), answer before classifying:
+- **Actor or target?** — Who initiated the action vs what was acted upon. Do not list cloud scope or invoked-service fields under Actor unless they identify the caller.
+- **Mapped today?** — ECS field populated in fixtures (yes/no). Vendor-only counts as no ECS mapping.
+- **Mapping correct?** — If mapped to ECS: does the pipeline source field semantically match the ECS field's intended meaning? (yes/partial/no/n/a)
+- **ECS target bucket** — If target: which bucket would it map to (`user.target.*`, `host.target.*`, `service.target.*`, `entity.target.*`, or context-only)?
+- **De-facto target?** — If under `destination.user.*` / `destination.host.*`: is this the audit target (yes/no/context-only)? Should it migrate to `*.target.*`?
+- **Event action?** — Does this field name the operation performed? Could it map to `event.action`?
+
+---
+
+## Step 2b — Event action check (mandatory)
+
+For **each data stream**, answer:
+
+| Stream | `event.action` in fixtures? | Pipeline maps to `event.action`? | Primary action candidate | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+
+- Search all `sample_event.json` and `*-expected.json` for `"event.action"` or `"action"` under `event`.
+- Grep ingest pipelines for `event.action` (set, rename, copy_from).
+- When `event.action` is **absent**, propose the best vendor field(s) to populate it — cite fixture values (e.g. `operation_name: ListKey`). 
+- When `event.action` is **present**, trace source and assess mapping quality.
+- Metrics / inventory streams: note "no per-event action" if applicable.
+
+---
+
+## Step 3 — Append this section format
+
+## Expected Audit Log Entities
+
+Brief intro covering:
+- Which streams are true audit logs vs audit-adjacent (findings, metrics, network telemetry, inventory sync)
+- Whether the integration has audit logs at all
+- Whether existing ECS `*.target.*` fields are populated (check target-fields-audit if available)
+- Whether `event.action` is populated per stream, or which vendor fields are action candidates
+
+### Event action (semantic)
+
+What operation or activity does each stream record?
+
+| Action (normalized label) | Classification | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- |
+
+- Use vendor fixture values where possible (e.g. `ListKey`, `ChatCompletions_Create`, `login`)
+- Classification describes action *type* if useful: authentication, administration, api_call, data_access, configuration_change, detection, etc.
+- If the stream has no meaningful per-event action (metrics, inventory sync), say so in prose
+
+### Event action (ECS candidates)
+
+| ECS / vendor field | Mapped to `event.action` today? | Mapping correct? | Recommended `event.action` value (from fixtures) | Enhancement candidate? 
| Evidence |
+| --- | --- | --- | --- | --- | --- |
+
+- When `event.action` is **missing** from fixtures, this table is the primary output — list vendor candidates and suggested mapping
+- Prefer single vendor field per stream as primary candidate; note alternates if ambiguous
+- Include pipeline line reference when pipeline maps (or fails to map) the candidate
+
+### Actor (semantic)
+
+For each distinct actor pattern:
+
+| Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- |
+
+- **Classification** must be one of: `user`, `host`, `service`, `general`
+- If no actor exists for a stream, say so in prose — do not use "none" or "cloud" as a classification value
+- Distinguish security principals from homonyms: chat message role "user", DHCP client (→ host), service account (→ user or service depending on context)
+
+### Actor (ECS candidates)
+
+| ECS / vendor field | Role | Mapped today? | Mapping correct? | Confidence | Evidence |
+| --- | --- | --- | --- | --- | --- |
+
+List fields that identify or enrich the actor. Include `{integration}.*` vendor fields — especially those **not** mapped to ECS. When an ECS field is cited, trace it back to the pipeline source and assess whether the mapping is intentional and correct.
+
+### Target (semantic)
+
+Targets are often layered — document all applicable layers, not just the most granular:
+
+| Layer | Description | Entity | Classification | Entity type (if general) | Confidence | Evidence | Per-stream notes |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+| 1 — Platform / cloud service | The cloud API or SaaS product invoked | e.g. Amazon Bedrock, Azure OpenAI | service | — | | | |
+| 2 — Resource / object | The specific resource acted upon | e.g. foundation model, user account, VM | varies | | | | |
+| 3 — Content / artifact | Payload, message, file, or request instance | e.g. 
prompt, email, invocation ID | general | ai_content, api_request, … | | | |
+
+- Not every integration has all three layers — omit rows that do not apply
+- Layer 1 is commonly missed; always check whether `cloud.service.name` or equivalent identifies the invoked platform service
+
+### Target (ECS candidates)
+
+| ECS / vendor field | Layer | Classification | Mapped today? | Mapping correct? | ECS target bucket | Enhancement candidate? | Evidence |
+| --- | --- | --- | --- | --- | --- | --- | --- |
+
+Rules for this table:
+- If the pipeline sets `cloud.service.name`, always evaluate it as a Layer 1 target service candidate
+- If the pipeline sets `destination.user.*` or `destination.host.*`, evaluate as a **de-facto target** candidate — cite whether it represents the acted-upon user/host vs network/session context
+- Distinguish **context fields** (`cloud.service.name`, `cloud.account.id`, flow `destination.ip`) from **explicit target fields** (`service.target.entity.id`, de-facto `destination.user.*`)
+- Mark **Enhancement candidate?** yes when a vendor, `destination.*`, or context field semantically represents a target but is not in `*.target.*` today
+- Include all relevant `{integration}.*` paths — mapped or not
+- When **Mapping correct?** is `partial` or `no`, explain in Gaps and mapping notes below
+
+### Gaps and mapping notes
+
+Short bullet list covering:
+- Vendor `{integration}.*` fields that represent actor/target but lack ECS mapping (best source of truth for enhancement)
+- `destination.user.*` / `destination.host.*` used as de-facto targets — note intended entity and whether `*.target.*` migration applies
+- ECS fields populated but semantically wrong or ambiguous (cite pipeline step + why)
+- Fields where actor and target identity are conflated in the same ECS field
+- Alignment or tension with target-fields-audit classification for this package (if CSV row exists)
+- **`event.action` gaps** — vendor operation fields present but not mapped; 
recommended primary candidate per stream
+
+Optional: ### Per-stream notes — short subsections for streams with distinct semantics (include action semantics where relevant).
+
+---
+
+## Classification rules
+
+1. **Semantic vs ECS are separate steps.** First decide what the entity is; then identify which ECS/vendor field represents it.
+2. **Vendor namespace first for truth.** `{integration}.*` fields often contain the canonical vendor actor/target identity. ECS fields are the *normalized view* — verify they reflect that identity correctly.
+3. **Do not take ECS for granted.** Presence of an ECS field ≠ correct mapping. Always trace pipeline source → ECS destination and compare against ECS field-set definitions in the reference index.
+4. **Check de-facto targets under `destination.*`.** Many integrations store target user/host identity in `destination.user.*` or `destination.host.*` rather than `user.target.*` / `host.target.*`. Inventory these explicitly; do not report "no target user field" when `destination.user.email` is populated.
+5. **Actor vs target.** Caller/principal/session → actor. Object/resource/content acted upon → target. Cloud tenancy (`cloud.account.id`, `cloud.region`) is scope context, not an actor. The invoked cloud service (`cloud.service.name`) is typically a **target**, not an actor. Flow `destination.ip` may be network peer or target endpoint — verify per event type.
+6. **Allowed classifications:** `user`, `host`, `service`, `general` only. Use prose for "no actor/target" cases.
+7. **Use `general` sparingly** — prefer user/host/service when they fit with high probability; always specify entity type when general.
+8. **Target layering for cloud/SaaS/API integrations.** Expect Layer 1 (platform service) + Layer 2 (resource) at minimum. Example: Bedrock invocation → Layer 1: `cloud.service.name: bedrock`; Layer 2: `gen_ai.request.model.id`.
+9. **Ground claims in fixtures.** Cite sample_event.json, *-expected.json, and pipeline YAML. 
Do not speculate beyond what evidence supports.
+10. **Metrics streams.** Dimensions (model ID, guardrail ARN) are aggregation targets, not per-request audit targets. Note absence of caller identity.
+11. **Inventory / entity-analytics packages.** These sync asset state, not audit events. State explicitly that actor/target audit semantics do not apply; describe inventory subject fields instead under ECS candidates if useful.
+12. **Event action is mandatory.** Always check `event.action` in fixtures and pipelines per stream. Absence is a gap — propose vendor-field candidates rather than leaving action undocumented.
+13. **Action vs actor vs target.** `event.action` is the verb (what happened). Actor is who did it. Target is what it was done to. Do not substitute `event.type` or `event.category` for `event.action` without noting the distinction.
+
+---
+
+## Cloud / SaaS integration addendum
+
+Apply when the package sets `cloud.provider`, `cloud.service.name`, `azure.*`, `aws.*`, or `gcp.*`:
+
+- **Invoked service** (what API was called) → usually Layer 1 target → check `cloud.service.name`, `event.action`, `service.name`
+- **Resource within service** (model, bucket, function, policy) → Layer 2 → check `resource.*`, vendor IDs, ARNs
+- **Caller principal** (who called the API) → actor → check `user.id`, `identity.arn`, `client.user.*`, assumed-role ARNs
+- Do not collapse these into a single target row
+
+---
+
+## Anti-patterns (do not do)
+
+- Do not put `cloud.service.name` under Actor unless it identifies the caller
+- Do not use "cloud", "account", or "none" as a classification value
+- Do not conflate chat/LLM message role "user" with IAM/security principal "user"
+- Do not treat Elastic Agent / collector credentials as the event actor
+- Do not list only the most granular target and skip the platform service layer
+- Do not ignore statically-set pipeline fields (e.g. 
`set: cloud.service.name: bedrock`) in favor of dynamic fields only
+- Do not cite an ECS field as evidence without checking the pipeline step that produced it
+- Do not ignore `{integration}.*` vendor fields just because ECS fields exist — the vendor namespace is often more complete or more accurate
+- Do not assume `{integration}.*` fields are mapped to ECS — most packages retain significant vendor-only identity data
+- Do not report missing target user/host fields without first checking `destination.user.*` and `destination.host.*`
+- Do not treat all `destination.*` fields as network peers — in audit/email/auth events they often hold the acted-upon entity
+- Do not assume `event.action` is populated — verify fixtures; if missing, document action candidates
+- Do not omit action analysis for streams that have vendor `operation`, `action`, or `event_type` fields
+- Do not read other integrations' domain docs or packages to "find a similar example" — analyze `{integration}` evidence only
+- Do not claim fixture proof for **assets-only** packages — dashboard filter literals are not sample events
+- Do not invent `data_stream.dataset` values from manifest when package has no `policy_templates`
+
+---
+
+Return the file path when done. 
+```
+
+## Example invocation
+
+Integration: `azure_openai`
+Output: `dev/domain/p1/azure_openai.md`
+
+Expected highlights in output:
+- **Event action:** `event.action` absent in all fixtures; candidates `azure.open_ai.operation_name` (`ListKey`, `ChatCompletions_Create`) and `properties.operation_id` — enhancement candidate
+- Actor: Entra object ID on Audit; API client IP on GatewayLogs → `source.ip`
+- Target Layer 1: Cognitive Services / APIM → `azure.resource.provider`; no `cloud.service.name`
+- Target Layer 2: model deployment → `properties.model_deployment_name`
+
+Integration: `aws_bedrock`
+Output: `dev/domain/p1/aws_bedrock.md`
+
+Expected highlights:
+- **Event action:** `event.action` ← `aws_bedrock.invocation.operation` (`InvokeModel`, `Converse`) on invocation stream
+- Actor: IAM user / assumed-role → `user.id` ← `identity.arn`
+- Target Layer 1: `cloud.service.name: bedrock`
+
+## Notes for orchestrator
+
+- **Append only** — never overwrite the Product Domain section from the first pass.
+- Sub-agents should read **all** data streams, not just streams named "audit".
+- **Assets-only** packages (e.g. `corelight`, `aws_vpcflow_otel`): follow [package-capability.md](package-capability.md); Tier B evidence only; never cite dashboard JSON as `sample_event.json`.
+- One sub-agent per integration keeps context focused and token use low.
+- Sub-agents do not see the full conversation — include all paths, the integration name, and [Scope guardrails](#scope-guardrails) in the prompt.
+- Do not suggest peer domain docs as references — e.g. do not tell the `aws_vpcflow_otel` agent to read `suricata.md`. 
+
+## Related artifacts
+
+| Artifact | Use |
+| --- | --- |
+| [ECS field reference](https://www.elastic.co/docs/reference/ecs/ecs-field-reference) | Official field-set definitions and semantics (ECS 9.4.0) |
+| `packages/{integration}/data_stream/*/fields/fields.yml` | Vendor `{integration}.*` field tree |
+| `packages/{integration}/data_stream/*/fields/ecs.yml` | ECS fields declared for this data stream |
+| `dev/target-fields-audit/VENDOR_TARGET_ANALYSIS_PLAN.md` | Actor vs target triage workflow and ECS bucket selection |
+| `dev/target-fields-audit/out/target_enhancement_packages.csv` | Prior actor/target heuristic per package |
+| `dev/target-fields-audit/out/target_fields_audit.csv` | Already-mapped ECS `*.target.*` fields |
+| `dev/target-fields-audit/out/vendor_target_special_cases.csv` | Vendor `*target*` field paths |
+| `dev/target-fields-audit/out/destination_identity_hits.csv` | Packages using `destination.user` / `destination.host` in pipelines |
+| `dev/target-fields-audit/out/destination_identity_review.md` | Review checklist for destination-as-target vs network context |
diff --git a/dev/domain/prompts/domain-knowledge.md b/dev/domain/prompts/domain-knowledge.md
new file mode 100644
index 00000000000..69691d287e7
--- /dev/null
+++ b/dev/domain/prompts/domain-knowledge.md
@@ -0,0 +1,82 @@
+# Sub-agent prompt: Domain knowledge
+
+Use this prompt when dispatching a sub-agent to create the initial product domain document for an Elastic integration.
+
+## Variables
+
+| Variable | Description | Example |
+| --- | --- | --- |
+| `{integration}` | Package name under `packages/` | `wiz` |
+| `{output_path}` | Path to the markdown file to create | `dev/domain/p1/wiz.md` |
+| `{repo_root}` | Absolute path to the integrations repo | `/Users/.../integrations` |
+
+## Scope guardrails
+
+Each sub-agent analyzes **`{integration}` only**.
+
+**Allowed reads:** `packages/{integration}/**`, web search for this vendor product when package docs are thin.
+
+**Forbidden:** other `dev/domain/p1/*.md` files, other `packages/*/` directories, copying prose from another integration's domain doc.
+
+## Package capability (mandatory check)
+
+Read [package-capability.md](package-capability.md). Before writing **Data Collected**:
+
+1. Check whether `packages/{integration}/data_stream/` exists and `manifest.yml` has `policy_templates`.
+2. If **no** — this is **assets-only** (dashboards/content). Do not list Elastic Agent data streams.
+
+## Prompt template
+
+```
+Create a markdown file describing the product domain for the Elastic integration "{integration}".
+
+Steps:
+1. Read packages/{integration}/ only — manifest.yml, docs/README.md, and any other relevant markdown at {repo_root}/packages/{integration}/. Do not read other integrations' domain docs or packages.
+2. Optionally use web search to understand the vendor product domain if package docs are thin.
+3. Write file: {repo_root}/{output_path}
+
+Format:
+
+# {integration}
+
+## Product Domain
+
+Write 2–4 paragraphs covering:
+- What the vendor product is and its primary domain/category (e.g. 
CNAPP, NGFW, IAM, MDM)
+- Key capabilities and typical deployment context
+- How security / platform / IT teams use it
+- How the Elastic integration fits (high level)
+
+## Package capability
+
+One line: **agent-backed** | **assets-only** | **assets-with-sibling** (see package-capability.md).
+
+## Data Collected (brief)
+
+**If agent-backed** (`policy_templates` + `data_stream/` present):
+- List each data stream from manifest with a one-line description
+- Note collection method (API, syslog, S3, Event Hub, etc.)
+
+**If assets-only** (no `data_stream/`, no `policy_templates`):
+- State explicitly: **This package provides Kibana assets only — no Elastic Agent data streams or ingest pipelines in-repo.**
+- List bundled dashboards / saved searches and expected customer index patterns (e.g. `logs-corelight-*`, `data_stream.dataset` / `event.dataset` values from dashboard ES|QL if documented)
+- Describe how data reaches Elasticsearch per package README (external export, OTel, etc.)
+- Do **not** invent `data_stream.*` entries that are not defined in this package's manifest
+
+Rules:
+- Keep it factual and concise
+- Ground descriptions in package docs; use web search only to fill gaps
+- Do not invent data streams that are not in the package
+- Return the file path when done
+```
+
+## Example invocation
+
+Integration: `qualys_vmdr`
+Output: `dev/domain/p1/qualys_vmdr.md`
+
+## Notes
+
+- One sub-agent per integration keeps context focused and token use low.
+- Sub-agents do not see the full conversation — include all paths, the integration name, and [Scope guardrails](#scope-guardrails) in the prompt.
+- This pass creates the file from scratch; the actor/target pass appends to it later.
diff --git a/dev/domain/prompts/esql-entity-mapping.md b/dev/domain/prompts/esql-entity-mapping.md
new file mode 100644
index 00000000000..ce2a63f52b6
--- /dev/null
+++ b/dev/domain/prompts/esql-entity-mapping.md
@@ -0,0 +1,436 @@
+# Sub-agent prompt: ES|QL entity extraction mapping
+
+Use this prompt when dispatching a sub-agent to append **ES|QL `EVAL` / `CASE` mappings** that normalize actor and target identity fields across an integration's data streams.
+
+Pass 2 inventories which fields exist and what they mean. Pass 3 shows coherent Actor → action → Target examples. **Pass 4 turns that into query-time extraction** so a single ES|QL pipeline can populate standard ECS entity columns from heterogeneous integration documents.
+
+## Variables
+
+| Variable | Description | Example |
+| --- | --- | --- |
+| `{integration}` | Package name under `packages/` | `slack` |
+| `{output_path}` | Path to the existing domain markdown file | `dev/domain/p1/slack.md` |
+| `{repo_root}` | Absolute path to the integrations repo | `/Users/.../integrations` |
+
+## Scope guardrails
+
+Each sub-agent analyzes **`{integration}` only**.
+
+**Allowed reads:** `packages/{integration}/**`, `{output_path}` (only this file under `dev/domain/p1/`), sibling packages only when named in the target package README.
+
+**Forbidden:** other `dev/domain/p1/*.md` files, other `packages/*/` directories (unless README allows), copying ESQL from peer integrations.
+
+Ground every source field in `{integration}` fixtures, pipelines, or Pass 2/3 evidence for this integration.
+
+## Package capability (mandatory check)
+
+Read [package-capability.md](package-capability.md) before Step 1. 
+
+| Package type | Pass 4 behavior |
+| --- | --- |
+| **Agent-backed** | Full section: `data_stream.dataset` from manifest + Tier A fixture fields |
+| **Assets-only** | Router on `event.dataset` / index pattern per **dashboard ES|QL** (Tier B); intro states **no package fixtures**; confidence capped at medium/low; optional reduced section |
+| **Assets-with-sibling** | May cite sibling package fixture field paths when README allows; label **sibling evidence** |
+
+**Assets-only:** do not claim `data_stream.dataset` values from this integration's manifest. Do not present `CASE` mappings as package-verified when only dashboard field references exist.
+
+## ES|QL reference
+
+| Resource | URL |
+| --- | --- |
+| **EVAL command** | [elastic.co/docs/reference/query-languages/esql/commands/eval](https://www.elastic.co/docs/reference/query-languages/esql/commands/eval) |
+| **CASE function** | [elastic.co/docs/reference/query-languages/esql/functions-operators/conditional-functions-and-expressions/case](https://www.elastic.co/docs/reference/query-languages/esql/functions-operators/conditional-functions-and-expressions/case) |
+| **ECS field reference** | [elastic.co/docs/reference/ecs/ecs-field-reference](https://www.elastic.co/docs/reference/ecs/ecs-field-reference) |
+
+Syntax reminders:
+
+- `EVAL` appends or replaces columns: `| EVAL col = expression`
+- `CASE(condition1, value1, condition2, value2, …, elseValue)` — **pairs** of boolean **condition** + return value; first true condition wins ([CASE docs](https://www.elastic.co/docs/reference/query-languages/esql/functions-operators/conditional-functions-and-expressions/case))
+- **Odd** argument count → last argument is **default** (`elseValue`) when no condition matches
+- **Even** argument count → no default; result is `null` when nothing matches
+- **Simple if/else (3 args):** `CASE(user.name IS NOT NULL, user.name, user.full_name)` — preserve `user.name`, else `user.full_name`
+- **Wrong (4 args):** 
`CASE(user.name IS NOT NULL, user.name, user.full_name, null)` — parses as two pairs: `(user.full_name)` is a **condition**, `null` is its value, **not** “else default null”
+- **Preserve + one fallback (5 args):** `CASE(user.id IS NOT NULL, user.id, dataset == “x”, vendor.id, null)` — condition, value, condition, value, else
+- Combine conditions with `AND` / `OR`: `data_stream.dataset == “slack.audit” AND event.action == “user_login”`
+- Use `IS NOT NULL` / `!= null` when guarding empty vendor fields
+- Quote string literals: `”slack.audit”`, `”user_login”`
+- **Type safety:** `host.id`, `user.id`, `entity.id`, and similar identity columns are `keyword`. Assigning an `ip`-typed field (e.g. `source.ip`, `destination.ip`) requires `TO_STRING()`: `TO_STRING(source.ip)`. Assigning a numeric field requires `TO_STRING()` as well. `mac`, `domain`, and most vendor string fields are already `keyword` and need no conversion.
+- **Boolean conditions:** Fields documented or intended as `boolean` may be indexed as `keyword` (runtime mapping, ingest quirks). **Always wrap boolean fields in `TO_BOOLEAN()`** in `CASE` conditions — e.g. `TO_BOOLEAN(citrix.cef_format) == true`, `TO_BOOLEAN(servicenow.event.applied.value) == true`, `(field IS NULL OR TO_BOOLEAN(field) == false)` — never compare the raw field to `true`/`false` literals. This stays correct if the mapping is fixed later.
+- **Field names starting with a digit:** Any field whose name (or any dot-separated segment) starts with a digit is not a legal bare identifier in ES|QL. Wrap the **entire** dotted path in backticks: `` `cisco_meraki.8021x_eap_success.vap` ``. Check vendor field trees for such names before writing CASE expressions.
+
+## Array and multi-value field constraints (mandatory)
+
+ES|QL **flattens arrays of objects** at index time. 
Each sub-field becomes an independent multi-value field; the positional relationship between sibling fields within the same array element is **lost and the order of values is not guaranteed**.
+
+### What is NOT supported in ES|QL
+
+| Pattern | Why it fails | What to do instead |
+| --- | --- | --- |
+| `field[0]` / `field[1]` | Array index syntax is not valid ES|QL | Use `MV_FIRST(field)` only when ordering doesn't matter (e.g. a field that is always single-valued in practice); otherwise document as **ingest-only** |
+| `field[].subfield` | Array-of-objects sub-field notation is not valid | Use `field.subfield` — ES|QL already sees it as a multi-value field after flattening |
+| `MV_FILTER(fieldA, fieldB == “value”)` | `MV_FILTER` takes a single field + a **string/regex literal**, not a cross-field boolean condition | Cannot correlate sibling fields from the same array element at query time → **ingest-only** |
+| `MV_FIRST(MV_FILTER(fieldA, fieldB == “x”))` | Same as above — the inner `MV_FILTER` call is invalid | **ingest-only** |
+
+### Decision rule
+
+For each vendor field that comes from an array of objects, make one of two calls:
+
+1. **Use the full multi-value field** — when ALL values are semantically equivalent for the output column (e.g. every IP in a multi-value `source.ip` field is a valid actor IP). Use the field directly; `MV_FIRST()` is acceptable only when the field is practically always single-valued.
+
+2. **Document as ingest-only** — when only a SPECIFIC element is relevant (e.g. the participant whose `role == “offender”`) and using all values would be misleading or incorrect. Write a note in **Gaps and limitations**: `{field} — cannot extract specific element at query time; array-of-objects requires ingest-time pipeline handling.`
+
+Do **not** emit `MV_FILTER` with a cross-field condition or `field[n]` indexing. Both are invalid and will cause the query to fail. 
+
+## Output ECS columns (mandatory set)
+
+Produce **`EVAL` expressions that populate these destination columns** when applicable. Omit columns with no defensible source for this integration — do not emit empty `CASE()` branches for unsupported fields.
+
+### Actor columns (by semantic classification)
+
+| Classification | Destination columns |
+| --- | --- |
+| **user** | `user.id`, `user.name`, `user.domain`, `user.email` |
+| **host** | `host.id`, `host.ip`, `host.name` |
+| **service** | `service.id`, `service.name`, `service.type`, `service.version` |
+| **general** (none of the above) | `entity.id`, `entity.name`, `entity.type`, `entity.sub_type` |
+
+### Target columns (by semantic classification)
+
+Target identity lives under the **entity’s `.target.*` namespace** — the target field set is a suffix on the entity type, not a `target.` prefix.
+
+| Classification | Destination columns (correct) |
+| --- | --- |
+| **user** | `user.target.id`, `user.target.name`, `user.target.domain`, `user.target.email` |
+| **host** | `host.target.id`, `host.target.ip`, `host.target.name` |
+| **service** | `service.target.id`, `service.target.name`, `service.target.type`, `service.target.version` |
+| **general** | `entity.target.id`, `entity.target.name`, `entity.target.type`, `entity.target.sub_type` |
+
+**Forbidden target column names (never emit):**
+
+| Wrong | Correct |
+| --- | --- |
+| `target.user.*`, `target.host.*`, `target.service.*`, `target.entity.*` | `user.target.*`, `host.target.*`, `service.target.*`, `entity.target.*` |
+| `target.entity.type` (helper misnamed as ECS) | `entity.target.type` if classifying target; or omit |
+| `actor.entity.type` as actor output | `entity.type` / `entity.sub_type` for actor-side general only |
+
+**Naming note:** Many integrations index `user.full_name` instead of `user.name`. 
The **output column is always `user.name`** (and `user.target.name` for targets); the `CASE` source may be `user.full_name`, a vendor name field, or a literal. Document the source in the mapping table.
+
+**Domain note:** When `user.domain` / `user.target.domain` is not indexed, derive from email when possible (document the expression or mark **gap — not extractable**).
+
+## Routing key
+
+Primary router: **`data_stream.dataset`**
+
+- Elastic integrations use `{package}.{stream}` (e.g. `slack.audit`, `wiz.audit`, `aws_bedrock.invocation`).
+- Prefer **exact dataset equality** per stream: `data_stream.dataset == "slack.audit"`.
+- Use `STARTS_WITH(data_stream.dataset, "{integration}.")` only when one mapping applies to all streams of this package and fixtures confirm shared field layout.
+- List every dataset covered in `manifest.yml` / Pass 1 **Data Collected**; mark streams with no actor/target extraction (metrics, inventory sync).
+
+Secondary routers (when one dataset has mixed entity types):
+
+- Vendor discriminators: e.g. `slack.audit.entity.entity_type`, `event.action`, `event.category`
+- Pass 3 event-graph semantics (e.g. login → service target, not self-referential `entity`)
+- Pass 2 per-stream notes
+
+## Mapping principles
+
+1. **Do not override existing values (mandatory).** Pass 4 is **fill-gaps-only** enrichment. If the document already has actor, target, or action identity, **keep it**. Only apply heuristic / vendor / integration-specific extraction when detection flags are false.
+2. **Detection flags first.** Emit a single upfront `| EVAL` that sets booleans `actor_exists`, `target_exists`, `action_exists`. Mapped columns use valid `CASE` arity (see Syntax reminders): e.g. `CASE(col IS NOT NULL, col, vendor_field)` (3 args) or `CASE(col IS NOT NULL, col, dataset == "…", vendor_field, null)` (5 args) — not `CASE(flag, col, vendor_field, null)` (4 args — vendor field becomes a condition).
+3. 
**Vendor fallback when empty.** When ECS fields are empty but vendor fields hold identity (e.g. `slack.audit.entity.id` for target user), use the vendor path only in the **fallback** branch — never replace a non-null existing value.
+4. **De-facto targets.** When Pass 2 documents `destination.user.*` / `destination.host.*` as target identity, map to `user.target.*` / `host.target.*` in the **fallback** branch only.
+5. **Do not conflate actor and target.** Actor columns come from principal/caller fields; target columns from entity/resource/object fields. When vendor `entity` mirrors `actor` on auth events (Slack login), **do not** map entity to `user.target.*` — use Pass 3 target semantics (often `service.target.*` or a literal) in fallback only.
+6. **Classification-first when mixed.** For datasets with multiple target types (user vs file vs service), nest `CASE` with discriminators in the **fallback** branch — do not add misnamed columns like `target.entity.type`.
+7. **Fixture-grounded sources only.** Every non-literal fallback source field must appear in fixtures or Pass 2 evidence.
+8. **Literals for semantic targets.** Use string literals only in fallback branches when Pass 3 marks **semantic — not indexed**.
+9. **No per-event graph → no extraction block.** Metrics, inventory, entity-analytics sync streams: document under **Streams excluded** instead of forcing `CASE`.
+10. **No tautological CASE (mandatory).** A fallback branch must use a **different** field than the output column. Forbidden patterns:
+ - `CASE(actor_exists, user.id, user.id, null)` — when `user.id` is empty, reading `user.id` again does nothing.
+ - `CASE(actor_exists, user.id, data_stream.dataset == "…", user.id, null)` — same column in preserve and fallback.
+ - `CASE(flag, col, condition, col, null)` for any `col` — identity no-op. 
+ **When ingest always populates a column** and the vendor source is renamed away at index time (no query-time vendor path), **omit that column from the actor/target `EVAL` block** and note **ingest-only — no ES|QL** in the mapping table. Only emit `CASE` when a real alternate source exists (vendor field, different ECS field like `user.full_name` → `user.name`, or literal).
+ **Column-level preserve for renames:** When output is `user.name` but identity lives in `user.full_name`, use **3-arg** `CASE(user.name IS NOT NULL, user.name, user.full_name)` or **5-arg** with a boolean middle condition — never 4-arg with a bare field as the 3rd argument (ES|QL treats it as a condition, not a value). Do not use `CASE(actor_exists, user.name, …)` if `actor_exists` can be true from `user.full_name` while `user.name` is still empty.
+
+## Prompt template
+
+```
+Update {repo_root}/{output_path}:
+
+1. KEEP all existing sections unchanged.
+2. REMOVE any existing `## ES|QL Entity Extraction` section (if present).
+3. APPEND a new `## ES|QL Entity Extraction` section as specified below.
+
+Task: For integration "{integration}", produce ES|QL `EVAL` / `CASE` mappings that populate standard actor and target ECS columns from indexed fields, routed primarily by `data_stream.dataset`.
+
+---
+
+## Step 1 — Read sources
+
+Scope: **{integration} only**.
+
+1. {repo_root}/{output_path} — Pass 2 (`Expected Audit Log Entities`) and Pass 3 (`Example Event Graph`)
+2. packages/{integration}/manifest.yml — data stream names → expected `data_stream.dataset` values
+3. packages/{integration}/data_stream/*/sample_event.json and *-expected.json — field paths that exist at query time
+4. packages/{integration}/data_stream/*/elasticsearch/ingest_pipeline/*.yml — when vendor → ECS rename is unclear
+5. packages/{integration}/data_stream/*/fields/fields.yml — vendor field tree
+
+Build a dataset inventory before writing ES|QL. 
+
+**Assets-only:** if no `data_stream/` in package, inventory uses `event.dataset` (or index pattern) from dashboard ES|QL — mark **Tier B — not verified by package fixture**.
+
+---
+
+## Step 2 — Append this section format
+
+## ES|QL Entity Extraction
+
+One intro paragraph: package type (agent-backed vs assets-only), which dataset router applies (`data_stream.dataset` vs `event.dataset`), streams covered, and streams excluded.
+
+**Assets-only intro must include:** "Field paths inferred from bundled dashboard ES|QL only; this package defines no ingest pipelines or test fixtures in-repo."
+
+### Dataset inventory
+
+| data_stream.dataset | Stream role | Actor classification(s) | Target classification(s) | Extraction |
+| --- | --- | --- | --- | --- |
+| `{integration}.…` | audit / network / … | user, host, … | user, service, … | full / partial / none |
+
+### Field mapping plan
+
+Per **actor** and **target**, a row for each destination column you will populate:
+
+#### Actor mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.id` | e.g. `user.id` | `data_stream.dataset == "…"` | high | pass-through / vendor fallback |
+| `user.name` | e.g. `user.full_name` | … | … | … |
+| … | … | … | … | … |
+
+#### Target mappings
+
+| Output column | Source field(s) | Condition (dataset + optional) | Confidence | Notes |
+| --- | --- | --- | --- | --- |
+| `user.target.id` | … | … | … | … |
+| `service.target.name` | … | … | … | semantic literal on login |
+| … | … | … | … | … |
+
+Rules for this table:
+- **Condition** column uses ES|QL boolean expressions (not prose)
+- **Confidence**: high (fixture + pipeline), medium (pipeline only), low (heuristic / Pass 3 semantic)
+- Mark **preserve existing**, **vendor fallback**, **semantic literal**, **de-facto destination.***
+
+### Detection flags (mandatory — run first)
+
+One fenced `esql` block **before** actor/target/action mappings. 
These are **query-time helpers**, not ECS fields:
+
+```esql
+| EVAL
+ actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+ OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+ OR service.id IS NOT NULL OR service.name IS NOT NULL
+ OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+ target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+ OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+ OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+ OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+ action_exists = event.action IS NOT NULL
+```
+
+Tune `actor_exists` / `target_exists` if this integration only uses a subset (e.g. network-only: drop `user.*` from `actor_exists`). Document the chosen predicate in the mapping plan.
+
+**Semantics:** When `actor_exists` is true, output actor columns must equal their **current** values (no overwrite). When false, apply integration heuristic. Same for `target_exists` / `action_exists`.
+
+### Optional classification helpers (when needed)
+
+Only when fallback branches need type discrimination. Use **correct ECS names**:
+
+- Actor-side general: `entity.type`, `entity.sub_type` (not `actor.entity.type`)
+- Target-side general: `entity.target.type`, `entity.target.sub_type` (not `target.entity.type`)
+
+Set these in the **fallback** branch only, e.g. `entity.target.type = CASE(entity.target.type IS NOT NULL, entity.target.type, data_stream.dataset == "…" AND …, "domain", null)`.
+
+Skip when stream-level routing in `CASE` is enough.
+
+### Combined ES|QL — actor fields
+
+Second fenced `esql` block. 
**Every assignment** uses column-level preserve-first `CASE`:
+
+```esql
+| EVAL
+ user.id = CASE(
+ user.id IS NOT NULL, user.id,
+ data_stream.dataset == "{integration}.audit" AND slack.actor.user.id IS NOT NULL, slack.actor.user.id,
+ null
+ ),
+ user.name = CASE(
+ user.name IS NOT NULL, user.name,
+ data_stream.dataset == "{integration}.audit" AND user.full_name IS NOT NULL, user.full_name,
+ null
+ ),
+ host.ip = CASE(
+ host.ip IS NOT NULL, host.ip,
+ data_stream.dataset == "{integration}.log" AND source.ip IS NOT NULL, source.ip,
+ null
+ )
+```
+
+Pattern: `CASE( IS NOT NULL, , data_stream.dataset == "…" AND IS NOT NULL, , null)` (5 args) or `CASE( IS NOT NULL, , )` (3 args, when only one possible source).
+
+**Never** `CASE(actor_exists, col, ...)` — `actor_exists` can be true from a different field while `col` is still null, silently skipping the fallback.
+
+Only include columns with a defensible fallback for at least one dataset. Order: user → host → service → entity actor fields.
+
+### Combined ES|QL — event action
+
+Third fenced `esql` block (when this integration has action candidates):
+
+```esql
+| EVAL
+ event.action = CASE(
+ event.action IS NOT NULL, event.action,
+ data_stream.dataset == "{integration}.audit" AND slack.action IS NOT NULL, slack.action,
+ data_stream.dataset == "{integration}.logs" AND azure.open_ai.operation_name IS NOT NULL, azure.open_ai.operation_name,
+ null
+ )
+```
+
+Omit entire block when no action fallback exists (document in Gaps).
+
+### Combined ES|QL — target fields
+
+Fourth fenced `esql` block. 
Target columns use **`user.target.*` / `host.target.*` / `service.target.*` / `entity.target.*` only**:
+
+```esql
+| EVAL
+ user.target.id = CASE(
+ user.target.id IS NOT NULL, user.target.id,
+ data_stream.dataset == "{integration}.audit" AND slack.audit.entity.entity_type == "user" AND event.action != "user_login" AND slack.audit.entity.id IS NOT NULL, slack.audit.entity.id,
+ null
+ ),
+ service.target.name = CASE(
+ service.target.name IS NOT NULL, service.target.name,
+ data_stream.dataset == "{integration}.audit" AND event.action == "user_login", "Slack",
+ null
+ ),
+ host.target.ip = CASE(
+ host.target.ip IS NOT NULL, host.target.ip,
+ data_stream.dataset == "{integration}.log" AND destination.ip IS NOT NULL, destination.ip,
+ null
+ )
+```
+
+Pattern: `CASE( IS NOT NULL, , , , null)` (5 args) or `CASE( IS NOT NULL, , )` (3 args for semantic literals with no ambiguity).
+
+**Never** `CASE(target_exists, col, fallback, null)` — that is a 4-arg CASE where `fallback` parses as a boolean condition and `null` is its return value, not the default.
+
+Never write `target.user.id` — always `user.target.id`.
+
+### Full pipeline fragment (optional)
+
+A copy-pasteable minimal query — **unscoped** `FROM logs-*` (no `WHERE data_stream.dataset` filter). 
Dataset routing lives **inside every CASE fallback branch**:
+
+```esql
+FROM logs-*
+| EVAL
+ actor_exists = …,
+ target_exists = …,
+ action_exists = event.action IS NOT NULL
+| EVAL
+ user.name = CASE(user.name IS NOT NULL, user.name, data_stream.dataset == "{integration}.audit" AND user.full_name IS NOT NULL, user.full_name, null),
+ user.target.id = CASE(user.target.id IS NOT NULL, user.target.id, data_stream.dataset == "{integration}.audit" AND slack.audit.entity.id IS NOT NULL AND …, slack.audit.entity.id, null),
+ event.action = CASE(event.action IS NOT NULL, event.action, data_stream.dataset == "{integration}.audit" AND slack.action IS NOT NULL, slack.action, null)
+| KEEP @timestamp, data_stream.dataset, event.action, user.id, user.name, user.target.id, service.target.name
+```
+
+**Do not** use `| WHERE data_stream.dataset IN (…)` in the fragment — customers run cross-package queries; each fallback must embed its dataset guard.
+
+### Streams excluded
+
+Bullet list of datasets where **no** actor/target `EVAL` is produced (metrics, inventory, engine stats), with one-line reason. 
+
+### Gaps and limitations
+
+- Destination columns intentionally omitted (no indexed source)
+- Fields that need ingest-time enrichment before ES|QL can map them
+- Ambiguous cases where `CASE` would guess wrong — prefer omission + note over false positives
+- Alignment with Pass 2 **Enhancement candidate?** rows
+
+---
+
+## Step 3 — Validate mappings (mandatory)
+
+Before returning, check each populated output column:
+
+| Test | Action |
+| --- | --- |
+| Source field exists in fixtures for the cited dataset | Remove or downgrade if not |
+| Actor source is principal/caller, not target object | Swap or split conditions |
+| Target maps self on auth login (tautology) | Apply Pass 3 semantics — service/platform target |
+| Same vendor field used for actor and target on one event | Add `event.action` or entity_type guard |
+| Literal string used | Mark **semantic literal** in mapping table |
+| ES|QL syntax | `CASE(cond, val, …)`, string equality with `==`, string literals double-quoted |
+| Boolean conditions | Wrap boolean fields in `TO_BOOLEAN(field)` before `== true` / `== false`; never compare raw keyword booleans |
+| Target namespace | No `target.user.*` — only `user.target.*` (and host/service/entity equivalents) |
+| Preserve-first | Every mapped column uses `CASE(col IS NOT NULL, col, …)` as the first two args (column-level preserve) |
+| No tautology | Fallback ≠ output column; omit ingest-only columns with no alternate source |
+| Ingest-only | If pipeline always sets the field, do not emit `CASE(col, col, …)` |
+
+---
+
+## Rules
+
+1. **Preserve existing values** — `CASE(user.id IS NOT NULL, user.id, …)` (column-level preserve), never blind assignment and never `CASE(actor_exists, user.id, …)` (flag-level — silently skips fallback when flag is true from a different field while this column is still null).
+2. **Detection flags block** — `actor_exists`, `target_exists`, `action_exists` defined before mapping `EVAL`s.
+3. 
**Correct target namespaces** — `user.target.*`, `host.target.*`, `service.target.*`, `entity.target.*` only; **never** `target.user.*` or `target.entity.type`.
+4. **Dataset-first routing** — fallback branches start with `data_stream.dataset` (or `event.dataset` for assets-only).
+5. **Mandatory column sets** — use the actor/target tables above; do not invent alternate ECS names.
+6. **Separate EVAL blocks** — detection flags, then actor, then action (if any), then target (minimum four subsections when action applies).
+7. **Mapping plan before code** — tables must precede ES|QL blocks; note **preserve existing** vs **fallback** per row.
+8. **No cross-integration CASE branches** — this file covers `{integration}` datasets only.
+9. **Prefer omission over guessing** — if confidence is low, leave column out and document in Gaps.
+10. **Assets-only** — follow [package-capability.md](package-capability.md); Tier B dashboard evidence only.
+11. **No tautological CASE** — omit columns from `EVAL` when ingest-only; fallback must reference a different field path.
+
+---
+
+Return the file path when done. 
+```
+
+## Example invocation
+
+Integration: `slack`
+Output: `dev/domain/p1/slack.md`
+
+Expected highlights:
+
+- Dataset: `slack.audit` only
+- Detection flags → preserve-first `CASE` on all columns
+- Actor fallback: `user.id` ← `user.id` or vendor; `user.name` ← `user.full_name` when `NOT actor_exists`
+- Target fallback: `service.target.name = "Slack"` when login and `NOT target_exists`; `user.target.id` ← `slack.audit.entity.id` when `entity_type == "user"` and not login
+- Action: `event.action` ← `slack.action` when `NOT action_exists`
+- Never `target.user.*`; never overwrite populated `user.*` / `user.target.*`
+
+Integration: `linux`
+Expected: **Streams excluded** — metrics-only; no actor/target EVAL
+
+Integration: `fortinet_fortigate`
+Expected: actor `user.name` / `source.ip`; target `destination.user.name` → `user.target.name` (de-facto); network flows → `host.target.ip`
+
+## Notes for orchestrator
+
+- Run **after Pass 2** (required) and **Pass 3** (strongly recommended — target routing on auth events).
+- **Replace** `## ES|QL Entity Extraction` on re-run; do not duplicate.
+- One sub-agent per integration.
+- Include [Scope guardrails](#scope-guardrails) in every prompt.
+- Pass 4 output is **query-time normalization** — it does not modify ingest pipelines or packages.
+- For orchestrator batches: same parallel pattern as Pass 2–3 (8–10 at a time).
+
+## Relationship to other passes
+
+| Pass | Prompt | Output |
+| --- | --- | --- |
+| 1 | `domain-knowledge.md` | Product domain + data streams |
+| 2 | `actor-target-classification.md` | Field inventory + ECS candidates |
+| 3 | `event-graph-example.md` | Readable Actor → action → Target examples |
+| 4 | `esql-entity-mapping.md` | ES|QL `EVAL`/`CASE` actor + target extraction |
+
+Pass 4 must **not contradict** Pass 2 mapping quality flags or Pass 3 target semantics. When Pass 2 marks **Mapping correct?** = `no`, do not wire that field into ES|QL without a guard or note in Gaps. 
diff --git a/dev/domain/prompts/event-graph-example.md b/dev/domain/prompts/event-graph-example.md
new file mode 100644
index 00000000000..3891d4c47fc
--- /dev/null
+++ b/dev/domain/prompts/event-graph-example.md 
@@ -0,0 +1,299 @@
+# Sub-agent prompt: Event graph example
+
+Use this prompt when dispatching a sub-agent to append a **simple, readable** Actor → event.action → Target example to an existing domain document.
+
+Pass 2 (`actor-target-classification.md`) is exhaustive. This pass (Pass 3) produces a **short illustrative graph** grounded in real fixture data so readers can quickly understand how a typical event flows.
+
+**Every example must pass Step 3 (common-sense graph test)** — read the one-liner aloud before finishing.
+
+## Variables
+
+| Variable | Description | Example |
+| --- | --- | --- |
+| `{integration}` | Package name under `packages/` | `citrix_waf` |
+| `{output_path}` | Path to the existing domain markdown file | `dev/domain/p1/citrix_waf.md` |
+| `{repo_root}` | Absolute path to the integrations repo | `/Users/.../integrations` |
+
+## Scope guardrails
+
+Each sub-agent analyzes **`{integration}` only**.
+
+**Allowed reads:** `packages/{integration}/**`, `{output_path}` (only this file under `dev/domain/p1/`), sibling packages only when named in the target package README.
+
+**Forbidden:** other `dev/domain/p1/*.md` files, other `packages/*/` directories (unless README allows), copying examples or field values from another integration's fixtures or domain doc.
+
+Every graph example must cite a fixture under `packages/{integration}/` **unless** the package is **assets-only** — see [package-capability.md](package-capability.md).
+
+## Package capability (mandatory check)
+
+**Before Step 1**, detect package type:
+
+| Type | Pass 3 output |
+| --- | --- |
+| **Agent-backed** | Full **Example Event Graph** (1–3 examples) — values from `sample_event.json` / `*-expected.json` only |
+| **Assets-only** | **Illustrative patterns only** — alternate section format below; **no** fabricated entity values |
+| **Metrics / inventory only** | Intro + "no per-event graph" (existing rule 9) |
+
+**Assets-only integrations** (e.g. 
`corelight`) have **no** `data_stream/`, **no** `sample_event.json`, and **no** ingest pipelines in this repo. Dashboard JSON is **not** a fixture.
+
+## Entity schema
+
+Each **Actor** and **Target** node uses this shape. Omit optional fields when not available in fixtures — do not invent values.
+
+| Field | Required | Description | Typical ECS / vendor sources |
+| --- | --- | --- | --- |
+| `id` | preferred | Stable identifier | `user.id`, `host.id`, `resource.id`, ARN, session ID, request ID |
+| `name` | optional | Human-readable label | `user.name`, `host.name`, `url.domain`, model name, email |
+| `type` | preferred | Entity class | `user`, `host`, `service`, or `general` |
+| `sub_type` | optional | Narrower category | e.g. `assumed_role`, `service_account`, `waf_profile`, `foundation_model`, `email_recipient` |
+| `geo` | optional | Location string | Compose from `*.geo.city_name`, `country_name`, or `location.lat/lon` — one readable line |
+| `ip` | optional | Network address | `source.ip`, `destination.ip`, `host.ip`, `client.ip` (only when it identifies the entity) |
+
+**Event action** node:
+
+| Field | Required | Description |
+| --- | --- | --- |
+| `action` | yes | The verb — what happened (e.g. `blocked`, `login`, `InvokeModel`, `ListKey`) |
+| `source_field` | if `event.action` absent | ECS or vendor field used to derive the action (e.g. `azure.open_ai.operation_name`) |
+| `source_value` | if `event.action` absent | Example value from a fixture |
+
+When `event.action` **is** populated in the fixture, set `source_field` to `event.action` and copy the fixture value.
+
+## Prompt template
+
+```
+Update {repo_root}/{output_path}:
+
+1. KEEP all existing sections unchanged (`## Product Domain`, `## Data Collected`, `## Expected Audit Log Entities`, …).
+2. REMOVE any existing `## Example Event Graph` section (if present).
+3. APPEND a new `## Example Event Graph` section as specified below. 
+
+Task: For integration "{integration}", produce 1–3 simple **Actor → event.action → Target** examples grounded in real sample/fixture data. This is a summary for human readers — not an exhaustive field audit (Pass 2 already covers that). **Complete Step 3 for each example before moving on.**
+
+---
+
+## Step 1 — Read sources
+
+Scope: **{integration} only**. Do not read other `dev/domain/p1/*.md` files or other `packages/*/` directories.
+
+1. {repo_root}/{output_path} — domain doc + Pass 2 analysis (this file only)
+2. Classify package per [package-capability.md](package-capability.md)
+3. **Agent-backed:** `packages/{integration}/data_stream/*/sample_event.json` and `*-expected.json`
+4. **Assets-only:** `packages/{integration}/kibana/dashboard/*.json` (and search assets) — field names and filter literals from embedded ES|QL only
+
+**Agent-backed:** pick events that tell a clear story; use **actual field values** from fixtures only.
+
+**Assets-only:** do **not** produce Example 1/2/3 with Actor/Target value tables. Use **Step 2b** format instead.
+
+---
+
+## Step 2 — Append section format (agent-backed)
+
+Use this when `packages/{integration}/data_stream/` exists and package fixtures are available.
+
+## Example Event Graph
+
+One short intro sentence: which stream(s) the examples come from and whether they are true audit logs or audit-adjacent.
+
+For each example (1–3), use this structure:
+
+### Example {n}: {short title}
+
+**Stream:** `{dataset}` · **Evidence:** `{path to sample_event.json or *-expected.json}` (Tier A)
+
+```
+Actor → event.action → Target
+```
+
+#### Actor
+
+| Field | Value |
+| --- | --- |
+| id | … |
+| name | … (omit row if unavailable) |
+| type | user \| host \| service \| general |
+| sub_type | … (omit row if unavailable) |
+| geo | … (omit row if unavailable) |
+| ip | … (omit row if unavailable) |
+
+**Field sources:** bullet list mapping each populated value to its ECS/vendor field (e.g. 
`id ← source.ip`, `geo ← source.geo.city_name, source.geo.country_name`)
+
+#### Event action
+
+| Field | Value |
+| --- | --- |
+| action | … |
+| source_field | `event.action` or vendor/ECS field path |
+| source_value | exact value from fixture |
+
+If `event.action` is missing in the fixture, set `action` to the best derived label from `source_field` / `source_value` and note that it is **not mapped to ECS today**.
+
+#### Target
+
+| Field | Value |
+| --- | --- |
+| id | … |
+| name | … (omit row if unavailable) |
+| type | user \| host \| service \| general |
+| sub_type | … (omit row if unavailable) |
+| geo | … (omit row if unavailable) |
+| ip | … (omit row if unavailable) |
+
+**Field sources:** same as Actor
+
+#### Mermaid (optional)
+
+When the example is clear, add a one-line mermaid flowchart:
+
+```mermaid
+flowchart LR
+ A["Actor: {label}"] --> E["{action}"]
+ E --> T["Target: {label}"]
+```
+
+---
+
+## Step 3 — Validate each example (mandatory)
+
+Before writing the next example, **read the one-liner aloud** as a plain sentence:
+
+> “{Actor} did {action} to {target}.”
+
+| If you hear… | Fix |
+| --- | --- |
+| Same entity on both sides (“user logs in to themselves”) | Re-evaluate target — login/auth usually means accessing a **service/platform**, not the user account again |
+| A populated vendor field that duplicates the actor (`entity` = `actor` on auth events) | Do not copy `entity` blindly; ask what was actually accessed |
+| Scope metadata presented as target (tenant ID, workspace name, tracking ID) | Move to **Scope context** under field sources; pick the primary acted-upon object |
+| Collector/syslog IP as actor on application events | Actor is the HTTP/client principal, not the forwarding host |
+| Forced graph on metrics/inventory/sync streams | State “no per-event graph” instead of inventing actor/target |
+
+Then confirm Actor, Target, and Event action **tables and mermaid match the one-liner**. 
+
+Typical coherent readings (not exhaustive):
+
+- **login / user_login / access_allowed** → user → **service/system** (e.g. Slack, Prisma Cloud, application client)
+- **create user / invite** → admin → **different user**
+- **download / upload / delete** → user → **file or resource**
+- **API call / InvokeModel** → principal → **model, bucket, or API resource**
+- **block / deny / quarantine** → client or policy engine → **URL, message, or flow peer**
+
+When the service name is not indexed (`cloud.service.name` absent), use a **semantic target** and mark **semantic — not indexed in fixture** in field sources (Rule 7).
+
+---
+
+## Step 2b — Append section format (assets-only)
+
+Use when package has **no** `data_stream/` and **no** `sample_event.json` (dashboards/content integrations).
+
+## Example Event Graph (illustrative — no package fixtures)
+
+Intro **must** state:
+
+- **Package type: assets-only** — no Elastic Agent data streams or package test fixtures in-repo
+- Data is ingested **outside** this package (per README); bundled dashboards query customer indices
+- Patterns below are **field/schema illustrations** from dashboard ES|QL — **not** single indexed documents
+- Do **not** use the label `Fixture:` for dashboard JSON files
+
+For each pattern (1–3 max), use:
+
+### Pattern {n}: {short title}
+
+**Log type:** `{event.dataset}` or index pattern from dashboard ES|QL · **Evidence:** `packages/{integration}/kibana/dashboard/{file}.json` (Tier B)
+
+```
+Actor (field paths only) → action (field/literal) → Target (field paths only)
+```
+
+Example one-liner (no invented IPs or names):
+
+```
+host (source.ip) → SSL::Certificate_Expired (notice.note filter literal) → tls service (destination.ip, network.protocol)
+```
+
+#### Actor (schema)
+
+| Field | Source in indexed data (not a sample value) |
+| --- | --- |
+| type | host — from `source.ip` in dashboard ES|QL |
+
+Do **not** populate id, name, ip, geo rows unless a **literal** appears in the 
dashboard asset (e.g. filter value `SSL::Certificate_Expired`). Never invent endpoint IPs.
+
+#### Event action (schema)
+
+| Field | Source |
+| --- | --- |
+| action | derived label from dashboard filter or field |
+| source_field | e.g. `notice.note`, `dns.response_code` |
+| source_value | literal from dashboard JSON only, or "—" |
+
+#### Target (schema)
+
+Same pattern — field paths and filter literals only.
+
+**No mermaid** with fake host labels unless literals exist in dashboard JSON.
+
+**Forbidden for assets-only:** full Actor/Target tables that look like one real event; citing dashboard as `Fixture:`; inventing `data_stream.dataset` from this package's manifest.
+
+---
+
+## Rules
+
+1. **Simplicity over completeness.** One primary actor, one primary action, one primary target per example. Do not list every candidate from Pass 2.
+2. **Fixture-grounded values.** Cite a fixture for every id, ip, email, and hostname. Do not invent identifiers. Semantic service/product names are allowed when Rule 7 applies.
+3. **Correct actor vs target.** The HTTP client blocking a request is the actor; the protected URL/application is the target. Syslog sender / collector IP is not the actor unless the event is about the collector.
+4. **Common-sense graph test (mandatory).** Complete Step 3 for every example before returning. Populated vendor fields are not proof of a good graph — if the one-liner sounds wrong aloud, fix it.
+5. **Action from evidence.** Prefer `event.action` when present. Otherwise derive from the strongest vendor operation field (`operation_name`, `citrix.name`, `wiz.audit.action`, etc.) and document `source_field`.
+6. **Optional fields.** Omit table rows (not empty placeholders) when the fixture has no value. Do not copy unrelated geo (e.g. ADC syslog sender geo when actor is HTTP client).
+7. **Semantic targets when unindexed.** Product/service names (e.g. 
"Slack", "Salesforce") may be valid targets when the action clearly accesses that platform but no ECS field holds the name (`cloud.service.name` absent). Mark such values **semantic — not indexed in fixture** and cite supporting context fields; do not invent IDs, IPs, or emails. +8. **Multiple examples when streams differ.** e.g. audit stream vs API telemetry vs network log — use separate examples rather than merging semantics. +9. **Metrics / inventory streams.** If no meaningful Actor → action → Target chain exists, state that in intro prose and skip forced examples (or show one note: "no per-event graph — time-bucketed metrics only"). +10. **Single-integration scope.** Do not borrow examples, field values, or narrative from other integrations' domain docs or packages. +11. **Assets-only packages.** Use Step 2b only; Tier B evidence; never pretend a dashboard panel is a sample event. + +--- + +Return the file path when done. +``` + +## Example invocation + +Integration: `citrix_waf` +Output: `dev/domain/p1/citrix_waf.md` + +Expected output sketch: + +``` +Actor (host, ip=175.16.199.1, geo=Changchun, CN) + → not blocked + → Target (service, name=vpx247.example.net/FFC/login_post.html, sub_type=protected_web_app) +``` + +Fixture: `packages/citrix_waf/data_stream/log/sample_event.json` +Action source: `event.action` ← CEF `act` + +Integration: `azure_openai` +Expected: action derived from `azure.open_ai.operation_name: ListKey` (no `event.action` in fixture) + +Integration: `slack` +Anti-pattern: `Charlie Parker → user_login → Charlie Parker` — tautological; vendor `entity` mirrors `actor` on login. +Fixed: `Charlie Parker → user_login → Slack (service)` — semantic target; Birdland enterprise noted as scope context only. + +## Notes for orchestrator + +- Run **after Pass 1** (domain knowledge). Pass 2 is helpful context but not required — sub-agents can read samples directly. +- **Replace** `## Example Event Graph` on re-run; do not duplicate. 
+
+- One sub-agent per integration.
+- This pass exists because Pass 2 reports are hard to scan — optimize for clarity, not coverage.
+- Include [Scope guardrails](#scope-guardrails) in every prompt — do not reference peer domain docs as templates.
+- **Always include Step 3 (validate)** in dispatched prompts — creation and quality-sweep runs use the same gate.
+- For **quality sweeps** across many integrations: dispatch review/fix tasks (do not regenerate Pass 1/2); apply Step 3 to each existing example; change only examples that fail the read-aloud test.
+
+## Relationship to other passes
+
+| Pass | Prompt | Output |
+| --- | --- | --- |
+| 1 | `domain-knowledge.md` | Product domain + data streams |
+| 2 | `actor-target-classification.md` | Exhaustive actor / action / target + ECS candidates |
+| 3 | `event-graph-example.md` | 1–3 simple Actor → action → Target examples |
+
+Pass 3 should **not contradict** Pass 2. If Pass 2 flagged ambiguous mapping, reflect the best interpretation in the graph and note uncertainty in one line under **Field sources**.
diff --git a/dev/domain/prompts/package-capability.md b/dev/domain/prompts/package-capability.md
new file mode 100644
index 00000000000..15307efede8
--- /dev/null
+++ b/dev/domain/prompts/package-capability.md 
@@ -0,0 +1,47 @@ +# Package capability — detection and evidence tiers + +Use this checklist **before Pass 2–4** (and document in Pass 1) so sub-agents do not treat dashboards-only integrations like agent-backed packages. + +## How to detect package type + +Run this check under `packages/{integration}/`: + +| Signal | Agent-backed | Assets-only (dashboards / content) | +| --- | --- | --- | +| `manifest.yml` has `policy_templates:` | yes | **no** | +| `data_stream/` directory exists | yes | **no** | +| `data_stream/*/sample_event.json` | usually yes | **no** | +| `data_stream/*/_dev/test/pipeline/*-expected.json` | usually yes | **no** | +| `kibana/dashboard/` or `kibana/search/` only | optional | **yes** (primary deliverable) | +| Collection described in README | Elastic Agent / API / syslog | External export (Corelight → ES, OTel collector, etc.) | + +**Assets-only examples in this repo:** `corelight`, `aws_vpcflow_otel`, `aws_cloudtrail_otel` (and similar content integrations). + +**Assets-with-sibling:** dashboards-only package whose README explicitly references another package for ingest semantics (e.g. classic `packages/aws/data_stream/vpcflow/` for `aws_vpcflow_otel`). Sibling package paths may be read for field layout only — never sibling domain docs. + +## Evidence tiers (use in Pass 2–4) + +| Tier | Source | What you may claim | +| --- | --- | --- | +| **A — Package fixture** | `sample_event.json`, `*-expected.json`, ingest pipeline in package | Field populated, mapping correct, Pass 3 example values (id, ip, email, …) | +| **B — Dashboard / search asset** | `kibana/dashboard/*.json`, `kibana/search/*.json`, `_dev/shared/kibana/*.yaml` | Field **names** and filter **literals** used in ES\|QL; aggregate patterns — **not** a single indexed document | +| **C — External** | Vendor GitHub templates, product docs, web | Schema intent only; mark **unverifiable in repo** | + +**Never label Tier B or C sources as `Fixture:`** in Pass 3. 
Use **`Evidence:`** with path and tier. + +## Pass-specific rules + +| Pass | Agent-backed | Assets-only | +| --- | --- | --- | +| **1** | List data streams from manifest | State **Package type: assets-only**; list dashboards / expected index patterns (`logs-corelight-*`, `aws.vpcflow.otel`, …); no Agent data streams | +| **2** | Fixture + pipeline evidence | Tier B/C only; `Mapping correct?` often **unverifiable**; no fixture proof claims | +| **3** | 1–3 fixture-grounded examples | **Illustrative patterns only** (see `event-graph-example.md`) — no fabricated entity values | +| **4** | `data_stream.dataset` router from manifest | Router on `event.dataset` / index pattern per dashboard ES\|QL; note fields not verified by package fixtures | + +## Anti-patterns (assets-only) + +- Calling a dashboard JSON file a **fixture** or **sample event** +- Filling Actor/Target tables with **invented** id, name, ip, geo when dashboards only show field names +- Claiming **`data_stream.dataset`** values from this integration's manifest when the package defines none +- Building Pass 3 examples that read like **one real audit event** when only filter literals exist in dashboards +- Pass 4 `CASE` branches presented as package-verified when only dashboard ES\|QL references exist diff --git a/dev/target-fields-audit/CHECKPOINT4.md b/dev/target-fields-audit/CHECKPOINT4.md new file mode 100644 index 00000000000..80c095eee97 --- /dev/null +++ b/dev/target-fields-audit/CHECKPOINT4.md 
@@ -0,0 +1,29 @@
+# Checkpoint 4 — Full scan sign-off
+
+## Artifacts
+
+| File | Description |
+|------|-------------|
+| [`out/target_fields_audit.csv`](out/target_fields_audit.csv) | One row per `(file, line, matched_prefix)` with evidence snippet. |
+| [`out/target_fields_audit_summary.md`](out/target_fields_audit_summary.md) | Aggregates, **packages scanned** count, confidence legend, unique packages by tier/prefix, Tier A `(package, data_stream)` count, **full list** of integrations with hits. |
+
+Re-run after any change under `packages/`:
+
+```bash
+python3 dev/target-fields-audit/scan.py
+```
+
+The summary header records **`git HEAD`** at generation time for reproducibility.
+
+## Acceptance checklist (owner: you)
+
+- [ ] **Coverage:** `out/target_fields_audit_summary.md` answers package counts for Tier A/B/C and each prefix.
+- [ ] **Traceability:** Any summary number can be traced to rows in the CSV (same commit SHA as in summary).
+- [ ] **Reproducibility:** Re-running `scan.py` on the same commit reproduces the same row set (deterministic scan order and rules).
+
+## Latest full-scan totals (see summary for authoritative numbers)
+
+From the generated summary at implementation time:
+
+- **29** unique packages with at least one **Tier A** (pipeline) hit.
+- **37** unique packages with any hit (A, B, or C).
diff --git a/dev/target-fields-audit/OUTPUT.md b/dev/target-fields-audit/OUTPUT.md
new file mode 100644
index 00000000000..644c63675d5
--- /dev/null
+++ b/dev/target-fields-audit/OUTPUT.md
@@ -0,0 +1,49 @@ +# Checkpoint 2 — Output schema + +- [`out/security/`](out/security/) — optional **security-only** run (`--security-only` on each scanner); same filenames as above. + +## `target_fields_audit.csv` + +One row per `(file, line_number, matched_prefix)` when a line matches one or more prefixes. + +| Column | Description | +|--------|-------------| +| `tier` | `A`, `B`, or `C`. | +| `package` | Integration package name. | +| `data_stream` | Data stream folder name, or empty. | +| `file` | Path relative to repository root. | +| `line` | 1-based line number. | +| `matched_prefix` | One of: `host.target.`, `user.target.`, `service.target.`, `entity.target.` | +| `snippet` | Truncated line text (CSV-escaped; default max 240 chars). | + +Encoding: UTF-8. + +## `target_fields_audit_summary.md` + +Machine-generated from the CSV: + +- Git `HEAD` SHA, scan timestamp, and **total integration packages scanned** (directories under `packages/` for this run). +- **Confidence legend:** `high` = any Tier A (pipeline); `medium` = Tier B only; `low` = Tier C only (see summary body). +- Unique **package** counts by `tier` and by `matched_prefix` (Tier A/B/C tables). +- Tier A unique `(package, data_stream)` pair count. +- **Full list** of every package with at least one hit: `package`, `confidence`, `tiers`, row counts per tier, `prefixes_seen`. +- Optional: if `scan.py --top-n N` with `N > 0`, a short “top N by Tier A rows” section is appended. + +## Enhancement scan (optional second pass) + +After `target_fields_audit.csv` exists, run `enhancement_scan.py` (see [README](README.md)) to produce: + +- `target_enhancement_packages.csv` — one row per package with boolean signals and a `priority` label. +- `target_enhancement_report.md` — methodology, counts, and interpretation (heuristic backlog, not ground truth). 
+ +## Vendor `*target*` scan (`vendor_target_scan.py`) + +- `vendor_target_special_cases.csv` — deduplicated dotted `field_path` values containing a `target` token, with `source` (`fields_yml_*`, `ingest_pipeline`, `expected_json`), `namespace_class`, and heuristic `suggest_bucket`. +- `vendor_target_special_cases_report.md` — aggregates (e.g. packages with vendor-prefixed paths). +- [`VENDOR_TARGET_ANALYSIS_PLAN.md`](VENDOR_TARGET_ANALYSIS_PLAN.md) — how to triage CSV rows into an ECS / `entity.target.*` backlog. + +## Destination identity review (`destination_identity_scan.py`) + +- `destination_identity_hits.csv` — pipeline lines referencing `destination.user` or `destination.host` / `destination.hostname`. +- `destination_identity_review.md` — numbered package checklist (for one-by-one review) plus per-package detail. + diff --git a/dev/target-fields-audit/PILOT_VALIDATION.md b/dev/target-fields-audit/PILOT_VALIDATION.md new file mode 100644 index 00000000000..d8d96c12cb4 --- /dev/null +++ b/dev/target-fields-audit/PILOT_VALIDATION.md 
@@ -0,0 +1,31 @@ +# Checkpoint 3 — Pilot run (for human sign-off) + +## Command + +```bash +python3 dev/target-fields-audit/scan.py \ + --only-packages vectra_detect,cyberarkpas,nginx,redis,apache,mysql_enterprise,okta \ + --output-dir dev/target-fields-audit/out/pilot +``` + +## Pilot packages + +| Package | Rationale | +|---------|-----------| +| vectra_detect | Known `user.target.*` pipeline usage | +| cyberarkpas | Known `user.target.*` pipeline usage | +| mysql_enterprise | Known pipeline + fields from earlier repo search | +| okta | Known pipeline usage | +| nginx, redis, apache | Likely low/no hit sanity check | + +## Automated self-check (implementation) + +- **Tier A** rows in pilot CSV must reference real processor lines (e.g. `set:`, `field:`, `rename`, `value:`) for known positives; pilot output is under [`out/pilot/`](out/pilot/). +- **Inline comment false positives:** Lines where a prefix appeared only after ` #` in YAML are excluded from matching (see [`SCOPE.md`](SCOPE.md)); snippets still show the full line for audit. + +## Acceptance (owner: you) + +- [ ] Spot-check 10–20 rows in `out/pilot/target_fields_audit.csv` for correct **tier** (path-based) and **prefix**. +- [ ] Confirm a known integration (e.g. `vectra_detect` or `cyberarkpas`) still appears for `user.target.` in **Tier A** after the comment heuristic. + +If precision is below expectation, run with `--ignore-yaml-comments` or proceed to [PLAN_B.md](PLAN_B.md). diff --git a/dev/target-fields-audit/PLAN_B.md b/dev/target-fields-audit/PLAN_B.md new file mode 100644 index 00000000000..b4f7c60a3bc --- /dev/null +++ b/dev/target-fields-audit/PLAN_B.md 
@@ -0,0 +1,12 @@
+# Plan B — If substring scan is insufficient
+
+Use when Checkpoint 3/4 validation shows **too many false positives** or **missed dynamic mappings**.
+
+| Symptom | Remediation |
+|--------|----------------|
+| Noise in Tier A/B/C | YAML-aware walk: only scan processor string values (`field`, `target_field`, `copy_from`, `rename`, `value`, etc.); ignore comments structurally. |
+| Missed `ctx.*` / Painless | Optional second pass: extract string literals from `script` `source` blocks; merge with tier A rows flagged `confidence=low`. |
+| Need ECS alignment | Cross-reference matched tokens against a pinned **ECS** `field` list JSON; add column `ecs_known=true/false`. |
+| Ongoing drift | Add a scheduled GitHub Action (manual or cron) that runs `scan.py` and uploads `out/` as a workflow artifact. |
+
+The default tool remains `scan.py` until one of the above is implemented.
diff --git a/dev/target-fields-audit/README.md b/dev/target-fields-audit/README.md
new file mode 100644
index 00000000000..c35ec79526a
--- /dev/null
+++ b/dev/target-fields-audit/README.md
@@ -0,0 +1,109 @@ +# ECS `*.target.*` integration audit + +Deterministic inventory of references to `host.target.*`, `user.target.*`, `service.target.*`, and `entity.target.*` under [`packages/`](../../packages/). + +## Documents + +- [SCOPE.md](SCOPE.md) — tier definitions, prefixes, defaults (Checkpoint 1). +- [OUTPUT.md](OUTPUT.md) — CSV and summary schema (Checkpoint 2). +- [PILOT_VALIDATION.md](PILOT_VALIDATION.md) — pilot command and human sign-off checklist (Checkpoint 3). +- [CHECKPOINT4.md](CHECKPOINT4.md) — full-scan artifacts and acceptance checklist (Checkpoint 4). +- [PLAN_B.md](PLAN_B.md) — contingencies if substring matching is insufficient. + +## Requirements + +Python 3.10+ (stdlib only). + +## Usage + +From the repository root: + +```bash +python3 dev/target-fields-audit/scan.py +``` + +Pilot (subset of packages): + +```bash +python3 dev/target-fields-audit/scan.py \ + --only-packages vectra_detect,cyberarkpas,nginx,redis,apache \ + --output-dir dev/target-fields-audit/out/pilot +``` + +Stricter Tier A (skip whole-line `#` comments only): + +```bash +python3 dev/target-fields-audit/scan.py --ignore-yaml-comments +``` + +Optional compact “top N by Tier A rows” section in the Markdown summary: + +```bash +python3 dev/target-fields-audit/scan.py --top-n 20 +``` + +## Security-tagged integrations only (`categories: security`) + +To restrict all scans to packages whose root [`manifest.yml`](../../packages/okta/manifest.yml) lists the **`security`** category (273 packages in this repo), use `--security-only` and a dedicated output directory: + +```bash +mkdir -p dev/target-fields-audit/out/security +python3 dev/target-fields-audit/scan.py --security-only --output-dir dev/target-fields-audit/out/security +python3 dev/target-fields-audit/enhancement_scan.py \ + --security-only \ + --audit-csv dev/target-fields-audit/out/security/target_fields_audit.csv \ + --output-dir dev/target-fields-audit/out/security +python3 
dev/target-fields-audit/vendor_target_scan.py --security-only --output-dir dev/target-fields-audit/out/security +``` + +Helper: [`manifest_util.py`](manifest_util.py) (`security_package_names()`). + +## Enhancement opportunities (broader heuristics) + +Second pass: packages that **do not** yet map ECS `*.target.*` in pipelines (per audit CSV) but show **destination / actor / fixture / docs** signals that might justify `host|user|service|entity.target.*` or generic `entity.target.*`: + +```bash +python3 dev/target-fields-audit/enhancement_scan.py +``` + +Writes [`out/target_enhancement_report.md`](out/target_enhancement_report.md) and [`out/target_enhancement_packages.csv`](out/target_enhancement_packages.csv). Re-run after refreshing `target_fields_audit.csv` with `scan.py`. + +## Vendor `*target*` fields (e.g. `okta.target`) + +Per-integration dotted paths and pipeline assignments that contain `target` but are **not** necessarily ECS `host|user|service|entity.target.*`: + +```bash +python3 dev/target-fields-audit/vendor_target_scan.py +``` + +Produces [`out/vendor_target_special_cases.csv`](out/vendor_target_special_cases.csv), [`out/vendor_target_special_cases_report.md`](out/vendor_target_special_cases_report.md), and the triage playbook [`VENDOR_TARGET_ANALYSIS_PLAN.md`](VENDOR_TARGET_ANALYSIS_PLAN.md). + +## `destination.user` / `destination.host` review list + +Per-integration checklist for manual review (ingest pipeline references only): + +```bash +python3 dev/target-fields-audit/destination_identity_scan.py +python3 dev/target-fields-audit/destination_identity_scan.py --security-only --output-dir dev/target-fields-audit/out/security +``` + +Writes `destination_identity_hits.csv` (line-level) and `destination_identity_review.md` (numbered package checklist + detail). 
+ +## Stakeholder matrix (all 445 packages) + +```bash +python3 dev/target-fields-audit/stakeholder_matrix.py +``` + +See [`STAKEHOLDER_MATRIX.md`](STAKEHOLDER_MATRIX.md) — outputs [`out/packages_stakeholder_matrix.csv`](out/packages_stakeholder_matrix.csv). + +## Outputs + +Written to `out/` by default: + +- `target_fields_audit.csv` +- `target_fields_audit_summary.md` + +## Plan B + +If substring search is too noisy or misses dynamic Painless literals, see the Plan B table in the execution plan: YAML-aware processor walk, script literal extraction, or ECS field list cross-check. This directory can host a follow-up `scan_ast.py` without changing the default CSV schema. diff --git a/dev/target-fields-audit/SCOPE.md b/dev/target-fields-audit/SCOPE.md new file mode 100644 index 00000000000..cd9d1cd2486 --- /dev/null +++ b/dev/target-fields-audit/SCOPE.md 
@@ -0,0 +1,37 @@ +# Checkpoint 1 — Approved scope (defaults from execution plan) + +This document freezes scope for the ECS `*.target.*` audit unless explicitly revised. + +## Tiers + +| Tier | Path rule | Meaning | +|------|-----------|---------| +| **A** | Under `packages/`, path contains `/elasticsearch/ingest_pipeline/`, file ends with `.yml` or `.yaml` | Ingest pipeline logic (strong signal). | +| **B** | Under `packages/`, path contains `/fields/`, file ends with `.yml` | Field definitions (weaker; schema only). | +| **C** | Under `packages/`, path contains `/kibana/`, file ends with `.json` | Kibana saved objects (separate appendix; not ingest). | + +## Field prefixes (substring match) + +- `host.target.` +- `user.target.` +- `service.target.` +- `entity.target.` + +## Excluded patterns (enhancement scan) + +- **`related.*`** (e.g. `related.user`) is not treated as a target signal: related entities may be actor or target without disambiguation in the catalog. + +## Integration grain + +- **package**: first path segment under `packages/` (e.g. `okta`). +- **data_stream**: segment after `data_stream/` when present; otherwise empty. +- **file**: repository-relative path. + +## Comments + +- **Whole-line** `#` comments: skipped when using `--ignore-yaml-comments`. +- **End-of-line** comments: by default, text after a ` #` sequence (space + hash) is ignored for prefix matching only (heuristic; not a YAML lexer). Snippets in the CSV still show the full original line. + +## Tier C handling + +Tier C hits are reported in the same CSV with `tier=C` and summarized separately so pipeline counts stay comparable across integrations. diff --git a/dev/target-fields-audit/STAKEHOLDER_MATRIX.md b/dev/target-fields-audit/STAKEHOLDER_MATRIX.md new file mode 100644 index 00000000000..055b47e84d5 --- /dev/null +++ b/dev/target-fields-audit/STAKEHOLDER_MATRIX.md 
@@ -0,0 +1,43 @@ +# Stakeholder matrix — `packages_stakeholder_matrix.csv` + +## Generate + +```bash +python3 dev/target-fields-audit/stakeholder_matrix.py +``` + +Output: [`out/packages_stakeholder_matrix.csv`](out/packages_stakeholder_matrix.csv) — **445 rows** (one per integration under `packages/`). + +## Columns + +| Column | Values | Source | +|--------|--------|--------| +| **package** | integration directory name | `packages//` | +| **security category** | Y / N | Root `manifest.yml` lists catalog category `security` | +| **observability category** | Y / N | Root `manifest.yml` lists catalog category `observability` | +| **graph visualization support** | `supported` / `identified potential` / `missing` | Heuristic from audit artifacts (see below) | +| **new strategy support (destination field)** | Y / N | Y if ingest pipeline references `destination.user` or `destination.host` / `destination.hostname` ([`destination_identity_hits.csv`](out/destination_identity_hits.csv)) | +| **support verified** | Y / N | Defaults to **N** (automated scan only). Set **Y** manually after product review. | +| **other catalog categories** | text (may be empty) | All other categories from the same manifest, joined with `; ` (e.g. `network; threat_intel`). Excludes `security` and `observability`. Last column for easy filtering in spreadsheets. | + +## Graph visualization support (automated rules) + +Priority order: + +1. **`supported`** — Tier **A** hit in [`target_fields_audit.csv`](out/target_fields_audit.csv): pipeline maps ECS `host.target.*`, `user.target.*`, `service.target.*`, or `entity.target.*`. +2. **`identified potential`** — Not Tier A, but at least one of: + - **new strategy** destination field (Y above), or + - ECS `*.target.*` only in Tier **B** (fields) or **C** (Kibana JSON), or + - Vendor-namespaced `*target*` path in [`vendor_target_special_cases.csv`](out/vendor_target_special_cases.csv) (`vendor_root` / `vendor_namespaced`). +3. 
**`missing`** — None of the above. + +## Inputs refreshed when re-running + +Re-run upstream scans first if the repo changed: + +```bash +python3 dev/target-fields-audit/scan.py +python3 dev/target-fields-audit/destination_identity_scan.py +python3 dev/target-fields-audit/vendor_target_scan.py +python3 dev/target-fields-audit/stakeholder_matrix.py +``` diff --git a/dev/target-fields-audit/VENDOR_TARGET_ANALYSIS_PLAN.md b/dev/target-fields-audit/VENDOR_TARGET_ANALYSIS_PLAN.md new file mode 100644 index 00000000000..d2febac3bbf --- /dev/null +++ b/dev/target-fields-audit/VENDOR_TARGET_ANALYSIS_PLAN.md 
@@ -0,0 +1,58 @@ +# Analysis plan — vendor `*target*` fields → ECS target / `entity.target.*` + +## Goal + +Turn `vendor_target_special_cases.csv` into an actionable backlog: which integrations expose +vendor-specific **target** semantics (`okta.target`, `canva.audit.target.*`, `azure.provisioning.properties.target_identity.*`, …) +and how to normalise them at ingest or in ES|QL (`CASE` / `COALESCE`) into `user.target.*`, `host.target.*`, +`service.target.*`, or **`entity.target.*`** when classification is unclear. + +## Inputs + +| Artifact | Use | +| --- | --- | +| [`out/vendor_target_special_cases.csv`](out/vendor_target_special_cases.csv) | One row per deduplicated field path + where it was found (fields vs pipeline vs fixture). | +| [`out/vendor_target_special_cases_report.md`](out/vendor_target_special_cases_report.md) | Package-level counts and namespace mix. | +| [`out/target_fields_audit.csv`](out/target_fields_audit.csv) | Already-mapped ECS `*.target.*` (avoid duplicate work). | +| [`out/target_enhancement_packages.csv`](out/target_enhancement_packages.csv) | Broader destination/actor heuristics per integration. | + +## Triage workflow (recommended) + +### Step 1 — Filter vendor signal + +In the CSV, keep rows where `namespace_class` is `vendor_root` or `vendor_namespaced`. +These are the closest analogues to `okta.target`. + +### Step 2 — Group by `package` + `data_stream` + +Produce a short table per data stream: distinct `field_path`, `source`, and whether the path +already appears in `target_fields_audit.csv` for that package (Tier A ECS target). + +### Step 3 — Semantic review (human) + +For each field path, answer: + +1. **Actor vs target** — Is this the object acted upon, or the initiating principal? +2. **Cardinality** — Single object vs collection (e.g. `okta.target` list)? +3. **ECS mapping** — `user.target.*`, `host.target.*`, `service.target.*`, or fallback `entity.target.*`? 
+ +### Step 4 — Runtime ES|QL prototype + +For the top N integrations by hit count, draft a `CASE` chain (see Elastic `CASE` docs) ordered: +existing ECS `*.target.*` → vendor `*.target.*` identity fields → generic `entity.target.*`. + +### Step 5 — Validate on fixtures + +Use rows with `source=expected_json` to run simulate / sample queries against golden documents. + +## Reporting outputs (for stakeholders) + +1. **Executive one-pager:** X integrations with vendor `*target*` paths; Y already overlap ECS target; Z net-new. +2. **Per-integration appendix:** field_path list + recommended ECS bucket + confidence. +3. **Runtime matrix:** integration → ES|QL fragment version (for reuse in Kibana). + +## Caveats + +- Nested `fields.yml` stack parsing can miss unusual YAML; re-run after major field refactors. +- Keys in `expected.json` may include escaped vendor blobs; treat as hints. +- Paths like `oracle.memory.pga.aggregate_target` are **not** security “target entity” semantics — filter with an exclusion list as you learn them. diff --git a/dev/target-fields-audit/destination_identity_scan.py b/dev/target-fields-audit/destination_identity_scan.py new file mode 100644 index 00000000000..8a231f6a4fa --- /dev/null +++ b/dev/target-fields-audit/destination_identity_scan.py 
@@ -0,0 +1,279 @@ +#!/usr/bin/env python3 +""" +List integrations that reference destination.user or destination.host in ingest pipelines. + +Produces a per-line CSV and a package-grouped Markdown review list for manual triage. +""" + +from __future__ import annotations + +import argparse +import csv +import re +import subprocess +import sys +from collections import defaultdict +from dataclasses import dataclass +from datetime import datetime, timezone +from pathlib import Path + +_SCRIPT_DIR = Path(__file__).resolve().parent +if str(_SCRIPT_DIR) not in sys.path: + sys.path.insert(0, str(_SCRIPT_DIR)) + +import scan as sc # noqa: E402 +import manifest_util # noqa: E402 + +RE_PIPELINE_ASSIGN = re.compile( + r"(?i)(?:target_field|field|copy_from|rename|set)\s*:\s*([a-z0-9_.]+)", +) + +# Match ECS destination identity paths (not related.*). +RE_DEST_USER = re.compile(r"destination\.user(?:\.|\b)", re.IGNORECASE) +RE_DEST_HOST = re.compile(r"destination\.(?:host|hostname)(?:\.|\b)", re.IGNORECASE) + +MAX_PIPELINE_LINES = 80_000 + + +@dataclass +class Hit: + package: str + data_stream: str + dest_kind: str # destination.user | destination.host + file: str + line: int + field_path: str + snippet: str + + +def parse_data_stream(rel_parts: list[str]) -> str: + try: + i = rel_parts.index("data_stream") + if i + 1 < len(rel_parts): + return rel_parts[i + 1] + except ValueError: + pass + return "" + + +def classify_dest_kind(text: str) -> list[str]: + hay = sc.line_for_prefix_search(text) + kinds: list[str] = [] + if RE_DEST_USER.search(hay): + kinds.append("destination.user") + if RE_DEST_HOST.search(hay): + kinds.append("destination.host") + return kinds + + +def scan_pipeline_file(pkg: str, path: Path, rel: str) -> list[Hit]: + hits: list[Hit] = [] + parts = rel.split("/") + ds = parse_data_stream(parts) + try: + lines = path.read_text(encoding="utf-8", errors="replace").splitlines() + except OSError: + return hits + if len(lines) > MAX_PIPELINE_LINES: + lines = 
lines[:MAX_PIPELINE_LINES] + + for i, raw in enumerate(lines, start=1): + if sc.should_skip_line(raw, False): + continue + line = sc.line_for_prefix_search(raw) + kinds = classify_dest_kind(line) + if not kinds: + continue + snippet = raw.strip() + if len(snippet) > 240: + snippet = snippet[:237] + "..." + paths_found: set[str] = set() + for m in RE_PIPELINE_ASSIGN.finditer(line): + val = m.group(1) + for k in kinds: + if k == "destination.user" and RE_DEST_USER.search(val): + paths_found.add(val) + elif k == "destination.host" and RE_DEST_HOST.search(val): + paths_found.add(val) + if not paths_found: + for k in kinds: + hits.append(Hit(pkg, ds, k, rel, i, k, snippet)) + else: + for val in sorted(paths_found): + if RE_DEST_USER.search(val): + hits.append(Hit(pkg, ds, "destination.user", rel, i, val, snippet)) + if RE_DEST_HOST.search(val): + hits.append(Hit(pkg, ds, "destination.host", rel, i, val, snippet)) + return hits + + +def iter_pipeline_files(pkg_dir: Path) -> list[Path]: + paths: list[Path] = [] + for pattern in ( + "data_stream/**/elasticsearch/ingest_pipeline/*.yml", + "data_stream/**/elasticsearch/ingest_pipeline/*.yaml", + ): + paths.extend(pkg_dir.glob(pattern)) + return paths + + +def git_head(repo: Path) -> str: + try: + return subprocess.check_output( + ["git", "-C", str(repo), "rev-parse", "HEAD"], + stderr=subprocess.DEVNULL, + text=True, + ).strip() + except (subprocess.CalledProcessError, FileNotFoundError): + return "unknown" + + +def write_csv(path: Path, hits: list[Hit]) -> None: + path.parent.mkdir(parents=True, exist_ok=True) + with path.open("w", encoding="utf-8", newline="") as f: + w = csv.writer(f) + w.writerow( + ["package", "data_stream", "dest_kind", "file", "line", "field_path", "snippet"] + ) + for h in hits: + w.writerow( + [h.package, h.data_stream, h.dest_kind, h.file, h.line, h.field_path, h.snippet] + ) + + +def write_review_md(path: Path, hits: list[Hit], packages_scanned: int, filter_note: str, sha: str) -> None: + ts = 
datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + by_pkg: dict[str, list[Hit]] = defaultdict(list) + for h in hits: + by_pkg[h.package].append(h) + + pkg_has_user: set[str] = set() + pkg_has_host: set[str] = set() + for h in hits: + if h.dest_kind == "destination.user": + pkg_has_user.add(h.package) + else: + pkg_has_host.add(h.package) + + lines: list[str] = [ + "# Destination identity review list", + "", + f"- **git HEAD:** `{sha}`", + f"- **generated (UTC):** {ts}", + f"- **integration packages scanned:** {packages_scanned}", + f"- **packages with `destination.user` in pipeline:** {len(pkg_has_user)}", + f"- **packages with `destination.host` / `destination.hostname` in pipeline:** {len(pkg_has_host)}", + f"- **packages with either:** {len(by_pkg)}", + f"- **evidence rows:** {len(hits)}", + "", + ] + if filter_note: + lines.append(f"- **filter:** {filter_note}") + lines.append("") + + lines.extend( + [ + "Use [`destination_identity_hits.csv`](destination_identity_hits.csv) for line-level evidence.", + "", + "## Package checklist (sorted A–Z)", + "", + "Review each integration: confirm whether `destination.user` / `destination.host`", + "represents the **target** of the action (candidate for `user.target.*` / `host.target.*`)", + "or only network/session context.", + "", + "| # | package | destination.user | destination.host | data_streams |", + "| ---: | --- | :---: | :---: | --- |", + ] + ) + + for idx, pkg in enumerate(sorted(by_pkg.keys()), start=1): + ph = by_pkg[pkg] + has_u = "yes" if pkg in pkg_has_user else "" + has_h = "yes" if pkg in pkg_has_host else "" + streams = ", ".join(sorted({h.data_stream for h in ph if h.data_stream})) + lines.append(f"| {idx} | {pkg} | {has_u} | {has_h} | {streams} |") + + lines.append("") + lines.append("## Per-package detail") + lines.append("") + + for pkg in sorted(by_pkg.keys()): + ph = sorted(by_pkg[pkg], key=lambda x: (x.data_stream, x.file, x.line)) + lines.append(f"### {pkg}") + lines.append("") + for h in 
ph: + ds = h.data_stream or "(package-level)" + lines.append( + f"- **{h.dest_kind}** — `{h.field_path}` — `{h.file}:{h.line}` — data_stream: `{ds}`" + ) + lines.append("") + + path.write_text("\n".join(lines), encoding="utf-8") + + +def main() -> int: + ap = argparse.ArgumentParser( + description="List packages referencing destination.user or destination.host in pipelines" + ) + ap.add_argument("--repo-root", type=Path, default=_SCRIPT_DIR.parents[1]) + ap.add_argument("--output-dir", type=Path, default=_SCRIPT_DIR / "out") + ap.add_argument( + "--security-only", + action="store_true", + help="Only packages with manifest category `security`", + ) + args = ap.parse_args() + + repo = args.repo_root.resolve() + packages = repo / "packages" + if not packages.is_dir(): + print(f"error: {packages}", file=sys.stderr) + return 1 + + sec: set[str] | None = None + if args.security_only: + sec = manifest_util.security_package_names(packages) + + all_hits: list[Hit] = [] + scanned = 0 + for pkg_dir in sorted(packages.iterdir()): + if not pkg_dir.is_dir(): + continue + pkg = pkg_dir.name + if sec is not None and pkg not in sec: + continue + scanned += 1 + for path in iter_pipeline_files(pkg_dir): + rel = str(path.relative_to(repo)).replace("\\", "/") + all_hits.extend(scan_pipeline_file(pkg, path, rel)) + + dedup: dict[tuple[str, str, str, str, int], Hit] = {} + for h in all_hits: + k = (h.package, h.dest_kind, h.file, h.field_path, h.line) + dedup[k] = h + hits = sorted( + dedup.values(), + key=lambda x: (x.package, x.dest_kind, x.data_stream, x.file, x.line), + ) + + out = args.output_dir.resolve() + csv_path = out / "destination_identity_hits.csv" + md_path = out / "destination_identity_review.md" + write_csv(csv_path, hits) + + filter_note = "" + if args.security_only: + filter_note = ( + "Only integrations whose root manifest lists the `security` category." 
+ ) + write_review_md(md_path, hits, scanned, filter_note, git_head(repo)) + + print(f"packages scanned: {scanned}") + print(f"packages with hits: {len({h.package for h in hits})}") + print(f"rows -> {csv_path}") + print(f"review -> {md_path}") + return 0 + + +if __name__ == "__main__": + raise SystemExit(main()) diff --git a/dev/target-fields-audit/enhancement_scan.py b/dev/target-fields-audit/enhancement_scan.py new file mode 100644 index 00000000000..937cf327cf9 --- /dev/null +++ b/dev/target-fields-audit/enhancement_scan.py 
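Review bot: The `snippet` column written by `write_csv` is the raw pipeline line, and YAML processor lines normally begin with `- ` (sometimes `=` or `+` inside a Painless source), which the usual CSV-injection guidance lists as formula prefixes that spreadsheet applications evaluate when the file is opened for the manual triage this review list is built for; in `scan_pipeline_file`, right after `snippet = raw.strip()`, neutralise that with `if snippet[:1] in "=+-@\t\r": snippet = "'" + snippet`. The text comes from the repository's own pipelines, so the exposure is modest, but the CSV is precisely the artefact reviewers open in a spreadsheet. Separately, `scan_pipeline_file` truncates a file at `MAX_PIPELINE_LINES` without reporting it, so hits past that point vanish silently while the README advertises a deterministic inventory; a `print(f"warning: {rel} truncated to {MAX_PIPELINE_LINES} lines", file=sys.stderr)` before the slice keeps the coverage claim honest. Finally, `classify_dest_kind` re-applies `sc.line_for_prefix_search` to a line the caller already passed through it, so either pass `raw` from the loop or drop the inner call to avoid the double stripping.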
@@ -0,0 +1,413 @@ +#!/usr/bin/env python3 +""" +Heuristic scan for integrations that may be enhanced with ECS *target* semantics +(host.target.*, user.target.*, service.target.*, entity.target.*), including +generic entity.target.* when classification is unclear. + +Reads existing pipeline/field evidence from target_fields_audit.csv when present, +and adds broader signals from ingest pipelines, pipeline test fixtures (*expected.json), +and package docs. + +This is engineering judgment from repository text — not runtime log analysis. +""" + +from __future__ import annotations + +import argparse +import csv +import re +import subprocess +import sys +from collections import defaultdict +from dataclasses import dataclass +from datetime import datetime, timezone +from pathlib import Path + +# Import shared helpers from sibling module +_SCRIPT_DIR = Path(__file__).resolve().parent +if str(_SCRIPT_DIR) not in sys.path: + sys.path.insert(0, str(_SCRIPT_DIR)) + +import scan as sc # noqa: E402 +import manifest_util # noqa: E402 + +MAX_FIXTURE_BYTES = 4_000_000 +MAX_DOC_BYTES = 400_000 + +# Ingest pipeline: identity-like destination (maps cleanly to "who/what was targeted"). +RE_PIPELINE_DEST_IDENTITY = re.compile( + r"destination\.(user|host|hostname|domain|username|email)", + re.IGNORECASE, +) + +# Network-style destination (common; weaker signal alone). +RE_PIPELINE_DEST_NETWORK = re.compile( + r"destination\.(address|ip|ipv6|mac|port|geo\.|bytes|packets)", + re.IGNORECASE, +) + +# Actor / victim / impersonation language (excludes related.* — actor vs target is ambiguous). +RE_PIPELINE_ACTOR = re.compile( + r"(\b(principal|impersonat|victim)\b|protoPayload\.(authentication|authorization)|" + r"threat\.target|source\.user\.(name|id)|user\.changes\.)", + re.IGNORECASE, +) + +# Generic ECS entity.* (not already entity.target.*) may be a mapping source. 
+RE_PIPELINE_ENTITY_OTHER = re.compile( + r"entity\.(id|name|type|domain)(\.|\b)", + re.IGNORECASE, +) + +# Fixture / doc patterns +RE_FIXTURE_STRONG = re.compile( + r"(destination\.(user|host|hostname|domain|username|email)|" + r"\"(host|user|service|entity)\.target\.|" + r"\"[^\"]{0,64}[Tt]arget[^\"]{0,64}\"\s*:)", + re.IGNORECASE, +) + +RE_DOCS_LEXICON = re.compile( + r"(target (user|host|resource|principal|account|service)|" + r"affected (user|host|resource|asset)|security principal|" + r"resource (affected|targeted)|\bvictim\b|impersonat|" + r"subject (of|user)|object (user|principal)|" + r"who was (targeted|affected)|principal (that|was))", + re.IGNORECASE, +) + + +@dataclass +class PackageSignals: + ecs_target_pipeline: bool = False # from audit CSV: Tier A + ECS target prefixes + pipeline_dest_identity: bool = False + pipeline_dest_network: bool = False + pipeline_actor: bool = False + pipeline_entity_other: bool = False + fixture_strong: bool = False + docs_lexicon: bool = False + + def pipeline_any(self) -> bool: + return ( + self.pipeline_dest_identity + or self.pipeline_dest_network + or self.pipeline_actor + or self.pipeline_entity_other + ) + + +def load_ecs_target_packages_from_audit(csv_path: Path) -> set[str]: + if not csv_path.is_file(): + return set() + out: set[str] = set() + with csv_path.open(encoding="utf-8", newline="") as f: + for row in csv.DictReader(f): + if row.get("tier") == "A" and row.get("matched_prefix") in sc.PREFIXES: + out.add(row["package"]) + return out + + +def scan_pipeline_file(path: Path, sig: PackageSignals) -> None: + try: + text = path.read_text(encoding="utf-8", errors="replace") + except OSError: + return + ecs_hit = False + for line in text.splitlines(): + if sc.should_skip_line(line, False): + continue + hay = sc.line_for_prefix_search(line) + if sc.line_matches_prefixes(line): + ecs_hit = True + if RE_PIPELINE_DEST_IDENTITY.search(hay): + sig.pipeline_dest_identity = True + if RE_PIPELINE_DEST_NETWORK.search(hay): 
+ sig.pipeline_dest_network = True + if RE_PIPELINE_ACTOR.search(hay): + sig.pipeline_actor = True + if RE_PIPELINE_ENTITY_OTHER.search(hay): + sig.pipeline_entity_other = True + if ecs_hit: + sig.ecs_target_pipeline = True + + +def scan_fixture_file(path: Path, sig: PackageSignals) -> None: + try: + sz = path.stat().st_size + if sz > MAX_FIXTURE_BYTES: + data = path.read_bytes()[:MAX_FIXTURE_BYTES].decode("utf-8", errors="replace") + else: + data = path.read_text(encoding="utf-8", errors="replace") + except OSError: + return + if RE_FIXTURE_STRONG.search(data): + sig.fixture_strong = True + + +def scan_doc_file(path: Path, sig: PackageSignals) -> None: + try: + data = path.read_text(encoding="utf-8", errors="replace") + if len(data) > MAX_DOC_BYTES: + data = data[:MAX_DOC_BYTES] + except OSError: + return + if RE_DOCS_LEXICON.search(data): + sig.docs_lexicon = True + + +def classify_priority( + ecs_from_audit: bool, + s: PackageSignals, +) -> str: + """Single label per package for reporting.""" + if ecs_from_audit or s.ecs_target_pipeline: + return "already_maps_ecs_target" + if s.pipeline_dest_identity or s.pipeline_actor: + return "strong_candidate" + if s.fixture_strong or s.pipeline_entity_other: + return "moderate_candidate" + if s.pipeline_dest_network: + return "moderate_candidate_network_dest" + if s.docs_lexicon: + return "exploratory_docs" + return "none" + + +def iter_package_dirs(packages_dir: Path) -> list[Path]: + return sorted(p for p in packages_dir.iterdir() if p.is_dir()) + + +def analyze_package(pkg_dir: Path, ecs_from_audit: set[str]) -> PackageSignals: + name = pkg_dir.name + sig = PackageSignals() + + for path in pkg_dir.rglob("*"): + if not path.is_file(): + continue + rel = str(path.relative_to(pkg_dir.parent.parent)).replace("\\", "/") + if not rel.startswith(f"packages/{name}/"): + continue + rel_under = rel[len("packages/") + len(name) + 1 :] + tier = sc.classify_tier(f"{name}/{rel_under}") + + if tier == "A" and (path.suffix in (".yml", 
".yaml")): + scan_pipeline_file(path, sig) + + if path.name.endswith("-expected.json") or path.name.endswith(".log-expected.json"): + if "/_dev/test/" in rel.replace("\\", "/"): + scan_fixture_file(path, sig) + + if "/docs/" in rel and path.suffix.lower() == ".md": + scan_doc_file(path, sig) + + if name in ecs_from_audit: + sig.ecs_target_pipeline = True + + return sig + + +def main() -> int: + ap = argparse.ArgumentParser(description="ECS target enhancement opportunity scan") + ap.add_argument("--repo-root", type=Path, default=_SCRIPT_DIR.parents[1]) + ap.add_argument( + "--audit-csv", + type=Path, + default=_SCRIPT_DIR / "out" / "target_fields_audit.csv", + help="Existing Tier A ECS target audit (optional)", + ) + ap.add_argument("--output-dir", type=Path, default=_SCRIPT_DIR / "out") + ap.add_argument( + "--security-only", + action="store_true", + help="Only include packages whose root manifest.yml lists category `security`", + ) + args = ap.parse_args() + + repo_root = args.repo_root.resolve() + packages_dir = repo_root / "packages" + if not packages_dir.is_dir(): + print(f"error: missing {packages_dir}", file=sys.stderr) + return 1 + + ecs_from_audit = load_ecs_target_packages_from_audit(args.audit_csv.resolve()) + + pkg_dirs = iter_package_dirs(packages_dir) + if args.security_only: + sec = manifest_util.security_package_names(packages_dir) + pkg_dirs = [p for p in pkg_dirs if p.name in sec] + + rows: list[dict[str, str]] = [] + by_priority: dict[str, list[str]] = defaultdict(list) + + for pkg_dir in pkg_dirs: + name = pkg_dir.name + sig = analyze_package(pkg_dir, ecs_from_audit) + priority = classify_priority(name in ecs_from_audit, sig) + by_priority[priority].append(name) + + rows.append( + { + "package": name, + "priority": priority, + "ecs_target_tierA_audit": str(name in ecs_from_audit).lower(), + "pipeline_dest_identity": str(sig.pipeline_dest_identity).lower(), + "pipeline_dest_network": str(sig.pipeline_dest_network).lower(), + "pipeline_actor": 
str(sig.pipeline_actor).lower(), + "pipeline_entity_other": str(sig.pipeline_entity_other).lower(), + "fixture_strong": str(sig.fixture_strong).lower(), + "docs_lexicon": str(sig.docs_lexicon).lower(), + } + ) + + rows.sort(key=lambda r: (r["priority"], r["package"])) + + out_dir = args.output_dir.resolve() + out_dir.mkdir(parents=True, exist_ok=True) + csv_path = out_dir / "target_enhancement_packages.csv" + md_path = out_dir / "target_enhancement_report.md" + + with csv_path.open("w", encoding="utf-8", newline="") as f: + fieldnames = [ + "package", + "priority", + "ecs_target_tierA_audit", + "pipeline_dest_identity", + "pipeline_dest_network", + "pipeline_actor", + "pipeline_entity_other", + "fixture_strong", + "docs_lexicon", + ] + w = csv.DictWriter(f, fieldnames=fieldnames, extrasaction="ignore") + w.writeheader() + w.writerows(rows) + + ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + try: + audit_rel = args.audit_csv.resolve().relative_to(repo_root) + except ValueError: + audit_rel = args.audit_csv.resolve() + try: + sha = subprocess.check_output( + ["git", "-C", str(repo_root), "rev-parse", "HEAD"], + stderr=subprocess.DEVNULL, + text=True, + ).strip() + except (subprocess.CalledProcessError, FileNotFoundError): + sha = "unknown" + + total = len(pkg_dirs) + total_safe = max(total, 1) + already = len(by_priority["already_maps_ecs_target"]) + strong = len(by_priority["strong_candidate"]) + mod = len(by_priority["moderate_candidate"]) + mod_net = len(by_priority["moderate_candidate_network_dest"]) + expl = len(by_priority["exploratory_docs"]) + none = len(by_priority["none"]) + + # Non-overlapping enhancement funnel (exclude already mapped) + enhance_union = strong + mod + mod_net + expl + + md_lines = [ + "# ECS target semantics — enhancement opportunity report", + "", + f"- **git HEAD:** `{sha}`", + f"- **generated (UTC):** {ts}", + f"- **packages scanned:** {total}", + "", + ] + if args.security_only: + md_lines.extend( + [ + "- **filter:** 
Only integrations whose root `packages//manifest.yml` includes the `security` category.", + "", + ] + ) + md_lines.extend( + [ + f"- **audit CSV used:** `{audit_rel}` (Tier A ECS `*.target.*` packages: {already})", + "", + "## What this report is (and is not)", + "", + "**Is:** A static, heuristic pass over this repository only — ingest pipeline YAML,", + "pipeline `*expected.json` fixtures (truncated for very large files), and `docs/**/*.md`.", + "Signals are meant to suggest where vendor logs *might* describe a second party", + "(user/host/service/resource) that could be modeled as ECS **target** fields or", + "**`entity.target.*`** when classification is unclear.", + "", + "**Is not:** Log volume, production field population, or vendor API guarantees.", + "Each row still needs product/security review before changing mappings.", + "", + "## Method — signal definitions", + "", + "| Signal | Meaning |", + "| --- | --- |", + "| `pipeline_dest_identity` | Pipeline references `destination.user`, `destination.host`, `destination.domain`, etc. |", + "| `pipeline_dest_network` | Pipeline references `destination.ip`, `destination.address`, ports/geo/bytes (common in flow logs). |", + "| `pipeline_actor` | `principal`, `victim`, `impersonat`, `protoPayload.authentication`, `source.user`, etc. (not `related.*`) |", + "| `pipeline_entity_other` | `entity.id` / `entity.name` / `entity.type` (not already `entity.target.*`). |", + "| `fixture_strong` | Pipeline expected JSON contains destination identity, ECS `*.target.*`, or JSON keys containing `target`. |", + "| `docs_lexicon` | Docs mention “target user/host”, “affected user”, “principal”, “victim”, etc. |", + "", + "## Priority labels (per package)", + "", + "| Label | Rule |", + "| --- | --- |", + "| `already_maps_ecs_target` | Listed with Tier A hits for `host|user|service|entity.target.*` in the audit CSV. |", + "| `strong_candidate` | Not already mapped **and** (`pipeline_dest_identity` **or** `pipeline_actor`). 
|", + "| `moderate_candidate` | Not stronger **and** (`fixture_strong` **or** `pipeline_entity_other`). |", + "| `moderate_candidate_network_dest` | Not stronger **and** only `pipeline_dest_network` among pipeline/fixture signals. |", + "| `exploratory_docs` | Not above **and** `docs_lexicon` only. |", + "| `none` | No heuristic signal. |", + "", + "## Counts", + "", + f"| Priority | Packages | Share of scanned |", + f"| --- | ---: | ---: |", + f"| Already maps ECS target (Tier A audit) | {already} | {already/total_safe:.1%} |", + f"| **Strong enhancement candidate** | {strong} | {strong/total_safe:.1%} |", + f"| Moderate (fixtures / generic entity) | {mod} | {mod/total_safe:.1%} |", + f"| Moderate (network `destination.*` only) | {mod_net} | {mod_net/total_safe:.1%} |", + f"| Exploratory (documentation phrasing only) | {expl} | {expl/total_safe:.1%} |", + f"| No signal | {none} | {none/total_safe:.1%} |", + "", + "### Interpretation", + "", + f"- **Already using ECS target fields in pipelines (audit):** {already} / {total} packages.", + f"- **Packages we would revisit first for new target mappings:** **{strong}** strong candidates.", + f"- **Broader backlog (includes weaker / noisier signals):** **{enhance_union}** packages " + f"(strong + moderate + moderate_network_only + exploratory), i.e. anything not `none` and not already mapped.", + f"- If you only trust identity/actor-style pipeline evidence, focus on the **{strong}** strong bucket first, " + f"then selectively pull from **{mod}** moderate cases after reviewing fixtures.", + "", + "**Note:** `strong_candidate` is an **upper bound**. Some regex matches (e.g. " + "`destination.host` in pure flow telemetry) reflect common ECS patterns without always " + "implying a distinct “target” entity for SIEM. 
Use [`target_enhancement_packages.csv`](target_enhancement_packages.csv) " + "to triage by toggling signals off in a spreadsheet filter.", + "", + "## Machine-readable output", + "", + f"- Per-package flags: [`target_enhancement_packages.csv`](target_enhancement_packages.csv)", + "", + "## Follow-ups (not automated here)", + "", + "- Vendor-specific field dictionaries (OCSF, ASIM, raw vendor `target*`) → ECS mapping tables.", + "- Runtime sampling / simulate ingest to confirm population rates.", + "- When entity type is unknown, map remaining attributes to **`entity.target.*`** per your placeholder rule.", + "", + ] + ) + md_path.write_text("\n".join(md_lines), encoding="utf-8") + + print(f"Wrote {csv_path} ({len(rows)} packages)") + print(f"Wrote {md_path}") + print( + f"Summary: total={total}, already_target={already}, " + f"strong={strong}, moderate={mod}, mod_net={mod_net}, exploratory={expl}, " + f"enhancement_backlog_union={enhance_union}" + ) + return 0 + + +if __name__ == "__main__": + raise SystemExit(main()) diff --git a/dev/target-fields-audit/manifest_util.py b/dev/target-fields-audit/manifest_util.py new file mode 100644 index 00000000000..3cbb02144b3 --- /dev/null +++ b/dev/target-fields-audit/manifest_util.py 
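Review bot: The report labels the `already` figure as the Tier A audit count (`Already maps ECS target (Tier A audit)` and `audit CSV used: ... (Tier A ECS *.target.* packages: {already})`), but `classify_priority` returns `already_maps_ecs_target` when either `ecs_from_audit` or `s.ecs_target_pipeline` holds, and the latter is also set by the live `sc.line_matches_prefixes` pass in `scan_pipeline_file`, so the number is the union of CSV entries and fresh pipeline hits and can differ from what the audit CSV lists (notably when `--audit-csv` is absent and `ecs_from_audit` is empty). Either word the table row and the `audit CSV used` line as `audit CSV ∪ pipeline scan`, or compute the pure audit count as `sum(1 for p in pkg_dirs if p.name in ecs_from_audit)` and report that next to `already`. In `analyze_package`, `rel = str(path.relative_to(pkg_dir.parent.parent))` followed by the `rel.startswith(f"packages/{name}/")` guard silently scans nothing if the packages directory is not literally named `packages`; `rel_under = path.relative_to(pkg_dir).as_posix()` yields the same value without that assumption, and the later `rel.replace("\\", "/")` is then redundant. Separately, `scan_fixture_file` reads the entire file via `read_bytes()` before slicing to `MAX_FIXTURE_BYTES`, so the cap bounds regex input but not memory; `with path.open("rb") as f: data = f.read(MAX_FIXTURE_BYTES).decode("utf-8", errors="replace")` does what the constant intends.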
@@ -0,0 +1,76 @@
+"""Read integration package manifests under packages//manifest.yml."""
+
+from __future__ import annotations
+
+import re
+from pathlib import Path
+
+
+def parse_categories_block(text: str) -> list[str]:
+ """Extract category strings from the `categories:` YAML block (list or inline array)."""
+ m = re.search(r"(?ms)^categories:\s*(.*?)(?=^[a-zA-Z0-9_]+:\s*|\Z)", text)
+ if not m:
+ return []
+ block = m.group(1).strip()
+ if not block:
+ return []
+ if block.startswith("["):
+ inner = block.strip()
+ if inner.startswith("["):
+ inner = inner[1:]
+ if inner.endswith("]"):
+ inner = inner[:-1]
+ parts = re.split(r",\s*", inner)
+ return [p.strip().strip("'\"") for p in parts if p.strip()]
+ cats: list[str] = []
+ for line in block.splitlines():
+ line = line.strip()
+ if line.startswith("- "):
+ cats.append(line[2:].strip().strip("'\""))
+ return cats
+
+
+def package_names_with_category(packages_dir: Path, category: str) -> set[str]:
+ """Package directory names whose root manifest lists the given category (case-insensitive)."""
+ want = category.lower()
+ out: set[str] = set()
+ for manifest in sorted(packages_dir.glob("*/manifest.yml")):
+ pkg = manifest.parent.name
+ try:
+ text = manifest.read_text(encoding="utf-8", errors="replace")
+ except OSError:
+ continue
+ cats = [c.lower() for c in parse_categories_block(text)]
+ if want in cats:
+ out.add(pkg)
+ return out
+
+
+def security_package_names(packages_dir: Path) -> set[str]:
+ """Integrations tagged with `security` in root manifest categories."""
+ return package_names_with_category(packages_dir, "security")
+
+
+def load_package_categories(packages_dir: Path) -> dict[str, list[str]]:
+ """Map package name -> catalog categories from root manifest (lowercase, order preserved)."""
+ out: dict[str, list[str]] = {}
+ for manifest in sorted(packages_dir.glob("*/manifest.yml")):
+ pkg = manifest.parent.name
+ try:
+ text = manifest.read_text(encoding="utf-8", errors="replace")
+ except OSError:
+ out[pkg] = []
+ continue
+ out[pkg] = [c.lower() for c in parse_categories_block(text)]
+ return out
+
+
+def other_categories_label(
+ categories: list[str],
+ *,
+ exclude: frozenset[str] = frozenset({"security", "observability"}),
+ separator: str = "; ",
+) -> str:
+ """Join manifest categories excluding named ones (for stakeholder CSV)."""
+ rest = [c for c in categories if c not in exclude]
+ return separator.join(rest)
diff --git a/dev/target-fields-audit/out/destination_identity_hits.csv b/dev/target-fields-audit/out/destination_identity_hits.csv
new file mode 100644
index 00000000000..65d33935da6
--- /dev/null
+++ b/dev/target-fields-audit/out/destination_identity_hits.csv
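Review bot: `parse_categories_block` never strips YAML comments, so a list item written as `- security  # note` comes back as `security  # note` and `package_names_with_category` would then miss that package under `--security-only`; if any manifest in this repo carries inline comments, `line = line.split("#", 1)[0].strip()` before the `- ` check (and the same on `inner` in the flow-style branch) closes the gap. `package_names_with_category` also re-implements the glob/read/parse loop that `load_package_categories` already provides; `return {pkg for pkg, cats in load_package_categories(packages_dir).items() if want in cats}` gives the same set, since unreadable manifests map to `[]` there and are skipped here. In the flow-style branch, `inner = block.strip()` and the following `if inner.startswith("[")` re-check what the enclosing `if block.startswith("[")` already established, because `block` was stripped on assignment; `inner = block[1:]` with a single `endswith("]")` trim reads more directly.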
@@ -0,0 +1,203 @@ +package,data_stream,dest_kind,file,line,field_path,snippet +abnormal_security,ai_security_mailbox,destination.user,packages/abnormal_security/data_stream/ai_security_mailbox/elasticsearch/ingest_pipeline/default.yml,219,destination.user,- '^%{EMAILADDRESS:destination.user.email}$' +abnormal_security,ai_security_mailbox,destination.user,packages/abnormal_security/data_stream/ai_security_mailbox/elasticsearch/ingest_pipeline/default.yml,220,destination.user,- '^%{DATA:destination.user.name}$' +beyondtrust_pra,access_session,destination.host,packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml,81,json.destination.hostname,field: json.destination.hostname +beyondtrust_pra,access_session,destination.host,packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml,83,beyondtrust_pra.access_session.destination.hostname,target_field: beyondtrust_pra.access_session.destination.hostname +beyondtrust_pra,access_session,destination.host,packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml,88,beyondtrust_pra.access_session.destination.hostname,copy_from: beyondtrust_pra.access_session.destination.hostname +beyondtrust_pra,access_session,destination.host,packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml,1019,destination.host,- beyondtrust_pra.access_session.destination.hostname +beyondtrust_pra,access_session,destination.user,packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml,96,destination.user.id,field: destination.user.id +beyondtrust_pra,access_session,destination.user,packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml,253,destination.user.name,field: destination.user.name 
+beyondtrust_pra,access_session,destination.user,packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml,993,destination.user,"value: ""{{{destination.user.id}}}""" +beyondtrust_pra,access_session,destination.user,packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml,998,destination.user,"value: ""{{{destination.user.name}}}""" +cef,log,destination.user,packages/cef/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml,123,destination.user,to: destination.user.email +cef,log,destination.user,packages/cef/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml,292,destination.user,value: ['{{{destination.user.email}}}'] +cef,log,destination.user,packages/cef/data_stream/log/elasticsearch/ingest_pipeline/default.yml,103,destination.user,value: '{{{destination.user.name}}}' +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,378,destination.user.name,field: destination.user.name +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,383,destination.user.domain,field: destination.user.domain +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,579,destination.user.email,target_field: destination.user.email +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,584,destination.user,"value: [""{{{destination.user.email}}}""]" +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,589,destination.user,"value: [""{{{destination.user.email}}}""]" +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,634,destination.user.id,target_field: destination.user.id 
+checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,824,destination.user.name,field: destination.user.name +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,1515,destination.user.email,target_field: destination.user.email +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,1516,destination.user.name,field: destination.user.name +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,1518,destination.user,"if: ctx.destination?.user?.email == null && ctx.destination?.user?.name != null && ctx.destination.user.name.indexOf(""@"") > 0" +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,1520,destination.user.email,field: destination.user.email +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,1521,destination.user,pattern: '%{destination.user.name}@%{destination.user.domain}' +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,1529,destination.user,"value: ""{{{destination.user.id}}}""" +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,1535,destination.user,"value: ""{{{destination.user.name}}}""" +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,1541,destination.user,"value: ""{{{destination.user.email}}}""" +checkpoint_email,event,destination.user,packages/checkpoint_email/data_stream/event/elasticsearch/ingest_pipeline/default.yml,261,destination.user.email,field: destination.user.email 
+checkpoint_email,event,destination.user,packages/checkpoint_email/data_stream/event/elasticsearch/ingest_pipeline/default.yml,267,destination.user.email,field: destination.user.email +checkpoint_email,event,destination.user,packages/checkpoint_email/data_stream/event/elasticsearch/ingest_pipeline/default.yml,269,destination.user,pattern: '%{destination.user.name}@%{destination.user.domain}' +cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2004,destination.user.name,field: destination.user.name +cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2022,destination.user,"field: ""destination.user.name""" +cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2026,destination.user,- (%{CISCO_DOMAIN})?%{CISCO_USER_EMAIL:destination.user.email} +cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2030,destination.user,"CISCO_USER_EMAIL: ""%{CISCO_USER}@%{HOSTNAME:destination.user.domain}""" +cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2031,destination.user,"CISCO_USER: ""%{USERNAME:destination.user.name}""" +cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2032,destination.user,CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:destination.user.domain}\\)? 
+cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,3140,destination.user,description: copy destination.user.name to user.name if it is not set +cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,3142,destination.user,"value: ""{{{destination.user.name}}}""" +cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,3226,destination.user,"value: ""{{{destination.user.name}}}""" +cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,3227,destination.user,if: ctx?.destination?.user?.name != null && ctx.destination.user.name != '' && ctx.destination.user.name != '*****' +cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,3268,destination.user,"value: ""{{{destination.user.domain}}}""" +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2176,destination.user.name,field: destination.user.name +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2202,destination.user,"field: ""destination.user.name""" +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2206,destination.user,- (%{CISCO_DOMAIN})?%{CISCO_USER_EMAIL:destination.user.email} +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2210,destination.user,"CISCO_USER_EMAIL: ""%{CISCO_USER}@%{HOSTNAME:destination.user.domain}""" +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2211,destination.user,"CISCO_USER: ""%{USERNAME:destination.user.name}""" 
+cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2212,destination.user,CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:destination.user.domain}\\)? +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2995,destination.user,description: copy destination.user.name to user.name if it is not set +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2997,destination.user,"value: ""{{{destination.user.name}}}""" +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,3116,destination.user,"value: ""{{{destination.user.name}}}""" +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,3117,destination.user,if: ctx.destination?.user?.name != null && ctx.destination.user.name != '' +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,3158,destination.user,"value: ""{{{destination.user.domain}}}""" +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,3159,destination.user,if: ctx.destination?.user?.domain != null && ctx.destination.user.domain != '' +citrix_adc,log,destination.user,packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/alg_feature.yml,79,destination.user.domain,field: destination.user.domain +citrix_adc,log,destination.user,packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/alg_feature.yml,84,destination.user.name,field: destination.user.name +citrix_adc,log,destination.user,packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml,413,destination.user.name,field: destination.user.name +citrix_adc,log,destination.user,packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml,414,destination.user.email,target_field: 
destination.user.email +citrix_adc,log,destination.user,packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml,416,destination.user,"if: ctx.destination?.user?.name != null && ctx.destination.user.name.indexOf(""@"") > 0" +citrix_adc,log,destination.user,packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml,418,destination.user.email,field: destination.user.email +citrix_adc,log,destination.user,packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml,419,destination.user,pattern: '%{destination.user.name}@%{destination.user.domain}' +citrix_adc,log,destination.user,packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml,427,destination.user,value: '{{{destination.user.name}}}' +citrix_adc,log,destination.user,packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml,433,destination.user,value: '{{{destination.user.email}}}' +claroty_ctd,event,destination.host,packages/claroty_ctd/data_stream/event/elasticsearch/ingest_pipeline/default.yml,431,claroty_ctd.event.destination.host,target_field: claroty_ctd.event.destination.host +claroty_ctd,event,destination.host,packages/claroty_ctd/data_stream/event/elasticsearch/ingest_pipeline/default.yml,436,claroty_ctd.event.destination.host,copy_from: claroty_ctd.event.destination.host +claroty_ctd,event,destination.host,packages/claroty_ctd/data_stream/event/elasticsearch/ingest_pipeline/default.yml,441,destination.host,"value: ""{{{claroty_ctd.event.destination.host}}}""" +claroty_ctd,event,destination.host,packages/claroty_ctd/data_stream/event/elasticsearch/ingest_pipeline/default.yml,2144,destination.host,- claroty_ctd.event.destination.host +crowdstrike,alert,destination.user,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1931,destination.user.domain,field: destination.user.domain 
+crowdstrike,alert,destination.user,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1938,destination.user,value: '{{{destination.user.domain}}}' +crowdstrike,alert,destination.user,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1947,destination.user.name,field: destination.user.name +crowdstrike,alert,destination.user,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1954,destination.user,value: '{{{destination.user.name}}}' +cyberark_pta,events,destination.user,packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml,87,destination.user.name,field: destination.user.name +cyberark_pta,events,destination.user,packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml,88,destination.user.email,target_field: destination.user.email +cyberark_pta,events,destination.user,packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml,90,destination.user,"if: ctx.destination?.user?.name != null && ctx.destination.user.name.indexOf(""@"") > 0" +cyberark_pta,events,destination.user,packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml,92,destination.user.email,field: destination.user.email +cyberark_pta,events,destination.user,packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml,93,destination.user,pattern: '%{destination.user.name}@%{destination.user.domain}' +cyberark_pta,events,destination.user,packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml,100,destination.user,value: '{{{destination.user.name}}}' +cyberark_pta,events,destination.user,packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml,106,destination.user,value: '{{{destination.user.email}}}' +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,504,destination.user.name,- 
set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,522,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,612,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,752,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,771,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,792,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,815,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,848,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,867,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,886,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,907,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,935,destination.user.name,- set: destination.user.name 
+cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,950,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,1108,destination.user,value: '{{{destination.user.name}}}' +fortinet_fortigate,log,destination.user,packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/default.yml,754,destination.user,"value: ""{{{destination.user.name}}}""" +fortinet_fortigate,log,destination.user,packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/traffic.yml,117,destination.user.name,target_field: destination.user.name +google_secops,alert,destination.user,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1403,destination.user.email,field: destination.user.email +google_secops,alert,destination.user,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1458,destination.user.group.id,field: destination.user.group.id +google_secops,alert,destination.user,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1464,destination.user.name,field: destination.user.name +google_secops,alert,destination.user,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1469,destination.user.id,field: destination.user.id +jumpcloud,events,destination.user,packages/jumpcloud/data_stream/events/elasticsearch/ingest_pipeline/default.yml,258,destination.user,"value: ""{{{destination.user.name}}}""" +microsoft_exchange_online_message_trace,log,destination.user,packages/microsoft_exchange_online_message_trace/data_stream/log/elasticsearch/ingest_pipeline/default.yml,131,destination.user.id,field: destination.user.id 
+microsoft_exchange_online_message_trace,log,destination.user,packages/microsoft_exchange_online_message_trace/data_stream/log/elasticsearch/ingest_pipeline/default.yml,135,destination.user.email,field: destination.user.email +microsoft_exchange_online_message_trace,log,destination.user,packages/microsoft_exchange_online_message_trace/data_stream/log/elasticsearch/ingest_pipeline/default.yml,310,destination.user.name,field: destination.user.name +microsoft_exchange_online_message_trace,log,destination.user,packages/microsoft_exchange_online_message_trace/data_stream/log/elasticsearch/ingest_pipeline/default.yml,314,destination.user.domain,field: destination.user.domain +nozomi_networks,alert,destination.user,packages/nozomi_networks/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,188,destination.user.roles,field: destination.user.roles +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1019,destination.user,if (ctx.destination.user == null) { +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1020,destination.user,ctx.destination.user = new HashMap(); +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1022,destination.user,ctx.destination.user.email = new ArrayList(); +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1028,destination.user,ctx.destination.user.email.add(emails[e]); +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1032,destination.user,ctx.destination.user.email.add(emails); +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1156,destination.user.email,target_field: destination.user.email +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1172,destination.user.id,target_field: 
destination.user.id +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1437,destination.user,"String[] splitmail = ctx.destination.user.id.splitOnToken(""@"");" +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1441,destination.user,ctx.destination.user.email = ctx.destination.user.id; +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1442,destination.user,ctx.destination.user.domain = splitmail[1]; +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1443,destination.user,ctx.destination.user.name = splitmail[0]; +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1684,destination.user.email,field: destination.user.email +panw,panos,destination.user,packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml,1406,destination.user,- '^%{PATRUNKATEDHOSTNAME:destination.user.domain}\\%{USERNAME:destination.user.name}$' +panw,panos,destination.user,packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml,1407,destination.user,- '^%{PATRUNKATEDHOSTNAME:destination.user.domain}\\\\%{USERNAME:destination.user.name}$' +panw,panos,destination.user,packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml,1408,destination.user,- '^%{USERNAME:destination.user.name}@%{PATRUNKATEDHOSTNAME:destination.user.domain}$' +panw,panos,destination.user,packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml,1409,destination.user,- '^%{GREEDYDATA:destination.user.name}$' +panw,panos,destination.user,packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml,1423,panw.panos.destination.user,field: panw.panos.destination.user 
+panw,panos,destination.user,packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml,1424,destination.user.name,copy_from: destination.user.name +panw,panos,destination.user,packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml,1889,destination.user,value: '{{{destination.user.name}}}' +panw,panos,destination.user,packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml,1980,destination.user,- panw.panos.destination.user +panw,panos,destination.user,packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml,235,destination.user.email,field: destination.user.email +ping_federate,audit,destination.user,packages/ping_federate/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,350,destination.user,- destination.user.id +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,940,destination.user.domain,field: destination.user.domain +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1007,destination.user,- (?[^\\]*)[\\]*(?[^\\]*) +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1012,prisma_access.event.pan_os_value.destination.user.name,target_field: prisma_access.event.pan_os_value.destination.user.name +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1018,prisma_access.event.pan_os_value.destination.user.name,target_field: prisma_access.event.pan_os_value.destination.user.name +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1021,destination.user.domain,field: destination.user.domain +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1023,destination.user,"value: 
""{{{prisma_access.event.pan_os_value.destination.user.domain}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1027,destination.user.name,field: destination.user.name +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1029,destination.user,"value: ""{{{prisma_access.event.pan_os_value.destination.user.name}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1035,destination.user,"value: ""{{{prisma_access.event.pan_os_value.destination.user.name}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1043,destination.user,- (?[^\\]*)[\\]*(?[^\\]*) +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1048,prisma_access.event.pan_os_data.destination.user.name,target_field: prisma_access.event.pan_os_data.destination.user.name +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1054,prisma_access.event.pan_os_data.destination.user.name,target_field: prisma_access.event.pan_os_data.destination.user.name +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1057,destination.user.domain,field: destination.user.domain +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1059,destination.user,"value: ""{{{prisma_access.event.pan_os_data.destination.user.domain}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1063,destination.user.name,field: destination.user.name 
+prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1065,destination.user,"value: ""{{{prisma_access.event.pan_os_data.destination.user.name}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1071,destination.user,"value: ""{{{prisma_access.event.pan_os_data.destination.user.name}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1077,prisma_access.event.pan_os.destination.user.domain,target_field: prisma_access.event.pan_os.destination.user.domain +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1080,destination.user.domain,field: destination.user.domain +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1082,destination.user,"value: ""{{{prisma_access.event.pan_os.destination.user.domain}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1088,prisma_access.event.destination.user.id,target_field: prisma_access.event.destination.user.id +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1091,destination.user.id,field: destination.user.id +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1093,destination.user,"value: ""{{{prisma_access.event.destination.user.id}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1099,destination.user,"value: ""{{{prisma_access.event.destination.user.id}}}""" 
+prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1107,destination.user,- (?[^\\]*)[\\]*(?[^\\]*) +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1112,prisma_access.event.destination.user.name,target_field: prisma_access.event.destination.user.name +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1118,prisma_access.event.destination.user.name,target_field: prisma_access.event.destination.user.name +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1121,destination.user.domain,field: destination.user.domain +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1123,destination.user,"value: ""{{{prisma_access.event.destination.user.domain}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1127,destination.user.name,field: destination.user.name +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1129,destination.user,"value: ""{{{prisma_access.event.destination.user.name}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1135,destination.user,"value: ""{{{prisma_access.event.destination.user.name}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1141,prisma_access.event.destination.user.uuid,target_field: prisma_access.event.destination.user.uuid +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1144,destination.user.id,field: destination.user.id 
+prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1146,destination.user,"value: ""{{{prisma_access.event.destination.user.uuid}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1152,destination.user,"value: ""{{{prisma_access.event.destination.user.uuid}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,5236,destination.user,- prisma_access.event.pan_os_value.destination.user.domain +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,5237,destination.user,- prisma_access.event.pan_os_value.destination.user.name +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,5238,destination.user,- prisma_access.event.pan_os_data.destination.user.domain +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,5239,destination.user,- prisma_access.event.pan_os_data.destination.user.name +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,5240,destination.user,- prisma_access.event.pan_os.destination.user.domain +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,5241,destination.user,- prisma_access.event.destination.user.domain +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,5242,destination.user,- prisma_access.event.destination.user.id +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,5243,destination.user,- prisma_access.event.destination.user.name 
+prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,5244,destination.user,- prisma_access.event.destination.user.uuid +sentinel_one_cloud_funnel,event,destination.user,packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml,107,destination.user.name,field: destination.user.name +sentinel_one_cloud_funnel,event,destination.user,packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml,115,destination.user.domain,field: destination.user.domain +sentinel_one_cloud_funnel,event,destination.user,packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml,123,destination.user.domain,field: destination.user.domain +sentinel_one_cloud_funnel,event,destination.user,packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml,131,destination.user.name,field: destination.user.name +sentinel_one_cloud_funnel,event,destination.user,packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml,136,destination.user,value: '{{{destination.user.name}}}' +sentinel_one_cloud_funnel,event,destination.user,packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml,141,destination.user,value: '{{{destination.user.domain}}}' +sophos,xg,destination.user,packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml,107,destination.user.email,target_field: destination.user.email +sophos,xg,destination.user,packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml,117,destination.user,"value: ""{{{destination.user.email}}}""" +sophos,xg,destination.user,packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml,122,destination.user.email,target_field: destination.user.email 
+sophos,xg,destination.user,packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml,132,destination.user,"value: ""{{{destination.user.email}}}""" +swimlane,tenant_api,destination.user,packages/swimlane/data_stream/tenant_api/elasticsearch/ingest_pipeline/default.yml,178,destination.user.changes.id,target_field: destination.user.changes.id +swimlane,tenant_api,destination.user,packages/swimlane/data_stream/tenant_api/elasticsearch/ingest_pipeline/default.yml,182,destination.user.changes.name,target_field: destination.user.changes.name +swimlane,turbine_api,destination.user,packages/swimlane/data_stream/turbine_api/elasticsearch/ingest_pipeline/default.yml,195,destination.user.changes.id,target_field: destination.user.changes.id +swimlane,turbine_api,destination.user,packages/swimlane/data_stream/turbine_api/elasticsearch/ingest_pipeline/default.yml,199,destination.user.changes.name,target_field: destination.user.changes.name +trellix_epo_cloud,event,destination.user,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,178,destination.user.name,field: destination.user.name +trellix_epo_cloud,event,destination.user,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,184,destination.user,value: '{{{destination.user.name}}}' +trend_micro_vision_one,detection,destination.user,packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml,171,trend_micro_vision_one.detection.destination.user,target_field: trend_micro_vision_one.detection.destination.user +trend_micro_vision_one,detection,destination.user,packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml,1269,destination.user.name,field: destination.user.name 
+trend_micro_vision_one,detection,destination.user,packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml,1271,trend_micro_vision_one.detection.destination.user,copy_from: trend_micro_vision_one.detection.destination.user +trend_micro_vision_one,detection,destination.user,packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml,1597,trend_micro_vision_one.detection.destination.user,field: trend_micro_vision_one.detection.destination.user +trend_micro_vision_one,detection,destination.user,packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml,1789,destination.user,- trend_micro_vision_one.detection.destination.user +trendmicro,deep_security,destination.user,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,687,destination.user.name,field: destination.user.name +trendmicro,deep_security,destination.user,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,694,destination.user,value: '{{{destination.user.name}}}' +tychon,arp,destination.host,packages/tychon/data_stream/arp/elasticsearch/ingest_pipeline/rest.yml,26,destination.host,"value: ""{{{tychon.destination.hostname}}}""" +watchguard_firebox,log,destination.user,packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_traffic.yml,446,destination.user.name,field: destination.user.name +watchguard_firebox,log,destination.user,packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_traffic.yml,451,destination.user.domain,field: destination.user.domain +windows,forwarded,destination.user,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml,170,destination.user.domain,target_field: destination.user.domain 
+windows,forwarded,destination.user,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml,176,destination.user.name,target_field: destination.user.name +windows,powershell_operational,destination.user,packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml,170,destination.user.domain,target_field: destination.user.domain +windows,powershell_operational,destination.user,packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml,176,destination.user.name,target_field: destination.user.name +zoom,webhook,destination.user,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/phone.yml,175,destination.user.id,field: destination.user.id diff --git a/dev/target-fields-audit/out/destination_identity_review.md b/dev/target-fields-audit/out/destination_identity_review.md new file mode 100644 index 00000000000..0029848fcd1 --- /dev/null +++ b/dev/target-fields-audit/out/destination_identity_review.md 
@@ -0,0 +1,348 @@ +# Destination identity review list + +- **git HEAD:** `d43ff234d21161ef4cbbc25d56415e4aa72680d9` +- **generated (UTC):** 2026-05-20T08:56:42Z +- **integration packages scanned:** 445 +- **packages with `destination.user` in pipeline:** 29 +- **packages with `destination.host` / `destination.hostname` in pipeline:** 3 +- **packages with either:** 31 +- **evidence rows:** 202 + +Use [`destination_identity_hits.csv`](destination_identity_hits.csv) for line-level evidence. + +## Package checklist (sorted A–Z) + +Review each integration: confirm whether `destination.user` / `destination.host` +represents the **target** of the action (candidate for `user.target.*` / `host.target.*`) +or only network/session context. + +| # | package | destination.user | destination.host | data_streams | +| ---: | --- | :---: | :---: | --- | +| 1 | abnormal_security | yes | | ai_security_mailbox | +| 2 | beyondtrust_pra | yes | yes | access_session | +| 3 | cef | yes | | log | +| 4 | checkpoint | yes | | firewall | +| 5 | checkpoint_email | yes | | event | +| 6 | cisco_asa | yes | | log | +| 7 | cisco_ftd | yes | | log | +| 8 | citrix_adc | yes | | log | +| 9 | claroty_ctd | | yes | event | +| 10 | crowdstrike | yes | | alert | +| 11 | cyberark_pta | yes | | events | +| 12 | cyberarkpas | yes | | audit | +| 13 | fortinet_fortigate | yes | | log | +| 14 | google_secops | yes | | alert | +| 15 | jumpcloud | yes | | events | +| 16 | microsoft_exchange_online_message_trace | yes | | log | +| 17 | nozomi_networks | yes | | alert | +| 18 | o365 | yes | | audit | +| 19 | panw | yes | | panos | +| 20 | ping_federate | yes | | audit | +| 21 | prisma_access | yes | | event | +| 22 | sentinel_one_cloud_funnel | yes | | event | +| 23 | sophos | yes | | xg | +| 24 | swimlane | yes | | tenant_api, turbine_api | +| 25 | trellix_epo_cloud | yes | | event | +| 26 | trend_micro_vision_one | yes | | detection | +| 27 | trendmicro | yes | | deep_security | +| 28 | tychon | | yes | arp | +| 
29 | watchguard_firebox | yes | | log | +| 30 | windows | yes | | forwarded, powershell_operational | +| 31 | zoom | yes | | webhook | + +## Per-package detail + +### abnormal_security + +- **destination.user** — `destination.user` — `packages/abnormal_security/data_stream/ai_security_mailbox/elasticsearch/ingest_pipeline/default.yml:219` — data_stream: `ai_security_mailbox` +- **destination.user** — `destination.user` — `packages/abnormal_security/data_stream/ai_security_mailbox/elasticsearch/ingest_pipeline/default.yml:220` — data_stream: `ai_security_mailbox` + +### beyondtrust_pra + +- **destination.host** — `json.destination.hostname` — `packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml:81` — data_stream: `access_session` +- **destination.host** — `beyondtrust_pra.access_session.destination.hostname` — `packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml:83` — data_stream: `access_session` +- **destination.host** — `beyondtrust_pra.access_session.destination.hostname` — `packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml:88` — data_stream: `access_session` +- **destination.user** — `destination.user.id` — `packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml:96` — data_stream: `access_session` +- **destination.user** — `destination.user.name` — `packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml:253` — data_stream: `access_session` +- **destination.user** — `destination.user` — `packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml:993` — data_stream: `access_session` +- **destination.user** — `destination.user` — `packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml:998` — data_stream: `access_session` +- **destination.host** — `destination.host` — 
`packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml:1019` — data_stream: `access_session` + +### cef + +- **destination.user** — `destination.user` — `packages/cef/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml:123` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cef/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml:292` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cef/data_stream/log/elasticsearch/ingest_pipeline/default.yml:103` — data_stream: `log` + +### checkpoint + +- **destination.user** — `destination.user.name` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:378` — data_stream: `firewall` +- **destination.user** — `destination.user.domain` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:383` — data_stream: `firewall` +- **destination.user** — `destination.user.email` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:579` — data_stream: `firewall` +- **destination.user** — `destination.user` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:584` — data_stream: `firewall` +- **destination.user** — `destination.user` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:589` — data_stream: `firewall` +- **destination.user** — `destination.user.id` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:634` — data_stream: `firewall` +- **destination.user** — `destination.user.name` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:824` — data_stream: `firewall` +- **destination.user** — `destination.user.email` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:1515` — data_stream: `firewall` +- **destination.user** — `destination.user.name` — 
`packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:1516` — data_stream: `firewall` +- **destination.user** — `destination.user` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:1518` — data_stream: `firewall` +- **destination.user** — `destination.user.email` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:1520` — data_stream: `firewall` +- **destination.user** — `destination.user` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:1521` — data_stream: `firewall` +- **destination.user** — `destination.user` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:1529` — data_stream: `firewall` +- **destination.user** — `destination.user` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:1535` — data_stream: `firewall` +- **destination.user** — `destination.user` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:1541` — data_stream: `firewall` + +### checkpoint_email + +- **destination.user** — `destination.user.email` — `packages/checkpoint_email/data_stream/event/elasticsearch/ingest_pipeline/default.yml:261` — data_stream: `event` +- **destination.user** — `destination.user.email` — `packages/checkpoint_email/data_stream/event/elasticsearch/ingest_pipeline/default.yml:267` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/checkpoint_email/data_stream/event/elasticsearch/ingest_pipeline/default.yml:269` — data_stream: `event` + +### cisco_asa + +- **destination.user** — `destination.user.name` — `packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2004` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2022` — data_stream: `log` +- **destination.user** — `destination.user` — 
`packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2026` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2030` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2031` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2032` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:3140` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:3142` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:3226` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:3227` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:3268` — data_stream: `log` + +### cisco_ftd + +- **destination.user** — `destination.user.name` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2176` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2202` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2206` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2210` — data_stream: `log` +- **destination.user** — `destination.user` — 
`packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2211` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2212` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2995` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2997` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:3116` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:3117` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:3158` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:3159` — data_stream: `log` + +### citrix_adc + +- **destination.user** — `destination.user.domain` — `packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/alg_feature.yml:79` — data_stream: `log` +- **destination.user** — `destination.user.name` — `packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/alg_feature.yml:84` — data_stream: `log` +- **destination.user** — `destination.user.name` — `packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml:413` — data_stream: `log` +- **destination.user** — `destination.user.email` — `packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml:414` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml:416` — data_stream: `log` +- 
**destination.user** — `destination.user.email` — `packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml:418` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml:419` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml:427` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml:433` — data_stream: `log` + +### claroty_ctd + +- **destination.host** — `claroty_ctd.event.destination.host` — `packages/claroty_ctd/data_stream/event/elasticsearch/ingest_pipeline/default.yml:431` — data_stream: `event` +- **destination.host** — `claroty_ctd.event.destination.host` — `packages/claroty_ctd/data_stream/event/elasticsearch/ingest_pipeline/default.yml:436` — data_stream: `event` +- **destination.host** — `destination.host` — `packages/claroty_ctd/data_stream/event/elasticsearch/ingest_pipeline/default.yml:441` — data_stream: `event` +- **destination.host** — `destination.host` — `packages/claroty_ctd/data_stream/event/elasticsearch/ingest_pipeline/default.yml:2144` — data_stream: `event` + +### crowdstrike + +- **destination.user** — `destination.user.domain` — `packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml:1931` — data_stream: `alert` +- **destination.user** — `destination.user` — `packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml:1938` — data_stream: `alert` +- **destination.user** — `destination.user.name` — `packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml:1947` — data_stream: `alert` +- **destination.user** — `destination.user` — `packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml:1954` — data_stream: `alert` + +### cyberark_pta + +- 
**destination.user** — `destination.user.name` — `packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml:87` — data_stream: `events` +- **destination.user** — `destination.user.email` — `packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml:88` — data_stream: `events` +- **destination.user** — `destination.user` — `packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml:90` — data_stream: `events` +- **destination.user** — `destination.user.email` — `packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml:92` — data_stream: `events` +- **destination.user** — `destination.user` — `packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml:93` — data_stream: `events` +- **destination.user** — `destination.user` — `packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml:100` — data_stream: `events` +- **destination.user** — `destination.user` — `packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml:106` — data_stream: `events` + +### cyberarkpas + +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:504` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:522` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:612` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:752` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:771` — data_stream: `audit` +- **destination.user** — `destination.user.name` 
— `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:792` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:815` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:848` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:867` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:886` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:907` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:935` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:950` — data_stream: `audit` +- **destination.user** — `destination.user` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:1108` — data_stream: `audit` + +### fortinet_fortigate + +- **destination.user** — `destination.user` — `packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/default.yml:754` — data_stream: `log` +- **destination.user** — `destination.user.name` — `packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/traffic.yml:117` — data_stream: `log` + +### google_secops + +- **destination.user** — `destination.user.email` — `packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml:1403` — data_stream: `alert` +- **destination.user** — `destination.user.group.id` — 
`packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml:1458` — data_stream: `alert` +- **destination.user** — `destination.user.name` — `packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml:1464` — data_stream: `alert` +- **destination.user** — `destination.user.id` — `packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml:1469` — data_stream: `alert` + +### jumpcloud + +- **destination.user** — `destination.user` — `packages/jumpcloud/data_stream/events/elasticsearch/ingest_pipeline/default.yml:258` — data_stream: `events` + +### microsoft_exchange_online_message_trace + +- **destination.user** — `destination.user.id` — `packages/microsoft_exchange_online_message_trace/data_stream/log/elasticsearch/ingest_pipeline/default.yml:131` — data_stream: `log` +- **destination.user** — `destination.user.email` — `packages/microsoft_exchange_online_message_trace/data_stream/log/elasticsearch/ingest_pipeline/default.yml:135` — data_stream: `log` +- **destination.user** — `destination.user.name` — `packages/microsoft_exchange_online_message_trace/data_stream/log/elasticsearch/ingest_pipeline/default.yml:310` — data_stream: `log` +- **destination.user** — `destination.user.domain` — `packages/microsoft_exchange_online_message_trace/data_stream/log/elasticsearch/ingest_pipeline/default.yml:314` — data_stream: `log` + +### nozomi_networks + +- **destination.user** — `destination.user.roles` — `packages/nozomi_networks/data_stream/alert/elasticsearch/ingest_pipeline/default.yml:188` — data_stream: `alert` + +### o365 + +- **destination.user** — `destination.user` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1019` — data_stream: `audit` +- **destination.user** — `destination.user` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1020` — data_stream: `audit` +- **destination.user** — `destination.user` — 
`packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1022` — data_stream: `audit` +- **destination.user** — `destination.user` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1028` — data_stream: `audit` +- **destination.user** — `destination.user` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1032` — data_stream: `audit` +- **destination.user** — `destination.user.email` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1156` — data_stream: `audit` +- **destination.user** — `destination.user.id` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1172` — data_stream: `audit` +- **destination.user** — `destination.user` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1437` — data_stream: `audit` +- **destination.user** — `destination.user` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1441` — data_stream: `audit` +- **destination.user** — `destination.user` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1442` — data_stream: `audit` +- **destination.user** — `destination.user` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1443` — data_stream: `audit` +- **destination.user** — `destination.user.email` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1684` — data_stream: `audit` + +### panw + +- **destination.user** — `destination.user` — `packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml:1406` — data_stream: `panos` +- **destination.user** — `destination.user` — `packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml:1407` — data_stream: `panos` +- **destination.user** — `destination.user` — `packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml:1408` — data_stream: `panos` +- **destination.user** — `destination.user` — 
`packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml:1409` — data_stream: `panos` +- **destination.user** — `panw.panos.destination.user` — `packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml:1423` — data_stream: `panos` +- **destination.user** — `destination.user.name` — `packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml:1424` — data_stream: `panos` +- **destination.user** — `destination.user` — `packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml:1889` — data_stream: `panos` +- **destination.user** — `destination.user` — `packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml:1980` — data_stream: `panos` +- **destination.user** — `destination.user.email` — `packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml:235` — data_stream: `panos` + +### ping_federate + +- **destination.user** — `destination.user` — `packages/ping_federate/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:350` — data_stream: `audit` + +### prisma_access + +- **destination.user** — `destination.user.domain` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:940` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1007` — data_stream: `event` +- **destination.user** — `prisma_access.event.pan_os_value.destination.user.name` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1012` — data_stream: `event` +- **destination.user** — `prisma_access.event.pan_os_value.destination.user.name` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1018` — data_stream: `event` +- **destination.user** — `destination.user.domain` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1021` — data_stream: `event` +- **destination.user** — 
`destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1023` — data_stream: `event` +- **destination.user** — `destination.user.name` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1027` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1029` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1035` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1043` — data_stream: `event` +- **destination.user** — `prisma_access.event.pan_os_data.destination.user.name` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1048` — data_stream: `event` +- **destination.user** — `prisma_access.event.pan_os_data.destination.user.name` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1054` — data_stream: `event` +- **destination.user** — `destination.user.domain` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1057` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1059` — data_stream: `event` +- **destination.user** — `destination.user.name` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1063` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1065` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1071` — data_stream: `event` +- 
**destination.user** — `prisma_access.event.pan_os.destination.user.domain` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1077` — data_stream: `event` +- **destination.user** — `destination.user.domain` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1080` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1082` — data_stream: `event` +- **destination.user** — `prisma_access.event.destination.user.id` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1088` — data_stream: `event` +- **destination.user** — `destination.user.id` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1091` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1093` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1099` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1107` — data_stream: `event` +- **destination.user** — `prisma_access.event.destination.user.name` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1112` — data_stream: `event` +- **destination.user** — `prisma_access.event.destination.user.name` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1118` — data_stream: `event` +- **destination.user** — `destination.user.domain` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1121` — data_stream: `event` +- **destination.user** — `destination.user` — 
`packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1123` — data_stream: `event` +- **destination.user** — `destination.user.name` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1127` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1129` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1135` — data_stream: `event` +- **destination.user** — `prisma_access.event.destination.user.uuid` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1141` — data_stream: `event` +- **destination.user** — `destination.user.id` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1144` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1146` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1152` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:5236` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:5237` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:5238` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:5239` — data_stream: `event` +- **destination.user** — `destination.user` — 
`packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:5240` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:5241` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:5242` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:5243` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:5244` — data_stream: `event` + +### sentinel_one_cloud_funnel + +- **destination.user** — `destination.user.name` — `packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml:107` — data_stream: `event` +- **destination.user** — `destination.user.domain` — `packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml:115` — data_stream: `event` +- **destination.user** — `destination.user.domain` — `packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml:123` — data_stream: `event` +- **destination.user** — `destination.user.name` — `packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml:131` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml:136` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml:141` — data_stream: `event` + +### sophos + +- **destination.user** — `destination.user.email` — `packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml:107` — 
data_stream: `xg` +- **destination.user** — `destination.user` — `packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml:117` — data_stream: `xg` +- **destination.user** — `destination.user.email` — `packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml:122` — data_stream: `xg` +- **destination.user** — `destination.user` — `packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml:132` — data_stream: `xg` + +### swimlane + +- **destination.user** — `destination.user.changes.id` — `packages/swimlane/data_stream/tenant_api/elasticsearch/ingest_pipeline/default.yml:178` — data_stream: `tenant_api` +- **destination.user** — `destination.user.changes.name` — `packages/swimlane/data_stream/tenant_api/elasticsearch/ingest_pipeline/default.yml:182` — data_stream: `tenant_api` +- **destination.user** — `destination.user.changes.id` — `packages/swimlane/data_stream/turbine_api/elasticsearch/ingest_pipeline/default.yml:195` — data_stream: `turbine_api` +- **destination.user** — `destination.user.changes.name` — `packages/swimlane/data_stream/turbine_api/elasticsearch/ingest_pipeline/default.yml:199` — data_stream: `turbine_api` + +### trellix_epo_cloud + +- **destination.user** — `destination.user.name` — `packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml:178` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml:184` — data_stream: `event` + +### trend_micro_vision_one + +- **destination.user** — `trend_micro_vision_one.detection.destination.user` — `packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml:171` — data_stream: `detection` +- **destination.user** — `destination.user.name` — `packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml:1269` — data_stream: `detection` +- **destination.user** — 
`trend_micro_vision_one.detection.destination.user` — `packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml:1271` — data_stream: `detection` +- **destination.user** — `trend_micro_vision_one.detection.destination.user` — `packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml:1597` — data_stream: `detection` +- **destination.user** — `destination.user` — `packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml:1789` — data_stream: `detection` + +### trendmicro + +- **destination.user** — `destination.user.name` — `packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml:687` — data_stream: `deep_security` +- **destination.user** — `destination.user` — `packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml:694` — data_stream: `deep_security` + +### tychon + +- **destination.host** — `destination.host` — `packages/tychon/data_stream/arp/elasticsearch/ingest_pipeline/rest.yml:26` — data_stream: `arp` + +### watchguard_firebox + +- **destination.user** — `destination.user.name` — `packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_traffic.yml:446` — data_stream: `log` +- **destination.user** — `destination.user.domain` — `packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_traffic.yml:451` — data_stream: `log` + +### windows + +- **destination.user** — `destination.user.domain` — `packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml:170` — data_stream: `forwarded` +- **destination.user** — `destination.user.name` — `packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml:176` — data_stream: `forwarded` +- **destination.user** — `destination.user.domain` — 
`packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml:170` — data_stream: `powershell_operational` +- **destination.user** — `destination.user.name` — `packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml:176` — data_stream: `powershell_operational` + +### zoom + +- **destination.user** — `destination.user.id` — `packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/phone.yml:175` — data_stream: `webhook` diff --git a/dev/target-fields-audit/out/packages_stakeholder_matrix.csv b/dev/target-fields-audit/out/packages_stakeholder_matrix.csv new file mode 100644 index 00000000000..c13a9cf303c --- /dev/null +++ b/dev/target-fields-audit/out/packages_stakeholder_matrix.csv 
@@ -0,0 +1,446 @@ +package,security category,observability category,graph visualization support,new strategy support (destination field),support verified,other catalog categories +1password,Y,N,missing,N,N,credential_management +abnormal_security,Y,N,identified potential,Y,N,email_security; threat_intel +activemq,N,Y,missing,N,N,message_queue; monitoring; infrastructure +activemq_otel,N,Y,missing,N,N,message_queue; opentelemetry +admin_by_request_epm,Y,N,missing,N,N,iam; credential_management +agentless_hello_world,N,Y,missing,N,N, +airflow,N,Y,missing,N,N,process_manager +airflow_otel,N,Y,missing,N,N,opentelemetry; process_manager +airlock_digital,Y,N,identified potential,N,N, +akamai,Y,N,missing,N,N,cdn_security +amazon_security_lake,Y,N,supported,N,N,aws; siem +apache,N,Y,missing,N,N,web +apache_input_otel,N,Y,missing,N,N,web; opentelemetry +apache_otel,N,Y,missing,N,N,web; opentelemetry +apache_spark,N,Y,identified potential,N,N,analytics_engine; big_data; stream_processing +apache_tomcat,N,Y,missing,N,N,web; application_observability +apache_tomcat_otel,N,Y,missing,N,N,web; application_observability; opentelemetry +apm,N,Y,missing,N,N,elastic_stack; monitoring +arista_ngfw,Y,N,missing,N,N,network; network_security; firewall_security; ids_ips +armis,Y,N,missing,N,N,vulnerability_management; network_security +atlassian_bitbucket,Y,N,supported,N,N,productivity_security +atlassian_confluence,Y,N,supported,N,N,productivity_security +atlassian_jira,Y,N,supported,N,N,productivity_security +auditd,Y,N,identified potential,N,N,auditd +auditd_manager,Y,N,identified potential,N,N,auditd +auth0,Y,N,missing,N,N,iam +authentik,Y,N,missing,N,N,iam +aws,Y,Y,supported,N,N,aws; cloud; containers; network; datastore +aws_bedrock,Y,Y,missing,N,N,aws; cloud +aws_bedrock_agentcore,N,Y,missing,N,N,aws; cloud +aws_billing,N,Y,missing,N,N,aws; cloud +aws_cloudtrail_otel,N,Y,missing,N,N,aws; cloud; web; opentelemetry +aws_elb_otel,N,Y,missing,N,N,aws; cloud; web; opentelemetry 
+aws_logs,N,Y,missing,N,N,cloud; custom; aws +aws_mq,N,Y,missing,N,N,aws; cloud; message_queue +aws_securityhub,Y,N,identified potential,N,N,aws; cloudsecurity_cdr; vulnerability_workflow +aws_vpcflow_otel,N,Y,missing,N,N,aws; cloud; web; opentelemetry +aws_waf_otel,Y,Y,missing,N,N,aws; cloud; web; opentelemetry; web_application_firewall +awsfargate,N,Y,missing,N,N,cloud; aws +awsfirehose,N,Y,missing,N,N,cloud; aws +azure,Y,Y,identified potential,N,N,cloud; azure +azure_activity_otel,N,Y,missing,N,N,azure; cloud; opentelemetry +azure_ai_foundry,Y,Y,missing,N,N,azure; cloud +azure_app_service,Y,Y,missing,N,N,azure; cloud +azure_application_insights,N,Y,missing,N,N,azure; cloud +azure_billing,N,Y,missing,N,N,cloud; azure +azure_blob_storage,N,Y,missing,N,N,azure; cloud; custom +azure_frontdoor,Y,Y,missing,N,N,azure; cloud; network; web +azure_functions,N,Y,missing,N,N,azure; cloud +azure_logs,N,Y,missing,N,N,azure; custom +azure_metrics,N,Y,missing,N,N,cloud; azure; custom; containers; datastore +azure_network_watcher_nsg,Y,N,missing,N,N,cloud; azure +azure_network_watcher_vnet,Y,N,identified potential,N,N,cloud; azure +azure_openai,Y,Y,missing,N,N,azure; cloud +barracuda,Y,N,missing,N,N,network; web_application_firewall +barracuda_cloudgen_firewall,Y,N,missing,N,N,network; firewall_security +bbot,Y,N,identified potential,N,N, +beaconing,Y,N,missing,N,N,advanced_analytics_ueba; network_security +beat,N,N,missing,N,N, +beelzebub,Y,N,missing,N,N,network; threat_intel +beyondinsight_password_safe,Y,N,missing,N,N,credential_management; iam +beyondtrust_pra,Y,N,identified potential,Y,N,iam; network_security +bitdefender,Y,N,identified potential,N,N,edr_xdr +bitsight,Y,N,missing,N,N,custom +bitwarden,Y,N,missing,N,N,credential_management +blacklens,Y,N,missing,N,N,vulnerability_management +bluecoat,Y,N,missing,N,N,network; proxy_security +box_events,Y,N,supported,N,N,productivity_security +canva,Y,N,supported,N,N,productivity; iam +carbon_black_cloud,Y,N,identified 
potential,N,N,edr_xdr +carbonblack_edr,Y,N,missing,N,N,edr_xdr +cassandra,N,Y,missing,N,N,datastore +cassandra_otel,N,Y,missing,N,N,datastore; opentelemetry +cef,Y,N,identified potential,Y,N,custom; network_security +cel,N,N,missing,N,N,custom +ceph,N,Y,missing,N,N,datastore; os_system +checkpoint,Y,N,identified potential,Y,N,network; firewall_security +checkpoint_email,Y,N,identified potential,Y,N,email_security +checkpoint_harmony_endpoint,Y,N,missing,N,N,edr_xdr +cisa_kevs,Y,N,missing,N,N,vulnerability_management +cisco_aironet,Y,N,missing,N,N,network +cisco_asa,Y,N,identified potential,Y,N,network; firewall_security +cisco_duo,Y,N,supported,N,N,iam +cisco_ftd,Y,N,identified potential,Y,N,network; firewall_security +cisco_ios,Y,N,missing,N,N,network +cisco_ise,Y,N,identified potential,N,N,network; iam +cisco_meraki,Y,N,missing,N,N,network; cloud +cisco_meraki_metrics,Y,Y,missing,N,N,network +cisco_nexus,Y,N,missing,N,N,network +cisco_secure_email_gateway,Y,N,missing,N,N,network; email_security +cisco_secure_endpoint,Y,N,missing,N,N,edr_xdr +cisco_umbrella,Y,N,missing,N,N,network; dns_security +citrix_adc,N,Y,identified potential,Y,N,network +citrix_waf,Y,N,missing,N,N,network; web_application_firewall +claroty_ctd,Y,N,identified potential,Y,N, +claroty_xdome,Y,N,missing,N,N,vulnerability_management +cloud_asset_inventory,Y,N,missing,N,N,asset_inventory; cloudsecurity_cdr; cloud +cloud_defend,Y,Y,missing,N,N,containers; kubernetes +cloud_security_posture,Y,Y,missing,N,N,cloudsecurity_cdr; misconfiguration_workflow; vulnerability_workflow; containers; google_cloud; aws; cloud +cloudflare,Y,N,missing,N,N,network; cdn_security +cloudflare_logpush,Y,N,missing,N,N,network; cdn_security +cockroachdb,N,Y,missing,N,N,datastore +cockroachdb_otel,N,Y,missing,N,N,datastore; opentelemetry +containerd,N,Y,missing,N,N,containers +coredns,N,Y,missing,N,N, +corelight,Y,N,missing,N,N,dns_security; network; network_security; vpn_security +couchbase,N,Y,missing,N,N,datastore 
+couchdb,N,Y,missing,N,N,datastore +couchdb_otel,N,Y,missing,N,N,datastore; opentelemetry +cribl,N,N,missing,N,N,custom +crowdstrike,Y,N,supported,Y,N,edr_xdr +cyberark_epm,Y,N,identified potential,N,N, +cyberark_pta,Y,N,identified potential,Y,N,iam +cyberarkpas,Y,N,supported,Y,N,iam +cybereason,Y,N,missing,N,N,edr_xdr +cyera,Y,N,identified potential,N,N, +cylance,Y,N,missing,N,N,edr_xdr +darktrace,Y,N,missing,N,N,network_security +dataminr_pulse,Y,N,missing,N,N,threat_intel +ded,Y,N,missing,N,N,network; advanced_analytics_ueba +dga,Y,N,missing,N,N,network_security; advanced_analytics_ueba +digital_guardian,Y,N,missing,N,N,network +docker,N,Y,missing,N,N,containers +docker_input_otel,N,Y,missing,N,N,containers; monitoring; opentelemetry +docker_otel,N,Y,missing,N,N,containers; monitoring; opentelemetry +ece,N,N,missing,N,N,elastic_stack +elastic_agent,N,N,missing,N,N,elastic_stack +elastic_connectors,N,N,missing,N,N,connector; enterprise_search +elastic_package_registry,N,N,missing,N,N,elastic_stack +elastic_security,Y,N,missing,N,N,siem +elasticapm_input_otel,N,Y,missing,N,N,monitoring; opentelemetry +elasticsearch,N,N,missing,N,N,elastic_stack; datastore +endace,N,N,missing,N,N,aws; cloud; custom; network +enterprisesearch,N,N,missing,N,N, +entityanalytics_ad,Y,N,missing,N,N, +entityanalytics_entra_id,Y,N,missing,N,N,azure; cloud +entityanalytics_okta,Y,N,missing,N,N, +entro,Y,N,missing,N,N,cloud +envoyproxy,N,Y,missing,N,N, +envoyproxy_otel,N,Y,missing,N,N,opentelemetry +eset_protect,Y,N,identified potential,N,N,edr_xdr +ess_billing,N,N,missing,N,N,cloud +etcd,N,Y,missing,N,N,datastore +etcd_otel,N,Y,missing,N,N,datastore; opentelemetry +extrahop,Y,N,missing,N,N, +f5_bigip,Y,N,missing,N,N, +falco,Y,Y,missing,N,N,containers; kubernetes; monitoring +filelog_otel,N,N,missing,N,N,custom; custom_logs; opentelemetry +filestream,N,N,missing,N,N,custom; custom_logs +fim,Y,N,identified potential,N,N, +fireeye,Y,N,missing,N,N,network 
+first_epss,Y,N,missing,N,N,vulnerability_management +fleet_server,N,N,missing,N,N,elastic_stack +forcepoint_web,Y,N,missing,N,N,network +forescout,Y,N,missing,N,N, +forgerock,Y,N,identified potential,N,N, +fortinet_forticlient,Y,N,missing,N,N,edr_xdr +fortinet_fortiedr,Y,N,missing,N,N,edr_xdr +fortinet_fortigate,Y,N,identified potential,Y,N,network; firewall_security +fortinet_fortimail,Y,N,missing,N,N,email_security +fortinet_fortimanager,Y,N,missing,N,N,network; firewall_security +fortinet_fortiproxy,Y,Y,missing,N,N,network; proxy_security; web +gcp,Y,Y,supported,N,N,google_cloud; cloud; containers; datastore +gcp_audit_otel,Y,Y,missing,N,N,google_cloud; cloud; opentelemetry +gcp_metrics,N,Y,missing,N,N,cloud; google_cloud; custom +gcp_pubsub,N,Y,missing,N,N,google_cloud; cloud; custom +gcp_vertexai,N,Y,missing,N,N,cloud; google_cloud +gcp_vpcflow_otel,N,Y,missing,N,N,google_cloud; cloud; web; opentelemetry +gigamon,Y,Y,missing,N,N,custom; network; application_observability +github,Y,N,supported,N,N,productivity_security +gitlab,Y,N,identified potential,N,N,productivity_security +goflow2,N,N,missing,N,N,network +golang,N,Y,missing,N,N, +google_cloud_storage,N,N,missing,N,N,custom; cloud +google_scc,Y,N,identified potential,N,N,google_cloud; cloudsecurity_cdr; vulnerability_workflow; misconfiguration_workflow +google_secops,Y,N,identified potential,Y,N,google_cloud; siem +google_workspace,Y,N,supported,N,N,productivity_security +grafana,N,Y,missing,N,N,monitoring +greenhouse,Y,N,identified potential,N,N, +hadoop,N,Y,missing,N,N,datastore; big_data +haproxy,N,Y,missing,N,N,load_balancer +haproxy_otel,N,Y,missing,N,N,web; opentelemetry +hashicorp_vault,Y,N,missing,N,N,iam +hid_bravura_monitor,Y,N,identified potential,N,N,iam +hostmetrics_input_otel,N,Y,missing,N,N,monitoring; os_system; opentelemetry +hpe_aruba_cx,Y,N,supported,N,N,config_management; network +hta,Y,N,missing,N,N, +http_endpoint,N,Y,missing,N,N,custom +httpcheck_otel,N,N,missing,N,N,monitoring; 
network; opentelemetry; web +httpjson,N,N,missing,N,N,custom +ibm_qradar,Y,N,missing,N,N,siem +ibmmq,N,Y,missing,N,N,message_queue +ibmmq_otel,N,Y,missing,N,N,message_queue; opentelemetry +iis,N,Y,missing,N,N,web +iis_input_otel,N,Y,missing,N,N,web; opentelemetry +iis_otel,N,Y,missing,N,N,web; opentelemetry +imperva,Y,N,missing,N,N,network +imperva_cloud_waf,Y,N,missing,N,N, +influxdb,N,Y,missing,N,N,datastore +influxdb_otel,N,Y,missing,N,N,datastore; opentelemetry +infoblox_bloxone_ddi,Y,N,identified potential,N,N,network; dns_security +infoblox_nios,Y,N,missing,N,N,network; dns_security +infoblox_threat_defense,Y,N,missing,N,N, +iptables,Y,N,missing,N,N,network +ironscales,Y,N,missing,N,N, +island_browser,Y,N,missing,N,N, +istio,N,Y,missing,N,N,network; containers; kubernetes +jaeger_input_otel,N,Y,missing,N,N,opentelemetry +jamf_compliance_reporter,Y,N,identified potential,N,N, +jamf_pro,N,N,identified potential,N,N,cloud; custom +jamf_protect,Y,N,identified potential,N,N,edr_xdr +jolokia_input,N,Y,missing,N,N,custom +journald,N,Y,missing,N,N,custom +jumpcloud,Y,N,identified potential,Y,N,cloud +juniper_junos,Y,N,missing,N,N,network +juniper_netscreen,Y,N,missing,N,N,network; firewall_security +juniper_srx,Y,N,missing,N,N,network; firewall_security +jupiter_one,Y,N,identified potential,N,N, +kafka,N,Y,missing,N,N,stream_processing +kafka_connect,N,Y,missing,N,N,message_queue; monitoring; infrastructure +kafka_input_otel,N,Y,missing,N,N,message_queue; opentelemetry +kafka_log,N,Y,missing,N,N,custom +kafka_otel,N,Y,missing,N,N,message_queue; opentelemetry +keeper_security_siem_integration,Y,N,missing,N,N,authentication; custom +keycloak,Y,N,supported,N,N,iam +kibana,N,N,missing,N,N,elastic_stack +kubeletstats_input_otel,N,Y,missing,N,N,containers; kubernetes; opentelemetry +kubernetes,N,Y,missing,N,N,containers; kubernetes +kubernetes_otel,N,Y,missing,N,N,kubernetes; opentelemetry +lastpass,Y,N,missing,N,N,credential_management +linux,N,N,missing,N,N,os_system 
+lmd,Y,N,missing,N,N,advanced_analytics_ueba +log,N,N,missing,N,N,custom; custom_logs +logstash,N,Y,missing,N,N,elastic_stack +lumos,Y,N,identified potential,N,N, +lyve_cloud,Y,N,missing,N,N, +m365_defender,Y,N,identified potential,N,N,edr_xdr; vulnerability_workflow; cloudsecurity_cdr +macos,Y,N,missing,N,N, +mattermost,Y,N,supported,N,N,productivity_security +memcached,N,Y,missing,N,N, +memcached_otel,N,Y,missing,N,N,opentelemetry +menlo,Y,Y,missing,N,N,monitoring; network +microsoft_defender_cloud,Y,N,identified potential,N,N,cloudsecurity_cdr; vulnerability_workflow; misconfiguration_workflow +microsoft_defender_endpoint,Y,N,missing,N,N,edr_xdr; siem; vulnerability_workflow; cloudsecurity_cdr +microsoft_dhcp,Y,N,missing,N,N,network +microsoft_dnsserver,Y,N,missing,N,N,network +microsoft_exchange_online_message_trace,Y,N,identified potential,Y,N,email_security +microsoft_exchange_server,Y,N,missing,N,N,email_security +microsoft_intune,Y,N,identified potential,N,N,azure +microsoft_sentinel,Y,N,missing,N,N,azure; siem +microsoft_sqlserver,Y,Y,supported,N,N,database_security +microsoft_sqlserver_otel,N,Y,missing,N,N,datastore; opentelemetry +mimecast,Y,N,identified potential,N,N,email_security +miniflux,N,Y,missing,N,N,web +modsecurity,Y,N,missing,N,N,network; web_application_firewall +mongodb,N,Y,missing,N,N,datastore +mongodb_atlas,Y,Y,identified potential,N,N,cloud; datastore; database_security +mongodb_otel,N,Y,missing,N,N,datastore; opentelemetry +mysql,N,Y,missing,N,N,datastore +mysql_enterprise,Y,Y,supported,N,N,datastore; database_security +mysql_input_otel,N,Y,missing,N,N,datastore; opentelemetry +mysql_otel,N,Y,missing,N,N,datastore; opentelemetry +nagios_xi,N,Y,missing,N,N,monitoring +nats,N,Y,missing,N,N,message_queue; stream_processing +neon_cyber,Y,N,missing,N,N,edr_xdr +netbox,Y,N,missing,N,N,network; web +netflow,Y,N,identified potential,N,N,network +netscout,Y,N,missing,N,N,network +netskope,Y,N,supported,N,N,network 
+network_traffic,Y,N,missing,N,N,network +nextron_thor,Y,N,missing,N,N, +nginx,N,Y,missing,N,N,web +nginx_ingress_controller,N,Y,missing,N,N,containers; kubernetes +nginx_ingress_controller_otel,N,Y,missing,N,N,containers; kubernetes; opentelemetry +nginx_input_otel,N,Y,missing,N,N,web; opentelemetry +nginx_otel,N,Y,missing,N,N,web; opentelemetry +nozomi_networks,Y,N,identified potential,Y,N,network +nvidia_gpu,N,Y,missing,N,N,cloud; custom; kubernetes; os_system +nvidia_gpu_otel,N,Y,missing,N,N,cloud; opentelemetry; os_system +o365,Y,Y,supported,Y,N,productivity_security; iam +o365_metrics,Y,Y,missing,N,N, +okta,Y,N,supported,N,N,iam +openai,N,Y,missing,N,N,monitoring +opencanary,Y,N,missing,N,N, +oracle,Y,Y,identified potential,N,N,datastore; database_security +oracle_otel,N,Y,missing,N,N,message_queue; opentelemetry +oracle_weblogic,N,Y,missing,N,N,web +osquery,Y,N,missing,N,N, +osquery_manager,Y,N,identified potential,N,N, +otel_android_dashboards,N,Y,missing,N,N,application_observability; opentelemetry +otel_collector_internal_telemetry,N,Y,missing,N,N,monitoring; opentelemetry +otel_rum_dashboards,N,Y,missing,N,N,web; opentelemetry +otlp_input_otel,N,Y,missing,N,N,opentelemetry +pad,Y,N,identified potential,N,N,advanced_analytics_ueba +panw,Y,N,identified potential,Y,N,network +panw_cortex_xdr,Y,N,missing,N,N,edr_xdr +panw_metrics,Y,Y,missing,N,N,network; network_security +pfsense,Y,N,missing,N,N,network; firewall_security; network_security +php_fpm,N,Y,missing,N,N,process_manager +ping_federate,Y,N,identified potential,Y,N,authentication; iam +ping_one,Y,N,missing,N,N,iam +platform_observability,N,Y,missing,N,N,elastic_stack; monitoring +postgresql,N,Y,missing,N,N,datastore +postgresql_otel,N,Y,missing,N,N,datastore; opentelemetry +pps,Y,N,identified potential,N,N,custom; productivity +prisma_access,Y,N,identified potential,Y,N,network +prisma_cloud,Y,N,missing,N,N,cloudsecurity_cdr; misconfiguration_workflow; vulnerability_workflow 
+problemchild,Y,N,missing,N,N,advanced_analytics_ueba +profiling_otel,N,Y,missing,N,N,custom; opentelemetry +profilingmetrics_otel,N,Y,missing,N,N,custom; opentelemetry +prometheus,N,Y,missing,N,N,monitoring; containers +prometheus_input,N,Y,missing,N,N,monitoring; containers; custom +prometheus_input_otel,N,Y,missing,N,N,monitoring; opentelemetry +prometheus_input_otel_raw,N,Y,missing,N,N,monitoring; opentelemetry +proofpoint_365totalprotection,Y,N,missing,N,N,email_security +proofpoint_essentials,Y,N,missing,N,N, +proofpoint_itm,Y,N,identified potential,N,N, +proofpoint_on_demand,Y,N,missing,N,N, +proofpoint_tap,Y,N,missing,N,N,email_security +proxysg,Y,N,missing,N,N,network +pulse_connect_secure,Y,N,missing,N,N,vpn_security +qnap_nas,Y,N,supported,N,N, +qualys_gav,Y,N,missing,N,N, +qualys_vmdr,Y,N,missing,N,N,vulnerability_management; vulnerability_workflow; cloudsecurity_cdr +qualys_was,Y,N,missing,N,N,vulnerability_management +rabbitmq,N,Y,missing,N,N,message_queue +rabbitmq_otel,N,Y,missing,N,N,message_queue; opentelemetry +radware,Y,N,missing,N,N, +rapid7_insightvm,Y,N,missing,N,N,vulnerability_management; vulnerability_workflow; cloudsecurity_cdr +redis,N,Y,missing,N,N,datastore +redis_input_otel,N,Y,missing,N,N,datastore; opentelemetry +redis_otel,N,Y,missing,N,N,datastore; opentelemetry +redisenterprise,N,Y,missing,N,N,datastore +redisenterprise_otel,N,Y,missing,N,N,datastore; opentelemetry +rubrik,N,Y,missing,N,N, +sailpoint_identity_sc,Y,N,identified potential,N,N,iam +salesforce,N,Y,missing,N,N,crm +santa,Y,N,missing,N,N, +security_ai_prompts,Y,N,missing,N,N, +security_detection_engine,Y,N,identified potential,N,N,siem +sentinel_one,Y,N,identified potential,N,N,edr_xdr +sentinel_one_cloud_funnel,Y,N,identified potential,Y,N,edr_xdr +servicenow,Y,N,missing,N,N, +slack,Y,N,missing,N,N,productivity +snort,Y,N,missing,N,N,ids_ips; network_security +snyk,Y,N,identified potential,N,N,cloudsecurity_cdr; vulnerability_management 
+sonicwall_firewall,Y,N,missing,N,N,network; firewall_security; network_security +sophos,Y,N,identified potential,Y,N,network; firewall_security +sophos_central,Y,N,missing,N,N,edr_xdr +splunk,Y,N,identified potential,N,N,siem +spring_boot,N,Y,missing,N,N,java_observability +spycloud,Y,N,identified potential,N,N, +sql_input,N,Y,missing,N,N,custom +sql_server_input_otel,N,Y,missing,N,N,datastore; opentelemetry +squid,Y,Y,missing,N,N,network; proxy_security; web +stan,N,Y,missing,N,N,stream_processing +statsd_input,N,Y,missing,N,N,custom +statsd_input_otel,N,Y,missing,N,N,opentelemetry; custom +stormshield,Y,N,missing,N,N,network; firewall_security; network_security +sublime_security,Y,N,missing,N,N,email_security +suricata,Y,N,identified potential,N,N,network; ids_ips; network_security +swimlane,Y,N,identified potential,Y,N, +symantec_endpoint,Y,N,missing,N,N,edr_xdr +symantec_endpoint_security,Y,N,missing,N,N,edr_xdr +synthetics,N,Y,missing,N,N,monitoring +synthetics_dashboards,N,Y,missing,N,N, +sysdig,Y,Y,identified potential,N,N,containers; kubernetes; monitoring +syslog_router,N,N,missing,N,N,custom +sysmon_linux,Y,N,identified potential,N,N,os_system +system,N,Y,supported,N,N,os_system; monitoring +system_audit,N,N,missing,N,N,custom; os_system +system_otel,N,Y,missing,N,N,os_system; monitoring; opentelemetry +tanium,Y,N,identified potential,N,N, +tcp,N,N,missing,N,N,custom; custom_logs +teleport,Y,Y,identified potential,N,N,monitoring; network +tenable_io,Y,N,supported,N,N,vulnerability_management; vulnerability_workflow; cloudsecurity_cdr +tenable_ot_security,Y,N,missing,N,N, +tenable_sc,Y,N,missing,N,N,vulnerability_management +tencent_cloud,Y,Y,missing,N,N,iam; cloud +tetragon,Y,Y,missing,N,N,cloud; cloudsecurity_cdr; kubernetes +threat_map,Y,N,missing,N,N,custom; network_security +thycotic_ss,Y,N,missing,N,N,credential_management +ti_abusech,Y,N,missing,N,N,threat_intel +ti_anomali,Y,N,missing,N,N,threat_intel +ti_anyrun,Y,N,missing,N,N,threat_intel 
+ti_cif3,Y,N,missing,N,N,threat_intel +ti_crowdstrike,Y,N,identified potential,N,N,threat_intel +ti_custom,Y,N,missing,N,N,custom; threat_intel +ti_cybersixgill,Y,N,missing,N,N,threat_intel +ti_cyware_intel_exchange,Y,N,missing,N,N,threat_intel +ti_domaintools,Y,N,missing,N,N,threat_intel +ti_eclecticiq,Y,N,missing,N,N,threat_intel +ti_eset,Y,N,missing,N,N,threat_intel +ti_flashpoint,Y,N,missing,N,N,threat_intel +ti_google_threat_intelligence,Y,N,missing,N,N,threat_intel +ti_greynoise,Y,N,missing,N,N,threat_intel +ti_maltiverse,Y,N,missing,N,N,threat_intel +ti_mandiant_advantage,Y,N,missing,N,N,threat_intel +ti_misp,Y,N,missing,N,N,threat_intel +ti_opencti,Y,N,missing,N,N,threat_intel +ti_otx,Y,N,missing,N,N,threat_intel +ti_rapid7_threat_command,Y,N,missing,N,N,threat_intel; vulnerability_management +ti_recordedfuture,Y,N,missing,N,N,threat_intel +ti_strider,Y,N,missing,N,N, +ti_threatconnect,Y,N,missing,N,N,threat_intel +ti_threatq,Y,N,missing,N,N,threat_intel +ti_util,Y,N,missing,N,N,threat_intel +tines,Y,N,missing,N,N,cloud +tomcat,N,Y,missing,N,N,web; application_observability +traefik,N,Y,missing,N,N,web; load_balancer; network +traefik_otel,N,Y,missing,N,N,opentelemetry; web; load_balancer; network +trellix_edr_cloud,Y,N,identified potential,N,N,cloud; edr_xdr; siem +trellix_epo_cloud,Y,N,identified potential,Y,N,edr_xdr; siem +trend_micro_vision_one,Y,N,supported,Y,N,edr_xdr; siem; network; network_security +trendmicro,Y,N,identified potential,Y,N,network; edr_xdr; siem +tychon,Y,N,identified potential,Y,N,config_management; vulnerability_management; siem; edr_xdr +udp,N,N,missing,N,N,custom; custom_logs; network +unifiedlogs,Y,Y,missing,N,N,custom; os_system +universal_profiling_agent,N,Y,missing,N,N,elastic_stack; monitoring +universal_profiling_collector,N,Y,missing,N,N,elastic_stack; monitoring +universal_profiling_symbolizer,N,Y,missing,N,N,elastic_stack; monitoring +varonis,Y,N,missing,N,N,siem +vectra_detect,Y,N,supported,N,N,network_security; siem 
+vectra_rux,Y,N,missing,N,N,edr_xdr; siem +verifier_otel,Y,N,missing,N,N,monitoring; opentelemetry; cloud +vsphere,N,Y,missing,N,N,virtualization; cloud +vsphere_otel,N,Y,missing,N,N,opentelemetry; virtualization +watchguard_firebox,Y,N,identified potential,Y,N,network; firewall_security; siem +websocket,N,N,missing,N,N,custom; network +websphere_application_server,N,Y,missing,N,N,websphere; application_observability +windows,Y,Y,supported,Y,N,os_system +windows_etw,Y,Y,missing,N,N,custom; os_system +winlog,Y,Y,identified potential,N,N,custom; os_system +withsecure_elements,Y,N,identified potential,N,N,edr_xdr +wiz,Y,N,missing,N,N,cloudsecurity_cdr; vulnerability_workflow; misconfiguration_workflow; cloud; siem +wmi,N,Y,missing,N,N,custom +zeek,Y,N,missing,N,N,network +zerofox,Y,N,missing,N,N,siem; threat_intel +zeronetworks,Y,N,missing,N,N,siem; network_security +zipkin_input_otel,N,Y,missing,N,N,opentelemetry +zookeeper,N,Y,missing,N,N,message_queue +zookeeper_otel,N,Y,missing,N,N,opentelemetry +zoom,Y,Y,supported,Y,N,productivity_security +zscaler_zia,Y,N,missing,N,N,network; siem +zscaler_zpa,Y,N,supported,N,N,network; vpn_security; siem diff --git a/dev/target-fields-audit/out/pilot/target_fields_audit.csv b/dev/target-fields-audit/out/pilot/target_fields_audit.csv new file mode 100644 index 00000000000..29a2c202a4a --- /dev/null +++ b/dev/target-fields-audit/out/pilot/target_fields_audit.csv 
@@ -0,0 +1,42 @@ +tier,package,data_stream,file,line,matched_prefix,snippet +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,545,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,561,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,577,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,592,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,637,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,654,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,669,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,684,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,695,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,706,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,717,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,728,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,739,user.target.,- set: user.target.name 
+A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,1114,user.target.,value: '{{{user.target.name}}}' +A,mysql_enterprise,audit,packages/mysql_enterprise/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,153,user.target.,- '(?i)(?:CREATE|DROP)\s+USER(?:\s+IF\s+(?:NOT\s+)?EXISTS)?\s+(?:%{START_QUOTE}%{QUOTED:user.target.name}%{END_QUOTE}|%{UNQUOTED:user.target.name})(?:@(?:%{START_QUOTE}%{QUOTED:user.target.domain}%{END_QUOTE}|%{UNQUOTED:user.target.domai... +A,mysql_enterprise,audit,packages/mysql_enterprise/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,215,user.target.,"value: ""{{{user.target.name}}}""" +B,mysql_enterprise,audit,packages/mysql_enterprise/data_stream/audit/fields/ecs.yml,42,user.target.,name: user.target.name +B,mysql_enterprise,audit,packages/mysql_enterprise/data_stream/audit/fields/ecs.yml,44,user.target.,name: user.target.domain +A,okta,system,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,539,user.target.,field: user.target.full_name +A,okta,system,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,543,user.target.,field: user.target.id +A,okta,system,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,547,user.target.,field: user.target.email +A,okta,system,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,551,user.target.,field: user.target.group.name +A,okta,system,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,555,user.target.,field: user.target.group.id +A,okta,system,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,595,user.target.,"value: ""{{{user.target.full_name}}}""" +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,167,user.target.,field: user.target.name 
+A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,168,user.target.,target_field: user.target.email +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,172,user.target.,field: user.target.email +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,173,user.target.,pattern: '%{user.target.name}@%{user.target.domain}' +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,180,user.target.,"value: ""{{{user.target.name}}}""" +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,186,user.target.,"value: ""{{{user.target.email}}}""" +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-detection.yml,174,user.target.,field: user.target.name +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-lockdown.yml,63,user.target.,field: user.target.name +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-lockdown.yml,78,user.target.,field: user.target.id +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-scoring.yml,44,user.target.,field: user.target.id +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-scoring.yml,49,user.target.,value: '{{{user.target.id}}}' +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-scoring.yml,87,user.target.,field: user.target.name +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-host-detection.yml,286,user.target.,field: user.target.name 
+C,vectra_detect,,packages/vectra_detect/kibana/dashboard/vectra_detect-74869ba0-bcb3-11ed-837c-8b9d01cca76e.json,203,user.target.,"""sourceField"": ""user.target.name""" +C,vectra_detect,,packages/vectra_detect/kibana/dashboard/vectra_detect-74869ba0-bcb3-11ed-837c-8b9d01cca76e.json,225,user.target.,"""sourceField"": ""user.target.id""" +C,vectra_detect,,packages/vectra_detect/kibana/dashboard/vectra_detect-ce341d40-b91f-11ed-a75d-1d76b4fe7223.json,121,user.target.,"""sourceField"": ""user.target.id""" +C,vectra_detect,,packages/vectra_detect/kibana/dashboard/vectra_detect-d517be50-bcbc-11ed-837c-8b9d01cca76e.json,204,user.target.,"""sourceField"": ""user.target.name""" diff --git a/dev/target-fields-audit/out/pilot/target_fields_audit_summary.md b/dev/target-fields-audit/out/pilot/target_fields_audit_summary.md new file mode 100644 index 00000000000..25eae74b405 --- /dev/null +++ b/dev/target-fields-audit/out/pilot/target_fields_audit_summary.md 
@@ -0,0 +1,52 @@ +# ECS `*.target.*` audit summary + +- **git HEAD:** `d43ff234d21161ef4cbbc25d56415e4aa72680d9` +- **generated (UTC):** 2026-05-13T12:38:37Z +- **evidence rows:** 41 + +## Unique packages by tier and prefix + +### Tier A — Pipeline + +| matched_prefix | unique_packages | +| --- | --- | +| host.target. | 0 | +| user.target. | 4 | +| service.target. | 0 | +| entity.target. | 0 | + +### Tier B — Fields + +| matched_prefix | unique_packages | +| --- | --- | +| host.target. | 0 | +| user.target. | 1 | +| service.target. | 0 | +| entity.target. | 0 | + +### Tier C — Kibana JSON + +| matched_prefix | unique_packages | +| --- | --- | +| host.target. | 0 | +| user.target. | 1 | +| service.target. | 0 | +| entity.target. | 0 | + +## Tier A — unique (package, data_stream) pairs + +4 + +## Tier A — top 20 packages by evidence row count + +| package | tier_A_rows | +| --- | --- | +| cyberarkpas | 14 | +| vectra_detect | 13 | +| okta | 6 | +| mysql_enterprise | 2 | + +## Totals + +- **unique packages with any hit:** 4 +- **unique packages with Tier A hit:** 4 diff --git a/dev/target-fields-audit/out/security/destination_identity_hits.csv b/dev/target-fields-audit/out/security/destination_identity_hits.csv new file mode 100644 index 00000000000..8dbde45fb8a --- /dev/null +++ b/dev/target-fields-audit/out/security/destination_identity_hits.csv 
@@ -0,0 +1,194 @@ +package,data_stream,dest_kind,file,line,field_path,snippet +abnormal_security,ai_security_mailbox,destination.user,packages/abnormal_security/data_stream/ai_security_mailbox/elasticsearch/ingest_pipeline/default.yml,219,destination.user,- '^%{EMAILADDRESS:destination.user.email}$' +abnormal_security,ai_security_mailbox,destination.user,packages/abnormal_security/data_stream/ai_security_mailbox/elasticsearch/ingest_pipeline/default.yml,220,destination.user,- '^%{DATA:destination.user.name}$' +beyondtrust_pra,access_session,destination.host,packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml,81,json.destination.hostname,field: json.destination.hostname +beyondtrust_pra,access_session,destination.host,packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml,83,beyondtrust_pra.access_session.destination.hostname,target_field: beyondtrust_pra.access_session.destination.hostname +beyondtrust_pra,access_session,destination.host,packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml,88,beyondtrust_pra.access_session.destination.hostname,copy_from: beyondtrust_pra.access_session.destination.hostname +beyondtrust_pra,access_session,destination.host,packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml,1019,destination.host,- beyondtrust_pra.access_session.destination.hostname +beyondtrust_pra,access_session,destination.user,packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml,96,destination.user.id,field: destination.user.id +beyondtrust_pra,access_session,destination.user,packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml,253,destination.user.name,field: destination.user.name 
+beyondtrust_pra,access_session,destination.user,packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml,993,destination.user,"value: ""{{{destination.user.id}}}""" +beyondtrust_pra,access_session,destination.user,packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml,998,destination.user,"value: ""{{{destination.user.name}}}""" +cef,log,destination.user,packages/cef/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml,123,destination.user,to: destination.user.email +cef,log,destination.user,packages/cef/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml,292,destination.user,value: ['{{{destination.user.email}}}'] +cef,log,destination.user,packages/cef/data_stream/log/elasticsearch/ingest_pipeline/default.yml,103,destination.user,value: '{{{destination.user.name}}}' +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,378,destination.user.name,field: destination.user.name +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,383,destination.user.domain,field: destination.user.domain +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,579,destination.user.email,target_field: destination.user.email +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,584,destination.user,"value: [""{{{destination.user.email}}}""]" +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,589,destination.user,"value: [""{{{destination.user.email}}}""]" +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,634,destination.user.id,target_field: destination.user.id 
+checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,824,destination.user.name,field: destination.user.name +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,1515,destination.user.email,target_field: destination.user.email +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,1516,destination.user.name,field: destination.user.name +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,1518,destination.user,"if: ctx.destination?.user?.email == null && ctx.destination?.user?.name != null && ctx.destination.user.name.indexOf(""@"") > 0" +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,1520,destination.user.email,field: destination.user.email +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,1521,destination.user,pattern: '%{destination.user.name}@%{destination.user.domain}' +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,1529,destination.user,"value: ""{{{destination.user.id}}}""" +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,1535,destination.user,"value: ""{{{destination.user.name}}}""" +checkpoint,firewall,destination.user,packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml,1541,destination.user,"value: ""{{{destination.user.email}}}""" +checkpoint_email,event,destination.user,packages/checkpoint_email/data_stream/event/elasticsearch/ingest_pipeline/default.yml,261,destination.user.email,field: destination.user.email 
+checkpoint_email,event,destination.user,packages/checkpoint_email/data_stream/event/elasticsearch/ingest_pipeline/default.yml,267,destination.user.email,field: destination.user.email +checkpoint_email,event,destination.user,packages/checkpoint_email/data_stream/event/elasticsearch/ingest_pipeline/default.yml,269,destination.user,pattern: '%{destination.user.name}@%{destination.user.domain}' +cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2004,destination.user.name,field: destination.user.name +cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2022,destination.user,"field: ""destination.user.name""" +cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2026,destination.user,- (%{CISCO_DOMAIN})?%{CISCO_USER_EMAIL:destination.user.email} +cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2030,destination.user,"CISCO_USER_EMAIL: ""%{CISCO_USER}@%{HOSTNAME:destination.user.domain}""" +cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2031,destination.user,"CISCO_USER: ""%{USERNAME:destination.user.name}""" +cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2032,destination.user,CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:destination.user.domain}\\)? 
+cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,3140,destination.user,description: copy destination.user.name to user.name if it is not set +cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,3142,destination.user,"value: ""{{{destination.user.name}}}""" +cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,3226,destination.user,"value: ""{{{destination.user.name}}}""" +cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,3227,destination.user,if: ctx?.destination?.user?.name != null && ctx.destination.user.name != '' && ctx.destination.user.name != '*****' +cisco_asa,log,destination.user,packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,3268,destination.user,"value: ""{{{destination.user.domain}}}""" +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2176,destination.user.name,field: destination.user.name +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2202,destination.user,"field: ""destination.user.name""" +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2206,destination.user,- (%{CISCO_DOMAIN})?%{CISCO_USER_EMAIL:destination.user.email} +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2210,destination.user,"CISCO_USER_EMAIL: ""%{CISCO_USER}@%{HOSTNAME:destination.user.domain}""" +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2211,destination.user,"CISCO_USER: ""%{USERNAME:destination.user.name}""" 
+cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2212,destination.user,CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:destination.user.domain}\\)? +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2995,destination.user,description: copy destination.user.name to user.name if it is not set +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,2997,destination.user,"value: ""{{{destination.user.name}}}""" +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,3116,destination.user,"value: ""{{{destination.user.name}}}""" +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,3117,destination.user,if: ctx.destination?.user?.name != null && ctx.destination.user.name != '' +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,3158,destination.user,"value: ""{{{destination.user.domain}}}""" +cisco_ftd,log,destination.user,packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml,3159,destination.user,if: ctx.destination?.user?.domain != null && ctx.destination.user.domain != '' +claroty_ctd,event,destination.host,packages/claroty_ctd/data_stream/event/elasticsearch/ingest_pipeline/default.yml,431,claroty_ctd.event.destination.host,target_field: claroty_ctd.event.destination.host +claroty_ctd,event,destination.host,packages/claroty_ctd/data_stream/event/elasticsearch/ingest_pipeline/default.yml,436,claroty_ctd.event.destination.host,copy_from: claroty_ctd.event.destination.host +claroty_ctd,event,destination.host,packages/claroty_ctd/data_stream/event/elasticsearch/ingest_pipeline/default.yml,441,destination.host,"value: ""{{{claroty_ctd.event.destination.host}}}""" 
+claroty_ctd,event,destination.host,packages/claroty_ctd/data_stream/event/elasticsearch/ingest_pipeline/default.yml,2144,destination.host,- claroty_ctd.event.destination.host +crowdstrike,alert,destination.user,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1931,destination.user.domain,field: destination.user.domain +crowdstrike,alert,destination.user,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1938,destination.user,value: '{{{destination.user.domain}}}' +crowdstrike,alert,destination.user,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1947,destination.user.name,field: destination.user.name +crowdstrike,alert,destination.user,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1954,destination.user,value: '{{{destination.user.name}}}' +cyberark_pta,events,destination.user,packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml,87,destination.user.name,field: destination.user.name +cyberark_pta,events,destination.user,packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml,88,destination.user.email,target_field: destination.user.email +cyberark_pta,events,destination.user,packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml,90,destination.user,"if: ctx.destination?.user?.name != null && ctx.destination.user.name.indexOf(""@"") > 0" +cyberark_pta,events,destination.user,packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml,92,destination.user.email,field: destination.user.email +cyberark_pta,events,destination.user,packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml,93,destination.user,pattern: '%{destination.user.name}@%{destination.user.domain}' +cyberark_pta,events,destination.user,packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml,100,destination.user,value: 
'{{{destination.user.name}}}' +cyberark_pta,events,destination.user,packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml,106,destination.user,value: '{{{destination.user.email}}}' +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,504,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,522,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,612,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,752,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,771,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,792,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,815,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,848,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,867,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,886,destination.user.name,- set: destination.user.name 
+cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,907,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,935,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,950,destination.user.name,- set: destination.user.name +cyberarkpas,audit,destination.user,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,1108,destination.user,value: '{{{destination.user.name}}}' +fortinet_fortigate,log,destination.user,packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/default.yml,754,destination.user,"value: ""{{{destination.user.name}}}""" +fortinet_fortigate,log,destination.user,packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/traffic.yml,117,destination.user.name,target_field: destination.user.name +google_secops,alert,destination.user,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1403,destination.user.email,field: destination.user.email +google_secops,alert,destination.user,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1458,destination.user.group.id,field: destination.user.group.id +google_secops,alert,destination.user,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1464,destination.user.name,field: destination.user.name +google_secops,alert,destination.user,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1469,destination.user.id,field: destination.user.id +jumpcloud,events,destination.user,packages/jumpcloud/data_stream/events/elasticsearch/ingest_pipeline/default.yml,258,destination.user,"value: ""{{{destination.user.name}}}""" 
+microsoft_exchange_online_message_trace,log,destination.user,packages/microsoft_exchange_online_message_trace/data_stream/log/elasticsearch/ingest_pipeline/default.yml,131,destination.user.id,field: destination.user.id +microsoft_exchange_online_message_trace,log,destination.user,packages/microsoft_exchange_online_message_trace/data_stream/log/elasticsearch/ingest_pipeline/default.yml,135,destination.user.email,field: destination.user.email +microsoft_exchange_online_message_trace,log,destination.user,packages/microsoft_exchange_online_message_trace/data_stream/log/elasticsearch/ingest_pipeline/default.yml,310,destination.user.name,field: destination.user.name +microsoft_exchange_online_message_trace,log,destination.user,packages/microsoft_exchange_online_message_trace/data_stream/log/elasticsearch/ingest_pipeline/default.yml,314,destination.user.domain,field: destination.user.domain +nozomi_networks,alert,destination.user,packages/nozomi_networks/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,188,destination.user.roles,field: destination.user.roles +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1019,destination.user,if (ctx.destination.user == null) { +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1020,destination.user,ctx.destination.user = new HashMap(); +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1022,destination.user,ctx.destination.user.email = new ArrayList(); +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1028,destination.user,ctx.destination.user.email.add(emails[e]); +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1032,destination.user,ctx.destination.user.email.add(emails); 
+o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1156,destination.user.email,target_field: destination.user.email +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1172,destination.user.id,target_field: destination.user.id +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1437,destination.user,"String[] splitmail = ctx.destination.user.id.splitOnToken(""@"");" +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1441,destination.user,ctx.destination.user.email = ctx.destination.user.id; +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1442,destination.user,ctx.destination.user.domain = splitmail[1]; +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1443,destination.user,ctx.destination.user.name = splitmail[0]; +o365,audit,destination.user,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1684,destination.user.email,field: destination.user.email +panw,panos,destination.user,packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml,1406,destination.user,- '^%{PATRUNKATEDHOSTNAME:destination.user.domain}\\%{USERNAME:destination.user.name}$' +panw,panos,destination.user,packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml,1407,destination.user,- '^%{PATRUNKATEDHOSTNAME:destination.user.domain}\\\\%{USERNAME:destination.user.name}$' +panw,panos,destination.user,packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml,1408,destination.user,- '^%{USERNAME:destination.user.name}@%{PATRUNKATEDHOSTNAME:destination.user.domain}$' +panw,panos,destination.user,packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml,1409,destination.user,- 
'^%{GREEDYDATA:destination.user.name}$' +panw,panos,destination.user,packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml,1423,panw.panos.destination.user,field: panw.panos.destination.user +panw,panos,destination.user,packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml,1424,destination.user.name,copy_from: destination.user.name +panw,panos,destination.user,packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml,1889,destination.user,value: '{{{destination.user.name}}}' +panw,panos,destination.user,packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml,1980,destination.user,- panw.panos.destination.user +panw,panos,destination.user,packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml,235,destination.user.email,field: destination.user.email +ping_federate,audit,destination.user,packages/ping_federate/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,350,destination.user,- destination.user.id +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,940,destination.user.domain,field: destination.user.domain +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1007,destination.user,- (?[^\\]*)[\\]*(?[^\\]*) +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1012,prisma_access.event.pan_os_value.destination.user.name,target_field: prisma_access.event.pan_os_value.destination.user.name +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1018,prisma_access.event.pan_os_value.destination.user.name,target_field: prisma_access.event.pan_os_value.destination.user.name 
+prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1021,destination.user.domain,field: destination.user.domain +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1023,destination.user,"value: ""{{{prisma_access.event.pan_os_value.destination.user.domain}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1027,destination.user.name,field: destination.user.name +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1029,destination.user,"value: ""{{{prisma_access.event.pan_os_value.destination.user.name}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1035,destination.user,"value: ""{{{prisma_access.event.pan_os_value.destination.user.name}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1043,destination.user,- (?[^\\]*)[\\]*(?[^\\]*) +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1048,prisma_access.event.pan_os_data.destination.user.name,target_field: prisma_access.event.pan_os_data.destination.user.name +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1054,prisma_access.event.pan_os_data.destination.user.name,target_field: prisma_access.event.pan_os_data.destination.user.name +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1057,destination.user.domain,field: destination.user.domain 
+prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1059,destination.user,"value: ""{{{prisma_access.event.pan_os_data.destination.user.domain}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1063,destination.user.name,field: destination.user.name +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1065,destination.user,"value: ""{{{prisma_access.event.pan_os_data.destination.user.name}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1071,destination.user,"value: ""{{{prisma_access.event.pan_os_data.destination.user.name}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1077,prisma_access.event.pan_os.destination.user.domain,target_field: prisma_access.event.pan_os.destination.user.domain +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1080,destination.user.domain,field: destination.user.domain +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1082,destination.user,"value: ""{{{prisma_access.event.pan_os.destination.user.domain}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1088,prisma_access.event.destination.user.id,target_field: prisma_access.event.destination.user.id +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1091,destination.user.id,field: destination.user.id 
+prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1093,destination.user,"value: ""{{{prisma_access.event.destination.user.id}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1099,destination.user,"value: ""{{{prisma_access.event.destination.user.id}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1107,destination.user,- (?[^\\]*)[\\]*(?[^\\]*) +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1112,prisma_access.event.destination.user.name,target_field: prisma_access.event.destination.user.name +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1118,prisma_access.event.destination.user.name,target_field: prisma_access.event.destination.user.name +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1121,destination.user.domain,field: destination.user.domain +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1123,destination.user,"value: ""{{{prisma_access.event.destination.user.domain}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1127,destination.user.name,field: destination.user.name +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1129,destination.user,"value: ""{{{prisma_access.event.destination.user.name}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1135,destination.user,"value: ""{{{prisma_access.event.destination.user.name}}}""" 
+prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1141,prisma_access.event.destination.user.uuid,target_field: prisma_access.event.destination.user.uuid +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1144,destination.user.id,field: destination.user.id +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1146,destination.user,"value: ""{{{prisma_access.event.destination.user.uuid}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,1152,destination.user,"value: ""{{{prisma_access.event.destination.user.uuid}}}""" +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,5236,destination.user,- prisma_access.event.pan_os_value.destination.user.domain +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,5237,destination.user,- prisma_access.event.pan_os_value.destination.user.name +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,5238,destination.user,- prisma_access.event.pan_os_data.destination.user.domain +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,5239,destination.user,- prisma_access.event.pan_os_data.destination.user.name +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,5240,destination.user,- prisma_access.event.pan_os.destination.user.domain +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,5241,destination.user,- prisma_access.event.destination.user.domain 
+prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,5242,destination.user,- prisma_access.event.destination.user.id +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,5243,destination.user,- prisma_access.event.destination.user.name +prisma_access,event,destination.user,packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml,5244,destination.user,- prisma_access.event.destination.user.uuid +sentinel_one_cloud_funnel,event,destination.user,packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml,107,destination.user.name,field: destination.user.name +sentinel_one_cloud_funnel,event,destination.user,packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml,115,destination.user.domain,field: destination.user.domain +sentinel_one_cloud_funnel,event,destination.user,packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml,123,destination.user.domain,field: destination.user.domain +sentinel_one_cloud_funnel,event,destination.user,packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml,131,destination.user.name,field: destination.user.name +sentinel_one_cloud_funnel,event,destination.user,packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml,136,destination.user,value: '{{{destination.user.name}}}' +sentinel_one_cloud_funnel,event,destination.user,packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml,141,destination.user,value: '{{{destination.user.domain}}}' +sophos,xg,destination.user,packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml,107,destination.user.email,target_field: destination.user.email 
+sophos,xg,destination.user,packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml,117,destination.user,"value: ""{{{destination.user.email}}}""" +sophos,xg,destination.user,packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml,122,destination.user.email,target_field: destination.user.email +sophos,xg,destination.user,packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml,132,destination.user,"value: ""{{{destination.user.email}}}""" +swimlane,tenant_api,destination.user,packages/swimlane/data_stream/tenant_api/elasticsearch/ingest_pipeline/default.yml,178,destination.user.changes.id,target_field: destination.user.changes.id +swimlane,tenant_api,destination.user,packages/swimlane/data_stream/tenant_api/elasticsearch/ingest_pipeline/default.yml,182,destination.user.changes.name,target_field: destination.user.changes.name +swimlane,turbine_api,destination.user,packages/swimlane/data_stream/turbine_api/elasticsearch/ingest_pipeline/default.yml,195,destination.user.changes.id,target_field: destination.user.changes.id +swimlane,turbine_api,destination.user,packages/swimlane/data_stream/turbine_api/elasticsearch/ingest_pipeline/default.yml,199,destination.user.changes.name,target_field: destination.user.changes.name +trellix_epo_cloud,event,destination.user,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,178,destination.user.name,field: destination.user.name +trellix_epo_cloud,event,destination.user,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,184,destination.user,value: '{{{destination.user.name}}}' +trend_micro_vision_one,detection,destination.user,packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml,171,trend_micro_vision_one.detection.destination.user,target_field: trend_micro_vision_one.detection.destination.user 
+trend_micro_vision_one,detection,destination.user,packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml,1269,destination.user.name,field: destination.user.name +trend_micro_vision_one,detection,destination.user,packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml,1271,trend_micro_vision_one.detection.destination.user,copy_from: trend_micro_vision_one.detection.destination.user +trend_micro_vision_one,detection,destination.user,packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml,1597,trend_micro_vision_one.detection.destination.user,field: trend_micro_vision_one.detection.destination.user +trend_micro_vision_one,detection,destination.user,packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml,1789,destination.user,- trend_micro_vision_one.detection.destination.user +trendmicro,deep_security,destination.user,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,687,destination.user.name,field: destination.user.name +trendmicro,deep_security,destination.user,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,694,destination.user,value: '{{{destination.user.name}}}' +tychon,arp,destination.host,packages/tychon/data_stream/arp/elasticsearch/ingest_pipeline/rest.yml,26,destination.host,"value: ""{{{tychon.destination.hostname}}}""" +watchguard_firebox,log,destination.user,packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_traffic.yml,446,destination.user.name,field: destination.user.name +watchguard_firebox,log,destination.user,packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_traffic.yml,451,destination.user.domain,field: destination.user.domain 
+windows,forwarded,destination.user,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml,170,destination.user.domain,target_field: destination.user.domain +windows,forwarded,destination.user,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml,176,destination.user.name,target_field: destination.user.name +windows,powershell_operational,destination.user,packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml,170,destination.user.domain,target_field: destination.user.domain +windows,powershell_operational,destination.user,packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml,176,destination.user.name,target_field: destination.user.name +zoom,webhook,destination.user,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/phone.yml,175,destination.user.id,field: destination.user.id diff --git a/dev/target-fields-audit/out/security/destination_identity_review.md b/dev/target-fields-audit/out/security/destination_identity_review.md new file mode 100644 index 00000000000..6fff4dfff59 --- /dev/null +++ b/dev/target-fields-audit/out/security/destination_identity_review.md 
@@ -0,0 +1,337 @@ +# Destination identity review list + +- **git HEAD:** `d43ff234d21161ef4cbbc25d56415e4aa72680d9` +- **generated (UTC):** 2026-05-20T08:56:43Z +- **integration packages scanned:** 273 +- **packages with `destination.user` in pipeline:** 28 +- **packages with `destination.host` / `destination.hostname` in pipeline:** 3 +- **packages with either:** 30 +- **evidence rows:** 193 + +- **filter:** Only integrations whose root manifest lists the `security` category. + +Use [`destination_identity_hits.csv`](destination_identity_hits.csv) for line-level evidence. + +## Package checklist (sorted A–Z) + +Review each integration: confirm whether `destination.user` / `destination.host` +represents the **target** of the action (candidate for `user.target.*` / `host.target.*`) +or only network/session context. + +| # | package | destination.user | destination.host | data_streams | +| ---: | --- | :---: | :---: | --- | +| 1 | abnormal_security | yes | | ai_security_mailbox | +| 2 | beyondtrust_pra | yes | yes | access_session | +| 3 | cef | yes | | log | +| 4 | checkpoint | yes | | firewall | +| 5 | checkpoint_email | yes | | event | +| 6 | cisco_asa | yes | | log | +| 7 | cisco_ftd | yes | | log | +| 8 | claroty_ctd | | yes | event | +| 9 | crowdstrike | yes | | alert | +| 10 | cyberark_pta | yes | | events | +| 11 | cyberarkpas | yes | | audit | +| 12 | fortinet_fortigate | yes | | log | +| 13 | google_secops | yes | | alert | +| 14 | jumpcloud | yes | | events | +| 15 | microsoft_exchange_online_message_trace | yes | | log | +| 16 | nozomi_networks | yes | | alert | +| 17 | o365 | yes | | audit | +| 18 | panw | yes | | panos | +| 19 | ping_federate | yes | | audit | +| 20 | prisma_access | yes | | event | +| 21 | sentinel_one_cloud_funnel | yes | | event | +| 22 | sophos | yes | | xg | +| 23 | swimlane | yes | | tenant_api, turbine_api | +| 24 | trellix_epo_cloud | yes | | event | +| 25 | trend_micro_vision_one | yes | | detection | +| 26 | trendmicro | yes | 
| deep_security | +| 27 | tychon | | yes | arp | +| 28 | watchguard_firebox | yes | | log | +| 29 | windows | yes | | forwarded, powershell_operational | +| 30 | zoom | yes | | webhook | + +## Per-package detail + +### abnormal_security + +- **destination.user** — `destination.user` — `packages/abnormal_security/data_stream/ai_security_mailbox/elasticsearch/ingest_pipeline/default.yml:219` — data_stream: `ai_security_mailbox` +- **destination.user** — `destination.user` — `packages/abnormal_security/data_stream/ai_security_mailbox/elasticsearch/ingest_pipeline/default.yml:220` — data_stream: `ai_security_mailbox` + +### beyondtrust_pra + +- **destination.host** — `json.destination.hostname` — `packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml:81` — data_stream: `access_session` +- **destination.host** — `beyondtrust_pra.access_session.destination.hostname` — `packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml:83` — data_stream: `access_session` +- **destination.host** — `beyondtrust_pra.access_session.destination.hostname` — `packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml:88` — data_stream: `access_session` +- **destination.user** — `destination.user.id` — `packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml:96` — data_stream: `access_session` +- **destination.user** — `destination.user.name` — `packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml:253` — data_stream: `access_session` +- **destination.user** — `destination.user` — `packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml:993` — data_stream: `access_session` +- **destination.user** — `destination.user` — `packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml:998` — data_stream: `access_session` +- 
**destination.host** — `destination.host` — `packages/beyondtrust_pra/data_stream/access_session/elasticsearch/ingest_pipeline/default.yml:1019` — data_stream: `access_session` + +### cef + +- **destination.user** — `destination.user` — `packages/cef/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml:123` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cef/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml:292` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cef/data_stream/log/elasticsearch/ingest_pipeline/default.yml:103` — data_stream: `log` + +### checkpoint + +- **destination.user** — `destination.user.name` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:378` — data_stream: `firewall` +- **destination.user** — `destination.user.domain` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:383` — data_stream: `firewall` +- **destination.user** — `destination.user.email` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:579` — data_stream: `firewall` +- **destination.user** — `destination.user` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:584` — data_stream: `firewall` +- **destination.user** — `destination.user` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:589` — data_stream: `firewall` +- **destination.user** — `destination.user.id` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:634` — data_stream: `firewall` +- **destination.user** — `destination.user.name` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:824` — data_stream: `firewall` +- **destination.user** — `destination.user.email` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:1515` — data_stream: `firewall` +- 
**destination.user** — `destination.user.name` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:1516` — data_stream: `firewall` +- **destination.user** — `destination.user` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:1518` — data_stream: `firewall` +- **destination.user** — `destination.user.email` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:1520` — data_stream: `firewall` +- **destination.user** — `destination.user` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:1521` — data_stream: `firewall` +- **destination.user** — `destination.user` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:1529` — data_stream: `firewall` +- **destination.user** — `destination.user` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:1535` — data_stream: `firewall` +- **destination.user** — `destination.user` — `packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml:1541` — data_stream: `firewall` + +### checkpoint_email + +- **destination.user** — `destination.user.email` — `packages/checkpoint_email/data_stream/event/elasticsearch/ingest_pipeline/default.yml:261` — data_stream: `event` +- **destination.user** — `destination.user.email` — `packages/checkpoint_email/data_stream/event/elasticsearch/ingest_pipeline/default.yml:267` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/checkpoint_email/data_stream/event/elasticsearch/ingest_pipeline/default.yml:269` — data_stream: `event` + +### cisco_asa + +- **destination.user** — `destination.user.name` — `packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2004` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2022` — data_stream: 
`log` +- **destination.user** — `destination.user` — `packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2026` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2030` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2031` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2032` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:3140` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:3142` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:3226` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:3227` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:3268` — data_stream: `log` + +### cisco_ftd + +- **destination.user** — `destination.user.name` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2176` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2202` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2206` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2210` — data_stream: 
`log` +- **destination.user** — `destination.user` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2211` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2212` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2995` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2997` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:3116` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:3117` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:3158` — data_stream: `log` +- **destination.user** — `destination.user` — `packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:3159` — data_stream: `log` + +### claroty_ctd + +- **destination.host** — `claroty_ctd.event.destination.host` — `packages/claroty_ctd/data_stream/event/elasticsearch/ingest_pipeline/default.yml:431` — data_stream: `event` +- **destination.host** — `claroty_ctd.event.destination.host` — `packages/claroty_ctd/data_stream/event/elasticsearch/ingest_pipeline/default.yml:436` — data_stream: `event` +- **destination.host** — `destination.host` — `packages/claroty_ctd/data_stream/event/elasticsearch/ingest_pipeline/default.yml:441` — data_stream: `event` +- **destination.host** — `destination.host` — `packages/claroty_ctd/data_stream/event/elasticsearch/ingest_pipeline/default.yml:2144` — data_stream: `event` + +### crowdstrike + +- **destination.user** — `destination.user.domain` — 
`packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml:1931` — data_stream: `alert` +- **destination.user** — `destination.user` — `packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml:1938` — data_stream: `alert` +- **destination.user** — `destination.user.name` — `packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml:1947` — data_stream: `alert` +- **destination.user** — `destination.user` — `packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml:1954` — data_stream: `alert` + +### cyberark_pta + +- **destination.user** — `destination.user.name` — `packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml:87` — data_stream: `events` +- **destination.user** — `destination.user.email` — `packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml:88` — data_stream: `events` +- **destination.user** — `destination.user` — `packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml:90` — data_stream: `events` +- **destination.user** — `destination.user.email` — `packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml:92` — data_stream: `events` +- **destination.user** — `destination.user` — `packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml:93` — data_stream: `events` +- **destination.user** — `destination.user` — `packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml:100` — data_stream: `events` +- **destination.user** — `destination.user` — `packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml:106` — data_stream: `events` + +### cyberarkpas + +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:504` — data_stream: `audit` +- **destination.user** — `destination.user.name` — 
`packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:522` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:612` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:752` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:771` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:792` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:815` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:848` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:867` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:886` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:907` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:935` — data_stream: `audit` +- **destination.user** — `destination.user.name` — `packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:950` — data_stream: `audit` +- **destination.user** — `destination.user` — 
`packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml:1108` — data_stream: `audit` + +### fortinet_fortigate + +- **destination.user** — `destination.user` — `packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/default.yml:754` — data_stream: `log` +- **destination.user** — `destination.user.name` — `packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/traffic.yml:117` — data_stream: `log` + +### google_secops + +- **destination.user** — `destination.user.email` — `packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml:1403` — data_stream: `alert` +- **destination.user** — `destination.user.group.id` — `packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml:1458` — data_stream: `alert` +- **destination.user** — `destination.user.name` — `packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml:1464` — data_stream: `alert` +- **destination.user** — `destination.user.id` — `packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml:1469` — data_stream: `alert` + +### jumpcloud + +- **destination.user** — `destination.user` — `packages/jumpcloud/data_stream/events/elasticsearch/ingest_pipeline/default.yml:258` — data_stream: `events` + +### microsoft_exchange_online_message_trace + +- **destination.user** — `destination.user.id` — `packages/microsoft_exchange_online_message_trace/data_stream/log/elasticsearch/ingest_pipeline/default.yml:131` — data_stream: `log` +- **destination.user** — `destination.user.email` — `packages/microsoft_exchange_online_message_trace/data_stream/log/elasticsearch/ingest_pipeline/default.yml:135` — data_stream: `log` +- **destination.user** — `destination.user.name` — `packages/microsoft_exchange_online_message_trace/data_stream/log/elasticsearch/ingest_pipeline/default.yml:310` — data_stream: `log` +- **destination.user** — `destination.user.domain` — 
`packages/microsoft_exchange_online_message_trace/data_stream/log/elasticsearch/ingest_pipeline/default.yml:314` — data_stream: `log` + +### nozomi_networks + +- **destination.user** — `destination.user.roles` — `packages/nozomi_networks/data_stream/alert/elasticsearch/ingest_pipeline/default.yml:188` — data_stream: `alert` + +### o365 + +- **destination.user** — `destination.user` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1019` — data_stream: `audit` +- **destination.user** — `destination.user` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1020` — data_stream: `audit` +- **destination.user** — `destination.user` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1022` — data_stream: `audit` +- **destination.user** — `destination.user` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1028` — data_stream: `audit` +- **destination.user** — `destination.user` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1032` — data_stream: `audit` +- **destination.user** — `destination.user.email` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1156` — data_stream: `audit` +- **destination.user** — `destination.user.id` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1172` — data_stream: `audit` +- **destination.user** — `destination.user` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1437` — data_stream: `audit` +- **destination.user** — `destination.user` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1441` — data_stream: `audit` +- **destination.user** — `destination.user` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1442` — data_stream: `audit` +- **destination.user** — `destination.user` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1443` — 
data_stream: `audit` +- **destination.user** — `destination.user.email` — `packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:1684` — data_stream: `audit` + +### panw + +- **destination.user** — `destination.user` — `packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml:1406` — data_stream: `panos` +- **destination.user** — `destination.user` — `packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml:1407` — data_stream: `panos` +- **destination.user** — `destination.user` — `packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml:1408` — data_stream: `panos` +- **destination.user** — `destination.user` — `packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml:1409` — data_stream: `panos` +- **destination.user** — `panw.panos.destination.user` — `packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml:1423` — data_stream: `panos` +- **destination.user** — `destination.user.name` — `packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml:1424` — data_stream: `panos` +- **destination.user** — `destination.user` — `packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml:1889` — data_stream: `panos` +- **destination.user** — `destination.user` — `packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml:1980` — data_stream: `panos` +- **destination.user** — `destination.user.email` — `packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/threat.yml:235` — data_stream: `panos` + +### ping_federate + +- **destination.user** — `destination.user` — `packages/ping_federate/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:350` — data_stream: `audit` + +### prisma_access + +- **destination.user** — `destination.user.domain` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:940` — data_stream: `event` +- **destination.user** — `destination.user` — 
`packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1007` — data_stream: `event` +- **destination.user** — `prisma_access.event.pan_os_value.destination.user.name` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1012` — data_stream: `event` +- **destination.user** — `prisma_access.event.pan_os_value.destination.user.name` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1018` — data_stream: `event` +- **destination.user** — `destination.user.domain` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1021` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1023` — data_stream: `event` +- **destination.user** — `destination.user.name` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1027` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1029` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1035` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1043` — data_stream: `event` +- **destination.user** — `prisma_access.event.pan_os_data.destination.user.name` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1048` — data_stream: `event` +- **destination.user** — `prisma_access.event.pan_os_data.destination.user.name` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1054` — data_stream: `event` +- **destination.user** — `destination.user.domain` — 
`packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1057` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1059` — data_stream: `event` +- **destination.user** — `destination.user.name` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1063` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1065` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1071` — data_stream: `event` +- **destination.user** — `prisma_access.event.pan_os.destination.user.domain` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1077` — data_stream: `event` +- **destination.user** — `destination.user.domain` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1080` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1082` — data_stream: `event` +- **destination.user** — `prisma_access.event.destination.user.id` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1088` — data_stream: `event` +- **destination.user** — `destination.user.id` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1091` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1093` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1099` — data_stream: `event` +- **destination.user** — `destination.user` — 
`packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1107` — data_stream: `event` +- **destination.user** — `prisma_access.event.destination.user.name` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1112` — data_stream: `event` +- **destination.user** — `prisma_access.event.destination.user.name` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1118` — data_stream: `event` +- **destination.user** — `destination.user.domain` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1121` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1123` — data_stream: `event` +- **destination.user** — `destination.user.name` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1127` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1129` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1135` — data_stream: `event` +- **destination.user** — `prisma_access.event.destination.user.uuid` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1141` — data_stream: `event` +- **destination.user** — `destination.user.id` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1144` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1146` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:1152` — data_stream: `event` +- **destination.user** — 
`destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:5236` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:5237` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:5238` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:5239` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:5240` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:5241` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:5242` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:5243` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/prisma_access/data_stream/event/elasticsearch/ingest_pipeline/default.yml:5244` — data_stream: `event` + +### sentinel_one_cloud_funnel + +- **destination.user** — `destination.user.name` — `packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml:107` — data_stream: `event` +- **destination.user** — `destination.user.domain` — `packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml:115` — data_stream: `event` +- **destination.user** — `destination.user.domain` — `packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml:123` — data_stream: `event` +- 
**destination.user** — `destination.user.name` — `packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml:131` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml:136` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml:141` — data_stream: `event` + +### sophos + +- **destination.user** — `destination.user.email` — `packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml:107` — data_stream: `xg` +- **destination.user** — `destination.user` — `packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml:117` — data_stream: `xg` +- **destination.user** — `destination.user.email` — `packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml:122` — data_stream: `xg` +- **destination.user** — `destination.user` — `packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml:132` — data_stream: `xg` + +### swimlane + +- **destination.user** — `destination.user.changes.id` — `packages/swimlane/data_stream/tenant_api/elasticsearch/ingest_pipeline/default.yml:178` — data_stream: `tenant_api` +- **destination.user** — `destination.user.changes.name` — `packages/swimlane/data_stream/tenant_api/elasticsearch/ingest_pipeline/default.yml:182` — data_stream: `tenant_api` +- **destination.user** — `destination.user.changes.id` — `packages/swimlane/data_stream/turbine_api/elasticsearch/ingest_pipeline/default.yml:195` — data_stream: `turbine_api` +- **destination.user** — `destination.user.changes.name` — `packages/swimlane/data_stream/turbine_api/elasticsearch/ingest_pipeline/default.yml:199` — data_stream: `turbine_api` + +### trellix_epo_cloud + +- **destination.user** — `destination.user.name` — 
`packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml:178` — data_stream: `event` +- **destination.user** — `destination.user` — `packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml:184` — data_stream: `event` + +### trend_micro_vision_one + +- **destination.user** — `trend_micro_vision_one.detection.destination.user` — `packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml:171` — data_stream: `detection` +- **destination.user** — `destination.user.name` — `packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml:1269` — data_stream: `detection` +- **destination.user** — `trend_micro_vision_one.detection.destination.user` — `packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml:1271` — data_stream: `detection` +- **destination.user** — `trend_micro_vision_one.detection.destination.user` — `packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml:1597` — data_stream: `detection` +- **destination.user** — `destination.user` — `packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml:1789` — data_stream: `detection` + +### trendmicro + +- **destination.user** — `destination.user.name` — `packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml:687` — data_stream: `deep_security` +- **destination.user** — `destination.user` — `packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml:694` — data_stream: `deep_security` + +### tychon + +- **destination.host** — `destination.host` — `packages/tychon/data_stream/arp/elasticsearch/ingest_pipeline/rest.yml:26` — data_stream: `arp` + +### watchguard_firebox + +- **destination.user** — `destination.user.name` — 
`packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_traffic.yml:446` — data_stream: `log` +- **destination.user** — `destination.user.domain` — `packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_traffic.yml:451` — data_stream: `log` + +### windows + +- **destination.user** — `destination.user.domain` — `packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml:170` — data_stream: `forwarded` +- **destination.user** — `destination.user.name` — `packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml:176` — data_stream: `forwarded` +- **destination.user** — `destination.user.domain` — `packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml:170` — data_stream: `powershell_operational` +- **destination.user** — `destination.user.name` — `packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml:176` — data_stream: `powershell_operational` + +### zoom + +- **destination.user** — `destination.user.id` — `packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/phone.yml:175` — data_stream: `webhook` diff --git a/dev/target-fields-audit/out/security/target_enhancement_packages.csv b/dev/target-fields-audit/out/security/target_enhancement_packages.csv new file mode 100644 index 00000000000..9774810d9c0 --- /dev/null +++ b/dev/target-fields-audit/out/security/target_enhancement_packages.csv 
@@ -0,0 +1,274 @@ +package,priority,ecs_target_tierA_audit,pipeline_dest_identity,pipeline_dest_network,pipeline_actor,pipeline_entity_other,fixture_strong,docs_lexicon +amazon_security_lake,already_maps_ecs_target,true,true,true,true,false,true,false +atlassian_bitbucket,already_maps_ecs_target,true,false,false,true,false,true,false +atlassian_confluence,already_maps_ecs_target,true,false,false,true,false,true,false +atlassian_jira,already_maps_ecs_target,true,false,false,true,false,true,false +aws,already_maps_ecs_target,true,true,true,true,true,true,true +box_events,already_maps_ecs_target,true,false,false,false,false,true,true +canva,already_maps_ecs_target,true,false,false,true,true,true,false +cisco_duo,already_maps_ecs_target,true,false,false,true,false,true,false +crowdstrike,already_maps_ecs_target,true,true,true,true,false,true,true +cyberarkpas,already_maps_ecs_target,true,true,true,true,false,true,false +gcp,already_maps_ecs_target,true,true,true,true,true,true,true +github,already_maps_ecs_target,true,false,false,false,false,true,false +google_workspace,already_maps_ecs_target,true,false,false,true,true,true,true +hpe_aruba_cx,already_maps_ecs_target,true,false,true,false,false,true,false +keycloak,already_maps_ecs_target,true,false,false,false,false,true,true +mattermost,already_maps_ecs_target,true,false,false,true,false,true,false +microsoft_sqlserver,already_maps_ecs_target,true,false,false,true,false,true,true +mysql_enterprise,already_maps_ecs_target,true,false,false,false,false,true,false +netskope,already_maps_ecs_target,true,true,true,false,false,true,false +o365,already_maps_ecs_target,true,true,true,true,false,true,false +okta,already_maps_ecs_target,true,false,true,true,false,true,false +qnap_nas,already_maps_ecs_target,true,false,false,false,false,true,false +tenable_io,already_maps_ecs_target,true,false,false,false,false,true,false +trend_micro_vision_one,already_maps_ecs_target,true,true,true,true,false,true,false 
+vectra_detect,already_maps_ecs_target,true,true,true,false,false,true,true +windows,already_maps_ecs_target,true,true,true,true,false,true,true +zoom,already_maps_ecs_target,true,true,false,true,false,true,false +zscaler_zpa,already_maps_ecs_target,true,false,false,false,false,false,false +fortinet_fortiedr,exploratory_docs,false,false,false,false,false,false,true +microsoft_sentinel,exploratory_docs,false,false,false,false,false,false,true +ti_opencti,exploratory_docs,false,false,false,false,false,false,true +ti_threatconnect,exploratory_docs,false,false,false,false,false,false,true +verifier_otel,exploratory_docs,false,false,false,false,false,false,true +winlog,exploratory_docs,false,false,false,false,false,false,true +1password,moderate_candidate,false,false,false,false,false,true,false +airlock_digital,moderate_candidate,false,false,false,false,false,true,false +auditd,moderate_candidate,false,false,true,false,false,true,false +auditd_manager,moderate_candidate,false,false,true,false,false,true,false +azure_network_watcher_vnet,moderate_candidate,false,false,true,false,false,true,true +bbot,moderate_candidate,false,false,false,false,false,true,false +bitdefender,moderate_candidate,false,false,true,false,false,true,false +carbonblack_edr,moderate_candidate,false,false,false,false,false,true,false +cisco_ise,moderate_candidate,false,false,true,false,false,true,false +cyberark_epm,moderate_candidate,false,false,false,false,false,true,true +cyera,moderate_candidate,false,false,false,false,false,true,false +darktrace,moderate_candidate,false,false,false,false,false,true,false +dataminr_pulse,moderate_candidate,false,false,false,false,true,false,true +eset_protect,moderate_candidate,false,false,true,false,false,true,false +fim,moderate_candidate,false,false,false,false,false,true,false +forgerock,moderate_candidate,false,false,false,false,false,true,false +gitlab,moderate_candidate,false,false,true,false,false,true,false 
+greenhouse,moderate_candidate,false,false,false,false,false,true,false +hid_bravura_monitor,moderate_candidate,false,false,false,false,false,true,false +infoblox_bloxone_ddi,moderate_candidate,false,false,false,false,false,true,true +island_browser,moderate_candidate,false,false,false,false,false,true,true +jamf_compliance_reporter,moderate_candidate,false,false,false,false,false,true,false +lumos,moderate_candidate,false,false,false,false,false,true,false +microsoft_defender_cloud,moderate_candidate,false,false,false,false,false,true,true +microsoft_exchange_server,moderate_candidate,false,false,false,false,false,true,false +mongodb_atlas,moderate_candidate,false,false,false,false,false,true,false +pps,moderate_candidate,false,false,false,false,false,true,false +prisma_cloud,moderate_candidate,false,false,false,false,false,true,false +proofpoint_itm,moderate_candidate,false,false,false,false,false,true,false +sailpoint_identity_sc,moderate_candidate,false,false,false,false,false,true,false +santa,moderate_candidate,false,false,false,false,false,true,false +sentinel_one,moderate_candidate,false,false,true,false,false,true,true +slack,moderate_candidate,false,false,false,false,true,false,false +snyk,moderate_candidate,false,false,false,false,false,true,false +symantec_endpoint_security,moderate_candidate,false,false,true,false,false,true,true +sysdig,moderate_candidate,false,false,false,false,false,true,false +tanium,moderate_candidate,false,false,false,false,false,true,true +tencent_cloud,moderate_candidate,false,false,true,false,false,true,false +ti_crowdstrike,moderate_candidate,false,false,false,false,false,true,false +ti_cyware_intel_exchange,moderate_candidate,false,false,false,false,false,true,true +ti_otx,moderate_candidate,false,false,false,false,false,true,false +ti_recordedfuture,moderate_candidate,false,false,false,false,false,true,true +ti_threatq,moderate_candidate,false,false,false,false,false,true,false 
+trellix_edr_cloud,moderate_candidate,false,false,true,false,false,true,false +vectra_rux,moderate_candidate,false,false,false,false,true,false,false +withsecure_elements,moderate_candidate,false,false,false,false,false,true,false +wiz,moderate_candidate,false,false,true,false,false,true,true +zerofox,moderate_candidate,false,false,false,false,true,false,false +azure_network_watcher_nsg,moderate_candidate_network_dest,false,false,true,false,false,false,false +barracuda,moderate_candidate_network_dest,false,false,true,false,false,false,false +beelzebub,moderate_candidate_network_dest,false,false,true,false,false,false,false +bluecoat,moderate_candidate_network_dest,false,false,true,false,false,false,true +checkpoint_harmony_endpoint,moderate_candidate_network_dest,false,false,true,false,false,false,true +cisco_aironet,moderate_candidate_network_dest,false,false,true,false,false,false,false +cisco_meraki,moderate_candidate_network_dest,false,false,true,false,false,false,false +cisco_secure_email_gateway,moderate_candidate_network_dest,false,false,true,false,false,false,false +cisco_secure_endpoint,moderate_candidate_network_dest,false,false,true,false,false,false,false +cloudflare,moderate_candidate_network_dest,false,false,true,false,false,false,false +cybereason,moderate_candidate_network_dest,false,false,true,false,false,false,false +cylance,moderate_candidate_network_dest,false,false,true,false,false,false,true +extrahop,moderate_candidate_network_dest,false,false,true,false,false,false,true +forcepoint_web,moderate_candidate_network_dest,false,false,true,false,false,false,false +fortinet_forticlient,moderate_candidate_network_dest,false,false,true,false,false,false,true +fortinet_fortimanager,moderate_candidate_network_dest,false,false,true,false,false,false,false +fortinet_fortiproxy,moderate_candidate_network_dest,false,false,true,false,false,false,false +gigamon,moderate_candidate_network_dest,false,false,true,false,false,false,false 
+imperva_cloud_waf,moderate_candidate_network_dest,false,false,true,false,false,false,false +iptables,moderate_candidate_network_dest,false,false,true,false,false,false,false +juniper_junos,moderate_candidate_network_dest,false,false,true,false,false,false,true +juniper_netscreen,moderate_candidate_network_dest,false,false,true,false,false,false,true +macos,moderate_candidate_network_dest,false,false,true,false,false,false,false +menlo,moderate_candidate_network_dest,false,false,true,false,false,false,false +microsoft_dnsserver,moderate_candidate_network_dest,false,false,true,false,false,false,true +mimecast,moderate_candidate_network_dest,false,false,true,false,false,false,true +modsecurity,moderate_candidate_network_dest,false,false,true,false,false,false,false +netflow,moderate_candidate_network_dest,false,false,true,false,false,false,false +netscout,moderate_candidate_network_dest,false,false,true,false,false,false,true +network_traffic,moderate_candidate_network_dest,false,false,true,false,false,false,false +panw_cortex_xdr,moderate_candidate_network_dest,false,false,true,false,false,false,false +proofpoint_365totalprotection,moderate_candidate_network_dest,false,false,true,false,false,false,false +proofpoint_essentials,moderate_candidate_network_dest,false,false,true,false,false,false,false +proofpoint_tap,moderate_candidate_network_dest,false,false,true,false,false,false,false +radware,moderate_candidate_network_dest,false,false,true,false,false,false,true +snort,moderate_candidate_network_dest,false,false,true,false,false,false,false +tenable_ot_security,moderate_candidate_network_dest,false,false,true,false,false,false,false +zeek,moderate_candidate_network_dest,false,false,true,false,false,false,true +admin_by_request_epm,none,false,false,false,false,false,false,false +akamai,none,false,false,false,false,false,false,false +armis,none,false,false,false,false,false,false,false +auth0,none,false,false,false,false,false,false,false 
+authentik,none,false,false,false,false,false,false,false +aws_bedrock,none,false,false,false,false,false,false,false +aws_securityhub,none,false,false,false,false,false,false,false +aws_waf_otel,none,false,false,false,false,false,false,false +azure_ai_foundry,none,false,false,false,false,false,false,false +azure_app_service,none,false,false,false,false,false,false,false +azure_frontdoor,none,false,false,false,false,false,false,false +azure_openai,none,false,false,false,false,false,false,false +beaconing,none,false,false,false,false,false,false,false +beyondinsight_password_safe,none,false,false,false,false,false,false,false +bitsight,none,false,false,false,false,false,false,false +blacklens,none,false,false,false,false,false,false,false +cisa_kevs,none,false,false,false,false,false,false,false +cisco_meraki_metrics,none,false,false,false,false,false,false,false +cisco_nexus,none,false,false,false,false,false,false,false +citrix_waf,none,false,false,false,false,false,false,false +cloud_asset_inventory,none,false,false,false,false,false,false,false +cloud_defend,none,false,false,false,false,false,false,false +cloud_security_posture,none,false,false,false,false,false,false,false +corelight,none,false,false,false,false,false,false,false +ded,none,false,false,false,false,false,false,false +dga,none,false,false,false,false,false,false,false +digital_guardian,none,false,false,false,false,false,false,false +elastic_security,none,false,false,false,false,false,false,false +entityanalytics_ad,none,false,false,false,false,false,false,false +entityanalytics_entra_id,none,false,false,false,false,false,false,false +entityanalytics_okta,none,false,false,false,false,false,false,false +entro,none,false,false,false,false,false,false,false +first_epss,none,false,false,false,false,false,false,false +forescout,none,false,false,false,false,false,false,false +gcp_audit_otel,none,false,false,false,false,false,false,false +hashicorp_vault,none,false,false,false,false,false,false,false 
+hta,none,false,false,false,false,false,false,false +ibm_qradar,none,false,false,false,false,false,false,false +infoblox_nios,none,false,false,false,false,false,false,false +ironscales,none,false,false,false,false,false,false,false +jupiter_one,none,false,false,false,false,false,false,false +keeper_security_siem_integration,none,false,false,false,false,false,false,false +lastpass,none,false,false,false,false,false,false,false +lmd,none,false,false,false,false,false,false,false +lyve_cloud,none,false,false,false,false,false,false,false +microsoft_defender_endpoint,none,false,false,false,false,false,false,false +microsoft_dhcp,none,false,false,false,false,false,false,false +neon_cyber,none,false,false,false,false,false,false,false +netbox,none,false,false,false,false,false,false,false +nextron_thor,none,false,false,false,false,false,false,false +o365_metrics,none,false,false,false,false,false,false,false +oracle,none,false,false,false,false,false,false,false +osquery,none,false,false,false,false,false,false,false +osquery_manager,none,false,false,false,false,false,false,false +pad,none,false,false,false,false,false,false,false +panw_metrics,none,false,false,false,false,false,false,false +ping_one,none,false,false,false,false,false,false,false +problemchild,none,false,false,false,false,false,false,false +proxysg,none,false,false,false,false,false,false,false +pulse_connect_secure,none,false,false,false,false,false,false,false +qualys_gav,none,false,false,false,false,false,false,false +qualys_vmdr,none,false,false,false,false,false,false,false +qualys_was,none,false,false,false,false,false,false,false +rapid7_insightvm,none,false,false,false,false,false,false,false +security_ai_prompts,none,false,false,false,false,false,false,false +security_detection_engine,none,false,false,false,false,false,false,false +servicenow,none,false,false,false,false,false,false,false +tenable_sc,none,false,false,false,false,false,false,false 
+tetragon,none,false,false,false,false,false,false,false +threat_map,none,false,false,false,false,false,false,false +thycotic_ss,none,false,false,false,false,false,false,false +ti_abusech,none,false,false,false,false,false,false,false +ti_anomali,none,false,false,false,false,false,false,false +ti_anyrun,none,false,false,false,false,false,false,false +ti_cif3,none,false,false,false,false,false,false,false +ti_custom,none,false,false,false,false,false,false,false +ti_cybersixgill,none,false,false,false,false,false,false,false +ti_domaintools,none,false,false,false,false,false,false,false +ti_eclecticiq,none,false,false,false,false,false,false,false +ti_eset,none,false,false,false,false,false,false,false +ti_flashpoint,none,false,false,false,false,false,false,false +ti_google_threat_intelligence,none,false,false,false,false,false,false,false +ti_greynoise,none,false,false,false,false,false,false,false +ti_maltiverse,none,false,false,false,false,false,false,false +ti_mandiant_advantage,none,false,false,false,false,false,false,false +ti_misp,none,false,false,false,false,false,false,false +ti_rapid7_threat_command,none,false,false,false,false,false,false,false +ti_strider,none,false,false,false,false,false,false,false +ti_util,none,false,false,false,false,false,false,false +tines,none,false,false,false,false,false,false,false +unifiedlogs,none,false,false,false,false,false,false,false +varonis,none,false,false,false,false,false,false,false +windows_etw,none,false,false,false,false,false,false,false +zeronetworks,none,false,false,false,false,false,false,false +abnormal_security,strong_candidate,false,true,false,false,false,false,true +arista_ngfw,strong_candidate,false,true,true,false,false,false,false +azure,strong_candidate,false,true,true,true,true,true,true +barracuda_cloudgen_firewall,strong_candidate,false,true,true,false,false,true,true +beyondtrust_pra,strong_candidate,false,true,true,true,false,false,false 
+bitwarden,strong_candidate,false,false,false,true,false,false,false +carbon_black_cloud,strong_candidate,false,true,true,false,false,true,false +cef,strong_candidate,false,true,true,true,false,true,false +checkpoint,strong_candidate,false,true,true,true,false,true,true +checkpoint_email,strong_candidate,false,true,false,true,false,false,false +cisco_asa,strong_candidate,false,true,true,true,false,true,false +cisco_ftd,strong_candidate,false,true,true,true,false,false,false +cisco_ios,strong_candidate,false,true,true,true,false,false,false +cisco_umbrella,strong_candidate,false,true,true,false,false,false,false +claroty_ctd,strong_candidate,false,true,true,false,true,false,false +claroty_xdome,strong_candidate,false,false,true,true,false,false,false +cloudflare_logpush,strong_candidate,false,true,true,false,false,false,false +cyberark_pta,strong_candidate,false,true,false,true,false,false,false +f5_bigip,strong_candidate,false,true,true,true,false,false,false +falco,strong_candidate,false,true,true,false,false,false,false +fireeye,strong_candidate,false,true,true,false,false,false,false +fortinet_fortigate,strong_candidate,false,true,true,true,false,true,true +fortinet_fortimail,strong_candidate,false,false,true,true,false,false,true +google_scc,strong_candidate,false,false,true,true,false,true,true +google_secops,strong_candidate,false,true,true,true,false,true,false +imperva,strong_candidate,false,true,true,false,false,false,false +infoblox_threat_defense,strong_candidate,false,false,true,true,false,false,false +jamf_protect,strong_candidate,false,true,true,false,false,false,true +jumpcloud,strong_candidate,false,true,true,true,false,false,false +juniper_srx,strong_candidate,false,true,true,true,false,false,true +m365_defender,strong_candidate,false,true,true,true,false,true,true +microsoft_exchange_online_message_trace,strong_candidate,false,true,true,true,false,false,false +microsoft_intune,strong_candidate,false,true,false,false,false,true,true 
+nozomi_networks,strong_candidate,false,true,true,false,false,false,false +opencanary,strong_candidate,false,true,true,false,false,false,false +panw,strong_candidate,false,true,true,true,false,false,true +pfsense,strong_candidate,false,true,true,false,false,false,false +ping_federate,strong_candidate,false,true,false,false,false,false,false +prisma_access,strong_candidate,false,true,true,true,false,false,true +proofpoint_on_demand,strong_candidate,false,false,false,true,false,false,false +sentinel_one_cloud_funnel,strong_candidate,false,true,true,false,false,false,false +sonicwall_firewall,strong_candidate,false,true,true,false,false,false,false +sophos,strong_candidate,false,true,true,true,false,true,false +sophos_central,strong_candidate,false,false,true,true,false,false,true +splunk,strong_candidate,false,false,true,true,false,false,false +spycloud,strong_candidate,false,true,false,false,false,true,false +squid,strong_candidate,false,false,true,true,false,false,false +stormshield,strong_candidate,false,true,true,false,false,false,false +sublime_security,strong_candidate,false,true,false,true,false,false,true +suricata,strong_candidate,false,true,true,false,false,true,true +swimlane,strong_candidate,false,true,false,true,false,true,false +symantec_endpoint,strong_candidate,false,true,true,false,false,false,false +sysmon_linux,strong_candidate,false,true,true,false,false,false,true +teleport,strong_candidate,false,true,true,false,false,true,true +trellix_epo_cloud,strong_candidate,false,true,true,true,false,true,false +trendmicro,strong_candidate,false,true,true,true,false,true,true +tychon,strong_candidate,false,true,true,false,false,true,false +watchguard_firebox,strong_candidate,false,true,true,true,false,true,false +zscaler_zia,strong_candidate,false,true,true,false,false,false,false 
diff --git a/dev/target-fields-audit/out/security/target_enhancement_report.md b/dev/target-fields-audit/out/security/target_enhancement_report.md new file mode 100644 index 00000000000..3c51b23a32c --- /dev/null +++ b/dev/target-fields-audit/out/security/target_enhancement_report.md 
@@ -0,0 +1,72 @@ +# ECS target semantics — enhancement opportunity report + +- **git HEAD:** `d43ff234d21161ef4cbbc25d56415e4aa72680d9` +- **generated (UTC):** 2026-05-20T08:56:50Z +- **packages scanned:** 273 + +- **filter:** Only integrations whose root `packages//manifest.yml` includes the `security` category. + +- **audit CSV used:** `dev/target-fields-audit/out/security/target_fields_audit.csv` (Tier A ECS `*.target.*` packages: 28) + +## What this report is (and is not) + +**Is:** A static, heuristic pass over this repository only — ingest pipeline YAML, +pipeline `*expected.json` fixtures (truncated for very large files), and `docs/**/*.md`. +Signals are meant to suggest where vendor logs *might* describe a second party +(user/host/service/resource) that could be modeled as ECS **target** fields or +**`entity.target.*`** when classification is unclear. + +**Is not:** Log volume, production field population, or vendor API guarantees. +Each row still needs product/security review before changing mappings. + +## Method — signal definitions + +| Signal | Meaning | +| --- | --- | +| `pipeline_dest_identity` | Pipeline references `destination.user`, `destination.host`, `destination.domain`, etc. | +| `pipeline_dest_network` | Pipeline references `destination.ip`, `destination.address`, ports/geo/bytes (common in flow logs). | +| `pipeline_actor` | `principal`, `victim`, `impersonat`, `protoPayload.authentication`, `source.user`, etc. (not `related.*`) | +| `pipeline_entity_other` | `entity.id` / `entity.name` / `entity.type` (not already `entity.target.*`). | +| `fixture_strong` | Pipeline expected JSON contains destination identity, ECS `*.target.*`, or JSON keys containing `target`. | +| `docs_lexicon` | Docs mention “target user/host”, “affected user”, “principal”, “victim”, etc. 
| + +## Priority labels (per package) + +| Label | Rule | +| --- | --- | +| `already_maps_ecs_target` | Listed with Tier A hits for `host|user|service|entity.target.*` in the audit CSV. | +| `strong_candidate` | Not already mapped **and** (`pipeline_dest_identity` **or** `pipeline_actor`). | +| `moderate_candidate` | Not stronger **and** (`fixture_strong` **or** `pipeline_entity_other`). | +| `moderate_candidate_network_dest` | Not stronger **and** only `pipeline_dest_network` among pipeline/fixture signals. | +| `exploratory_docs` | Not above **and** `docs_lexicon` only. | +| `none` | No heuristic signal. | + +## Counts + +| Priority | Packages | Share of scanned | +| --- | ---: | ---: | +| Already maps ECS target (Tier A audit) | 28 | 10.3% | +| **Strong enhancement candidate** | 59 | 21.6% | +| Moderate (fixtures / generic entity) | 48 | 17.6% | +| Moderate (network `destination.*` only) | 38 | 13.9% | +| Exploratory (documentation phrasing only) | 6 | 2.2% | +| No signal | 94 | 34.4% | + +### Interpretation + +- **Already using ECS target fields in pipelines (audit):** 28 / 273 packages. +- **Packages we would revisit first for new target mappings:** **59** strong candidates. +- **Broader backlog (includes weaker / noisier signals):** **151** packages (strong + moderate + moderate_network_only + exploratory), i.e. anything not `none` and not already mapped. +- If you only trust identity/actor-style pipeline evidence, focus on the **59** strong bucket first, then selectively pull from **48** moderate cases after reviewing fixtures. + +**Note:** `strong_candidate` is an **upper bound**. Some regex matches (e.g. `destination.host` in pure flow telemetry) reflect common ECS patterns without always implying a distinct “target” entity for SIEM. Use [`target_enhancement_packages.csv`](target_enhancement_packages.csv) to triage by toggling signals off in a spreadsheet filter. 
+ +## Machine-readable output + +- Per-package flags: [`target_enhancement_packages.csv`](target_enhancement_packages.csv) + +## Follow-ups (not automated here) + +- Vendor-specific field dictionaries (OCSF, ASIM, raw vendor `target*`) → ECS mapping tables. +- Runtime sampling / simulate ingest to confirm population rates. +- When entity type is unknown, map remaining attributes to **`entity.target.*`** per your placeholder rule. diff --git a/dev/target-fields-audit/out/security/target_fields_audit.csv b/dev/target-fields-audit/out/security/target_fields_audit.csv new file mode 100644 index 00000000000..4b24f72864f --- /dev/null +++ b/dev/target-fields-audit/out/security/target_fields_audit.csv 
@@ -0,0 +1,1794 @@ +tier,package,data_stream,file,line,matched_prefix,snippet +A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,159,user.target.,field: user.target.domain +A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,164,user.target.,field: user.target.email +A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,175,user.target.,field: user.target.full_name +A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,191,user.target.,field: user.target.group.id +A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,201,user.target.,field: user.target.group.name +A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,206,user.target.,field: user.target.id +A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,217,user.target.,field: user.target.name +A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,6,user.target.,field: user.target.domain +A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,11,user.target.,field: user.target.email +A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,22,user.target.,field: user.target.full_name 
+A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,38,user.target.,field: user.target.group.id +A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,48,user.target.,field: user.target.group.name +A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,53,user.target.,field: user.target.id +A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,64,user.target.,field: user.target.name +C,amazon_security_lake,,packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d.json,7,user.target.,"""panelsJSON"": ""{\""7074e9a5-6114-4da7-bcda-8104441487c1\"":{\""type\"":\""optionsListControl\"",\""order\"":0,\""grow\"":true,\""width\"":\""medium\"",\""explicitInput\"":{\""id\"":\""7074e9a5-6114-4da7-bcda-8104441487c1\"",\""fieldName\"":\""user.target.name\..." 
+C,amazon_security_lake,,packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d.json,2126,user.target.,"""sourceField"": ""user.target.name""" +C,amazon_security_lake,,packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112.json,2734,user.target.,"""sourceField"": ""user.target.name""" +A,atlassian_bitbucket,audit,packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,381,user.target.,"ctx.user.target.put(""group"", map);" +A,atlassian_bitbucket,audit,packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,391,user.target.,"ctx.user.target.group.put(""name"", ctx.bitbucket?.audit?.affected_objects[j]?.name);" +A,atlassian_bitbucket,audit,packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,392,user.target.,"ctx.user.target.group.put(""id"", ctx.bitbucket?.audit?.affected_objects[j]?.id);" +A,atlassian_bitbucket,audit,packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,397,user.target.,"ctx.user.target.put(""name"", ctx.bitbucket?.audit?.affected_objects[j]?.name);" +A,atlassian_bitbucket,audit,packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,398,user.target.,"ctx.user.target.put(""id"", ctx.bitbucket?.audit?.affected_objects[j]?.id);" +A,atlassian_bitbucket,audit,packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,408,user.target.,"ctx.user.target.put(""name"", ctx.bitbucket?.audit?.changed_values[j]?.from);" +A,atlassian_bitbucket,audit,packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,420,user.target.,value: '{{{user.target.name}}}' +A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,320,user.target.,"ctx.user.target.put(""group"", map);" 
+A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,339,user.target.,"ctx.user.target.group.put(""name"", group_name);" +A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,340,user.target.,"ctx.user.target.group.put(""id"", group_id);" +A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,345,user.target.,"ctx.user.target.put(""full_name"", ctx.confluence?.audit?.affected_objects[j]?.name);" +A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,346,user.target.,"ctx.user.target.put(""id"", ctx.confluence?.audit?.affected_objects[j]?.id);" +A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,350,user.target.,"ctx.user.target.put(""name"", m.group(1));" +A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,355,user.target.,"ctx.user.target.put(""name"", ctx.confluence?.audit?.affected_objects[j]?.name);" +A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,356,user.target.,"ctx.user.target.put(""id"", ctx.confluence?.audit?.affected_objects[j]?.id);" +A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,376,user.target.,"ctx.user.target.put(""name"", ctx.confluence?.audit?.changed_values[j]?.from);" +A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,382,user.target.,"ctx.user.target.put(""name"", ctx.confluence?.audit?.changed_values[j]?.to);" 
+A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,384,user.target.,"ctx.user.target.put(""name"", ctx.confluence?.audit?.changed_values[j]?.from);" +A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,389,user.target.,"ctx.user.target.put(""email"", ctx.confluence?.audit?.changed_values[j]?.to);" +A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,391,user.target.,"ctx.user.target.put(""email"", ctx.confluence?.audit?.changed_values[j]?.from);" +A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,396,user.target.,"ctx.user.target.put(""full_name"", ctx.confluence?.audit?.changed_values[j]?.to);" +A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,398,user.target.,"ctx.user.target.put(""full_name"", ctx.confluence?.audit?.changed_values[j]?.from);" +A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,411,user.target.,value: '{{{user.target.name}}}' +A,atlassian_jira,audit,packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,360,user.target.,"ctx.user.target.put(""group"", map);" +A,atlassian_jira,audit,packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,369,user.target.,"ctx.user.target.group.put(""name"", ctx.jira?.audit?.affected_objects[j]?.name);" +A,atlassian_jira,audit,packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,370,user.target.,"ctx.user.target.group.put(""id"", ctx.jira?.audit?.affected_objects[j]?.id);" +A,atlassian_jira,audit,packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,375,user.target.,"ctx.user.target.put(""name"", 
ctx.jira?.audit?.affected_objects[j]?.name);" +A,atlassian_jira,audit,packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,376,user.target.,"ctx.user.target.put(""id"", ctx.jira?.audit?.affected_objects[j]?.id);" +A,atlassian_jira,audit,packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,386,user.target.,"ctx.user.target.put(""name"", ctx.jira?.audit?.changed_values[j]?.from);" +A,atlassian_jira,audit,packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,393,user.target.,"ctx.user.target.put(""name"", ctx.jira?.audit?.changed_values[j]?.from);" +A,atlassian_jira,audit,packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,399,user.target.,"ctx.user.target.put(""email"", ctx.jira?.audit?.changed_values[j]?.from);" +A,atlassian_jira,audit,packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,405,user.target.,"ctx.user.target.put(""full_name"", ctx.jira?.audit?.changed_values[j]?.from);" +A,atlassian_jira,audit,packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,418,user.target.,value: '{{{user.target.name}}}' +B,auditd,log,packages/auditd/data_stream/log/fields/ecs.yml,84,user.target.,name: user.target.group.id +B,auditd,log,packages/auditd/data_stream/log/fields/ecs.yml,86,user.target.,name: user.target.group.name +B,auditd,log,packages/auditd/data_stream/log/fields/ecs.yml,88,user.target.,name: user.target.id +B,auditd,log,packages/auditd/data_stream/log/fields/ecs.yml,90,user.target.,name: user.target.name +B,auditd_manager,auditd,packages/auditd_manager/data_stream/auditd/fields/ecs.yml,73,user.target.,- name: user.target.id +B,auditd_manager,auditd,packages/auditd_manager/data_stream/auditd/fields/ecs.yml,75,user.target.,- name: user.target.name +B,auditd_manager,auditd,packages/auditd_manager/data_stream/auditd/fields/ecs.yml,81,user.target.,- name: user.target.group.id 
+B,auditd_manager,auditd,packages/auditd_manager/data_stream/auditd/fields/ecs.yml,83,user.target.,- name: user.target.group.name +A,aws,cloudtrail,packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml,934,user.target.,"field(""user.target.entity.id"").set(userTargets);" +A,aws,cloudtrail,packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml,937,host.target.,"field(""host.target.entity.id"").set(hostTargets);" +A,aws,cloudtrail,packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml,941,service.target.,"field(""service.target.entity.id"").set(serviceTargets);" +A,aws,cloudtrail,packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml,944,entity.target.,"field(""entity.target.id"").set(genericTargets);" +A,aws,cloudtrail,packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml,1934,user.target.,field: user.target.id +A,aws,cloudtrail,packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml,1946,user.target.,field: user.target.name +B,aws,cloudtrail,packages/aws/data_stream/cloudtrail/fields/fields.yml,205,entity.target.,"description: ""[Deprecated] Legacy field containing all target entity identifiers. For type-specific entities, use user.target.entity.id, service.target.entity.id, host.target.entity.id, or entity.target.id instead.""" +B,aws,cloudtrail,packages/aws/data_stream/cloudtrail/fields/fields.yml,205,host.target.,"description: ""[Deprecated] Legacy field containing all target entity identifiers. For type-specific entities, use user.target.entity.id, service.target.entity.id, host.target.entity.id, or entity.target.id instead.""" +B,aws,cloudtrail,packages/aws/data_stream/cloudtrail/fields/fields.yml,205,service.target.,"description: ""[Deprecated] Legacy field containing all target entity identifiers. 
For type-specific entities, use user.target.entity.id, service.target.entity.id, host.target.entity.id, or entity.target.id instead.""" +B,aws,cloudtrail,packages/aws/data_stream/cloudtrail/fields/fields.yml,205,user.target.,"description: ""[Deprecated] Legacy field containing all target entity identifiers. For type-specific entities, use user.target.entity.id, service.target.entity.id, host.target.entity.id, or entity.target.id instead.""" +A,box_events,events,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,643,user.target.,field: user.target.full_name +A,box_events,events,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,648,user.target.,field: user.target.email +A,box_events,events,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,658,user.target.,field: user.target.name +A,box_events,events,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,662,user.target.,field: user.target.domain +A,box_events,events,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,667,user.target.,target_field: user.target.id +A,box_events,events,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,672,user.target.,value: '{{{user.target.email}}}' +A,box_events,events,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,673,user.target.,if: ctx.user?.target?.email != null && ctx.user.target.email != '' +A,box_events,events,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,677,user.target.,value: '{{{user.target.full_name}}}' +A,box_events,events,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,678,user.target.,if: ctx.user?.target?.full_name != null && ctx.user.target.full_name != '' +A,canva,audit,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,938,user.target.,field: user.target.full_name 
+A,canva,audit,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,945,user.target.,value: '{{{user.target.full_name}}}' +A,canva,audit,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,954,user.target.,field: user.target.email +A,canva,audit,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,961,user.target.,value: '{{{user.target.email}}}' +A,canva,audit,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,970,user.target.,field: user.target.id +A,canva,audit,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,977,user.target.,value: '{{{user.target.id}}}' +C,canva,,packages/canva/kibana/dashboard/canva-062b09b1-072e-4582-bc50-61cfb47f4dc1.json,282,user.target.,"""sourceField"": ""user.target.id""" +A,cisco_duo,admin,packages/cisco_duo/data_stream/admin/elasticsearch/ingest_pipeline/default.yml,147,user.target.,field: user.target.name +A,crowdstrike,fdr,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1635,user.target.,field: user.target.name +A,crowdstrike,fdr,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1663,user.target.,field: user.target.name +A,crowdstrike,fdr,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1668,user.target.,if: (ctx.user?.target?.name == null || ctx.user.target.name == '') && ctx.event?.action == 'SudoCommandAttempt' +A,crowdstrike,fdr,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1669,user.target.,field: user.target.name +A,crowdstrike,fdr,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1674,user.target.,field: user.target.id +A,crowdstrike,fdr,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1680,user.target.,field: user.target.id 
+A,crowdstrike,fdr,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1707,user.target.,value: '{{{user.target.name}}}' +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,545,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,561,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,577,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,592,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,637,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,654,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,669,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,684,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,695,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,706,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,717,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,728,user.target.,- set: user.target.name +A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,739,user.target.,- set: user.target.name 
+A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,1114,user.target.,value: '{{{user.target.name}}}' +B,fim,event,packages/fim/data_stream/event/fields/ecs.yml,139,user.target.,name: user.target.group.id +B,fim,event,packages/fim/data_stream/event/fields/ecs.yml,141,user.target.,name: user.target.group.name +B,fim,event,packages/fim/data_stream/event/fields/ecs.yml,143,user.target.,name: user.target.id +B,fim,event,packages/fim/data_stream/event/fields/ecs.yml,145,user.target.,name: user.target.name +A,gcp,audit,packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,308,host.target.,"addNestedValue(ctx, ""host.target.entity.id"", target);" +A,gcp,audit,packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,313,service.target.,"addNestedValue(ctx, ""service.target.entity.id"", target);" +A,gcp,audit,packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,319,user.target.,"addNestedValue(ctx, ""user.target.entity.id"", target);" +A,gcp,audit,packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,343,service.target.,"addNestedValue(ctx, ""service.target.entity.id"", target);" +A,gcp,audit,packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,347,entity.target.,"addNestedValue(ctx, ""entity.target.id"", target);" +B,gcp,audit,packages/gcp/data_stream/audit/fields/base-fields.yml,38,user.target.,"Use type-specific fields instead: user.target.entity.id for IAM principals," +B,gcp,audit,packages/gcp/data_stream/audit/fields/base-fields.yml,39,host.target.,"service.target.entity.id for GCP service resources, host.target.entity.id" +B,gcp,audit,packages/gcp/data_stream/audit/fields/base-fields.yml,39,service.target.,"service.target.entity.id for GCP service resources, host.target.entity.id" +B,gcp,audit,packages/gcp/data_stream/audit/fields/base-fields.yml,40,entity.target.,"for compute instances, or entity.target.id for other types." 
+A,github,audit,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,94,user.target.,target_field: user.target.name +A,github,audit,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,98,user.target.,"value: ""{{{user.target.name}}}""" +A,github,audit,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,123,user.target.,field: user.target.group.name +A,github,audit,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,133,user.target.,field: user.target.group.name +A,github,audit,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,139,user.target.,target_field: user.target.group.name +A,github,audit,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,143,user.target.,target_field: user.target.group.name +A,github,audit,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,258,user.target.,field: user.target.id +A,github,audit,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,268,user.target.,field: user.target.id +C,github,,packages/github/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json,37,user.target.,"""fieldName"": ""user.target.name""," +C,github,,packages/github/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json,433,user.target.,"""field"": ""user.target.name""" +C,github,,packages/github/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json,439,user.target.,"""key"": ""user.target.name""," +C,github,,packages/github/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json,621,user.target.,"""field"": ""user.target.name""" +C,github,,packages/github/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json,627,user.target.,"""key"": ""user.target.name""," +C,github,,packages/github/kibana/dashboard/github-dcee84c0-2059-11ec-8b10-11a4c5e322a0.json,37,user.target.,"""fieldName"": ""user.target.name""," 
+C,github,,packages/github/kibana/search/github-173f1050-20ae-11ec-8b10-11a4c5e322a0.json,5,user.target.,"""user.target.name""," +C,github,,packages/github/kibana/search/github-173f1050-20ae-11ec-8b10-11a4c5e322a0.json,40,user.target.,"""field"": ""user.target.name""" +C,github,,packages/github/kibana/search/github-173f1050-20ae-11ec-8b10-11a4c5e322a0.json,46,user.target.,"""key"": ""user.target.name""," +A,google_workspace,admin,packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml,1306,user.target.,ctx.user.target.name = splitmail[0]; +A,google_workspace,admin,packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml,1307,user.target.,ctx.user.target.domain = splitmail[1]; +A,google_workspace,admin,packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml,1308,user.target.,ctx.user.target.email = ctx.google_workspace.admin.user.email; +A,google_workspace,admin,packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml,1310,user.target.,field: user.target.group.name +A,google_workspace,admin,packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml,1314,user.target.,field: user.target.group.domain +A,google_workspace,admin,packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml,1357,user.target.,"value: ""{{{user.target.name}}}""" +A,google_workspace,calendar,packages/google_workspace/data_stream/calendar/elasticsearch/ingest_pipeline/default.yml,410,user.target.,field: user.target.email +A,google_workspace,calendar,packages/google_workspace/data_stream/calendar/elasticsearch/ingest_pipeline/default.yml,540,user.target.,field: user.target.email +A,google_workspace,chat,packages/google_workspace/data_stream/chat/elasticsearch/ingest_pipeline/default.yml,378,user.target.,field: user.target.email 
+A,google_workspace,data_studio,packages/google_workspace/data_stream/data_studio/elasticsearch/ingest_pipeline/default.yml,314,user.target.,field: user.target.domain +A,google_workspace,data_studio,packages/google_workspace/data_stream/data_studio/elasticsearch/ingest_pipeline/default.yml,319,user.target.,field: user.target.email +A,google_workspace,data_studio,packages/google_workspace/data_stream/data_studio/elasticsearch/ingest_pipeline/default.yml,332,user.target.,pattern: '%{user.target.name}@%{user.target.domain}' +A,google_workspace,groups,packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml,296,user.target.,ctx.user.target.name = splitmail[0]; +A,google_workspace,groups,packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml,297,user.target.,ctx.user.target.domain = splitmail[1]; +A,google_workspace,groups,packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml,298,user.target.,ctx.user.target.email = ctx.google_workspace.groups.member.email; +A,google_workspace,groups,packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml,300,user.target.,field: user.target.group.name +A,google_workspace,groups,packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml,304,user.target.,field: user.target.group.domain +A,google_workspace,login,packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml,284,user.target.,ctx.user.target.name = splitmail[0]; +A,google_workspace,login,packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml,285,user.target.,ctx.user.target.domain = splitmail[1]; +A,google_workspace,meet,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,948,user.target.,field: user.target.email 
+A,google_workspace,meet,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,953,user.target.,field: user.target.name +A,google_workspace,meet,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,955,user.target.,copy_from: user.target.email +A,google_workspace,meet,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,958,user.target.,field: user.target.email +A,google_workspace,meet,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,960,user.target.,if: ctx.user?.target?.email != null && ctx.user.target.email.contains('@') +A,google_workspace,meet,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,961,user.target.,pattern: '%{}@%{user.target.domain}' +A,google_workspace,meet,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,995,user.target.,value: '{{{user.target.email}}}' +A,google_workspace,vault,packages/google_workspace/data_stream/vault/elasticsearch/ingest_pipeline/default.yml,460,user.target.,field: user.target.email +B,hid_bravura_monitor,winlog,packages/hid_bravura_monitor/data_stream/winlog/fields/ecs.yml,86,user.target.,name: user.target.group.domain +B,hid_bravura_monitor,winlog,packages/hid_bravura_monitor/data_stream/winlog/fields/ecs.yml,88,user.target.,name: user.target.group.id +B,hid_bravura_monitor,winlog,packages/hid_bravura_monitor/data_stream/winlog/fields/ecs.yml,90,user.target.,name: user.target.group.name +B,hid_bravura_monitor,winlog,packages/hid_bravura_monitor/data_stream/winlog/fields/ecs.yml,92,user.target.,name: user.target.name +A,hpe_aruba_cx,log,packages/hpe_aruba_cx/data_stream/log/elasticsearch/ingest_pipeline/default.yml,3030,service.target.,"- ""^(Starting update|Update successful) for %{DATA:aruba.system.devicespec} from version %{DATA:service.version} to version %{GREEDYDATA:service.target.version}""" 
+B,hpe_aruba_cx,log,packages/hpe_aruba_cx/data_stream/log/fields/ecs.yml,112,service.target.,name: service.target.version +A,keycloak,log,packages/keycloak/data_stream/log/elasticsearch/ingest_pipeline/events.yml,159,user.target.,- 'users/%{UUID:user.target.id}' +A,keycloak,log,packages/keycloak/data_stream/log/elasticsearch/ingest_pipeline/events.yml,231,user.target.,"value: ""{{{user.target.id}}}""" +A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,127,user.target.,target_field: user.target.id +A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,131,user.target.,target_field: user.target.name +A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,135,user.target.,target_field: user.target.roles +A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,138,user.target.,field: user.target.roles +A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,143,user.target.,target_field: user.target.id +A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,157,user.target.,target_field: user.target.id +A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,347,user.target.,if (ctx.user.target.group == null) { +A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,349,user.target.,"ctx.user.target.put(""group"", map);" +A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,352,user.target.,if(ctx.user.target.name != ctx.mattermost?.audit?.patch?.name) { +A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,359,user.target.,"ctx.user.target.group.put(""name"", ctx.mattermost?.audit?.team?.name);" 
+A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,360,user.target.,"ctx.user.target.group.put(""id"", ctx.mattermost?.audit?.team?.id);" +A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,379,user.target.,value: '{{{user.target.id}}}' +A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,383,user.target.,field: user.target.id +C,mattermost,,packages/mattermost/kibana/dashboard/mattermost-55a753ac-7944-4a4e-ad5b-a7418b1a1543.json,652,user.target.,"""sourceField"": ""user.target.name""" +A,microsoft_sqlserver,audit,packages/microsoft_sqlserver/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1227,user.target.,field: user.target.name +A,microsoft_sqlserver,audit,packages/microsoft_sqlserver/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1230,user.target.,field: user.target.id +A,mysql_enterprise,audit,packages/mysql_enterprise/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,153,user.target.,- '(?i)(?:CREATE|DROP)\s+USER(?:\s+IF\s+(?:NOT\s+)?EXISTS)?\s+(?:%{START_QUOTE}%{QUOTED:user.target.name}%{END_QUOTE}|%{UNQUOTED:user.target.name})(?:@(?:%{START_QUOTE}%{QUOTED:user.target.domain}%{END_QUOTE}|%{UNQUOTED:user.target.domai... 
+A,mysql_enterprise,audit,packages/mysql_enterprise/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,215,user.target.,"value: ""{{{user.target.name}}}""" +B,mysql_enterprise,audit,packages/mysql_enterprise/data_stream/audit/fields/ecs.yml,42,user.target.,name: user.target.name +B,mysql_enterprise,audit,packages/mysql_enterprise/data_stream/audit/fields/ecs.yml,44,user.target.,name: user.target.domain +A,netskope,alerts_events_v2,packages/netskope/data_stream/alerts_events_v2/elasticsearch/ingest_pipeline/pipeline_events_v2.yml,882,user.target.,field: user.target.email +A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,682,user.target.,field: user.target.id +A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1290,user.target.,target_field: user.target.id +A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1413,user.target.,"String[] splitmail = ctx.user.target.id.splitOnToken(""@"");" +A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1417,user.target.,ctx.user.target.email = ctx.user.target.id; +A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1418,user.target.,ctx.user.target.domain = splitmail[1]; +A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1419,user.target.,ctx.user.target.name = splitmail[0]; +A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1475,user.target.,"value: ""{{{user.target.name}}}""" +A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,2242,user.target.,"value: ""{{{user.target.id}}}""" +A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,2248,user.target.,"value: ""{{{user.target.email}}}""" +A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,2280,user.target.,"value: 
""{{{user.target.domain}}}""" +A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,2282,user.target.,if: ctx.user?.target?.domain != null && ctx.user.target.domain != ctx.user?.domain +A,okta,system,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,539,user.target.,field: user.target.full_name +A,okta,system,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,543,user.target.,field: user.target.id +A,okta,system,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,547,user.target.,field: user.target.email +A,okta,system,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,551,user.target.,field: user.target.group.name +A,okta,system,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,555,user.target.,field: user.target.group.id +A,okta,system,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,595,user.target.,"value: ""{{{user.target.full_name}}}""" +B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,273,host.target.,name: host.target.disk.read.bytes +B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,275,host.target.,name: host.target.disk.write.bytes +B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,277,host.target.,name: host.target.entity.last_seen_timestamp +B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,279,host.target.,name: host.target.ip +B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,281,host.target.,name: host.target.network.egress.bytes +B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,283,host.target.,name: host.target.network.egress.packets +B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,285,host.target.,name: 
host.target.network.ingress.bytes +B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,287,host.target.,name: host.target.network.ingress.packets +B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,289,host.target.,name: host.target.risk.calculated_score +B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,291,host.target.,name: host.target.risk.calculated_score_norm +B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,293,host.target.,name: host.target.risk.static_score +B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,295,host.target.,name: host.target.risk.static_score_norm +B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,297,host.target.,name: host.target.uptime +B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,651,service.target.,name: service.target.entity.last_seen_timestamp +B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,935,user.target.,name: user.target.entity.last_seen_timestamp +B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,937,user.target.,name: user.target.risk.calculated_score +B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,939,user.target.,name: user.target.risk.calculated_score_norm +B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,941,user.target.,name: user.target.risk.static_score +B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,943,user.target.,name: user.target.risk.static_score_norm +C,pad,,packages/pad/kibana/ml_module/pad-ml.json,586,user.target.,"""user.target.full_name""," +C,pad,,packages/pad/kibana/ml_module/pad-ml.json,587,user.target.,"""user.target.group.name""" 
+C,pad,,packages/pad/kibana/ml_module/pad-ml.json,627,user.target.,"""user.target.full_name""," +C,pad,,packages/pad/kibana/ml_module/pad-ml.json,628,user.target.,"""user.target.group.name""" +C,pad,,packages/pad/kibana/ml_module/pad-ml.json,668,user.target.,"""user.target.full_name""," +C,pad,,packages/pad/kibana/ml_module/pad-ml.json,669,user.target.,"""user.target.group.name""," +C,pad,,packages/pad/kibana/ml_module/pad-ml.json,711,user.target.,"""user.target.group.name""" +C,pad,,packages/pad/kibana/ml_module/pad-ml.json,751,user.target.,"""user.target.group.name""" +C,pad,,packages/pad/kibana/ml_module/pad-ml.json,829,user.target.,"""user.target.group.name""," +C,pad,,packages/pad/kibana/ml_module/pad-ml.json,869,user.target.,"""user.target.group.name""," +C,pad,,packages/pad/kibana/ml_module/pad-ml.json,909,user.target.,"""user.target.group.name""," +A,qnap_nas,log,packages/qnap_nas/data_stream/log/elasticsearch/ingest_pipeline/default.yml,78,user.target.,"- '^\[Users\] %{USER_EVENTS} ""%{DATA:user.target.name}""\.$'" +B,qnap_nas,log,packages/qnap_nas/data_stream/log/fields/ecs.yml,60,user.target.,name: user.target.name +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,1270,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,1275,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,1280,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,1285,entity.target.,"""name"": ""entity.target.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,1290,entity.target.,"""name"": ""entity.target.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,1295,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,1300,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,1305,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2480,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2485,host.target.,"""name"": ""host.target.boot.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2490,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2495,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2500,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2505,host.target.,"""name"": ""host.target.domain""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2510,host.target.,"""name"": ""host.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2515,host.target.,"""name"": ""host.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2520,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2525,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2530,host.target.,"""name"": ""host.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2535,host.target.,"""name"": ""host.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2540,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2545,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2550,host.target.,"""name"": ""host.target.geo.city_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2555,host.target.,"""name"": ""host.target.geo.continent_code""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2560,host.target.,"""name"": ""host.target.geo.continent_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2565,host.target.,"""name"": ""host.target.geo.country_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2570,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2575,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2580,host.target.,"""name"": ""host.target.geo.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2585,host.target.,"""name"": ""host.target.geo.postal_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2590,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2595,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2600,host.target.,"""name"": ""host.target.geo.timezone""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2605,host.target.,"""name"": ""host.target.hostname""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2610,host.target.,"""name"": ""host.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2615,host.target.,"""name"": ""host.target.ip""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2620,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2625,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2630,host.target.,"""name"": ""host.target.network.egress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2635,host.target.,"""name"": ""host.target.network.egress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2640,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2645,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2650,host.target.,"""name"": ""host.target.os.family""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2655,host.target.,"""name"": ""host.target.os.full""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2660,host.target.,"""name"": ""host.target.os.kernel""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2665,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2670,host.target.,"""name"": ""host.target.os.platform""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2675,host.target.,"""name"": ""host.target.os.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2680,host.target.,"""name"": ""host.target.os.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2685,host.target.,"""name"": ""host.target.pid_ns_ino""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2690,host.target.,"""name"": ""host.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2695,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2700,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2705,host.target.,"""name"": ""host.target.risk.static_level""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2710,host.target.,"""name"": ""host.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2715,host.target.,"""name"": ""host.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2720,host.target.,"""name"": ""host.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2725,host.target.,"""name"": ""host.target.uptime""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5625,service.target.,"""name"": ""service.target.address""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5630,service.target.,"""name"": ""service.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5635,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5640,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5645,service.target.,"""name"": ""service.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5650,service.target.,"""name"": ""service.target.entity.reference""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5655,service.target.,"""name"": ""service.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5660,service.target.,"""name"": ""service.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5665,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5670,service.target.,"""name"": ""service.target.environment""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5675,service.target.,"""name"": ""service.target.ephemeral_id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5680,service.target.,"""name"": ""service.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5685,service.target.,"""name"": ""service.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5690,service.target.,"""name"": ""service.target.node.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5695,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5700,service.target.,"""name"": ""service.target.node.roles""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5705,service.target.,"""name"": ""service.target.state""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5710,service.target.,"""name"": ""service.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5715,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7790,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7795,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7800,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7805,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7810,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7815,user.target.,"""name"": ""user.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7820,user.target.,"""name"": ""user.target.entity.reference""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7825,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7830,user.target.,"""name"": ""user.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7835,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7840,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7845,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7850,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7855,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7860,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7865,user.target.,"""name"": ""user.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7870,user.target.,"""name"": ""user.target.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7875,user.target.,"""name"": ""user.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7880,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7885,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7890,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7895,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7900,user.target.,"""name"": ""user.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7905,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,1260,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,1265,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,1270,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,1275,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,1280,entity.target.,"""name"": ""entity.target.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,1285,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,1290,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,1295,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2470,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2475,host.target.,"""name"": ""host.target.boot.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2480,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2485,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2490,host.target.,"""name"": ""host.target.disk.write.bytes""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2495,host.target.,"""name"": ""host.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2500,host.target.,"""name"": ""host.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2505,host.target.,"""name"": ""host.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2510,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2515,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2520,host.target.,"""name"": ""host.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2525,host.target.,"""name"": ""host.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2530,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2535,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2540,host.target.,"""name"": ""host.target.geo.city_name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2545,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2550,host.target.,"""name"": ""host.target.geo.continent_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2555,host.target.,"""name"": ""host.target.geo.country_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2560,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2565,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2570,host.target.,"""name"": ""host.target.geo.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2575,host.target.,"""name"": ""host.target.geo.postal_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2580,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2585,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2590,host.target.,"""name"": ""host.target.geo.timezone""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2595,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2600,host.target.,"""name"": ""host.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2605,host.target.,"""name"": ""host.target.ip""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2610,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2615,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2620,host.target.,"""name"": ""host.target.network.egress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2625,host.target.,"""name"": ""host.target.network.egress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2630,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2635,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2640,host.target.,"""name"": ""host.target.os.family""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2645,host.target.,"""name"": ""host.target.os.full"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2650,host.target.,"""name"": ""host.target.os.kernel"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2655,host.target.,"""name"": ""host.target.os.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2660,host.target.,"""name"": ""host.target.os.platform"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2665,host.target.,"""name"": ""host.target.os.type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2670,host.target.,"""name"": ""host.target.os.version"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2675,host.target.,"""name"": ""host.target.pid_ns_ino"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2680,host.target.,"""name"": ""host.target.risk.calculated_level"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2685,host.target.,"""name"": ""host.target.risk.calculated_score"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2690,host.target.,"""name"": ""host.target.risk.calculated_score_norm"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2695,host.target.,"""name"": ""host.target.risk.static_level"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2700,host.target.,"""name"": ""host.target.risk.static_score"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2705,host.target.,"""name"": ""host.target.risk.static_score_norm"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2710,host.target.,"""name"": ""host.target.type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2715,host.target.,"""name"": ""host.target.uptime"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5615,service.target.,"""name"": ""service.target.address"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5620,service.target.,"""name"": ""service.target.entity.display_name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5625,service.target.,"""name"": ""service.target.entity.id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5630,service.target.,"""name"": ""service.target.entity.last_seen_timestamp"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5635,service.target.,"""name"": ""service.target.entity.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5640,service.target.,"""name"": ""service.target.entity.reference"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5645,service.target.,"""name"": ""service.target.entity.source"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5650,service.target.,"""name"": ""service.target.entity.sub_type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5655,service.target.,"""name"": ""service.target.entity.type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5660,service.target.,"""name"": ""service.target.environment"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5665,service.target.,"""name"": ""service.target.ephemeral_id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5670,service.target.,"""name"": ""service.target.id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5675,service.target.,"""name"": ""service.target.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5680,service.target.,"""name"": ""service.target.node.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5685,service.target.,"""name"": ""service.target.node.role"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5690,service.target.,"""name"": ""service.target.node.roles"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5695,service.target.,"""name"": ""service.target.state"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5700,service.target.,"""name"": ""service.target.type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5705,service.target.,"""name"": ""service.target.version"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7780,user.target.,"""name"": ""user.target.domain"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7785,user.target.,"""name"": ""user.target.email"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7790,user.target.,"""name"": ""user.target.entity.display_name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7795,user.target.,"""name"": ""user.target.entity.id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7800,user.target.,"""name"": ""user.target.entity.last_seen_timestamp"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7805,user.target.,"""name"": ""user.target.entity.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7810,user.target.,"""name"": ""user.target.entity.reference"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7815,user.target.,"""name"": ""user.target.entity.source"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7820,user.target.,"""name"": ""user.target.entity.sub_type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7825,user.target.,"""name"": ""user.target.entity.type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7830,user.target.,"""name"": ""user.target.full_name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7835,user.target.,"""name"": ""user.target.group.domain"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7840,user.target.,"""name"": ""user.target.group.id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7845,user.target.,"""name"": ""user.target.group.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7850,user.target.,"""name"": ""user.target.hash"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7855,user.target.,"""name"": ""user.target.id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7860,user.target.,"""name"": ""user.target.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7865,user.target.,"""name"": ""user.target.risk.calculated_level"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7870,user.target.,"""name"": ""user.target.risk.calculated_score"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7875,user.target.,"""name"": ""user.target.risk.calculated_score_norm"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7880,user.target.,"""name"": ""user.target.risk.static_level"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7885,user.target.,"""name"": ""user.target.risk.static_score"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7890,user.target.,"""name"": ""user.target.risk.static_score_norm"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7895,user.target.,"""name"": ""user.target.roles"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_118.json,14,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating rc.local/rc.common File Creation\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use o..."
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_119.json,14,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating rc.local/rc.common File Creation\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use o..."
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_120.json,14,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating rc.local/rc.common File Creation\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use o..."
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,1285,entity.target.,"""name"": ""entity.target.display_name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,1290,entity.target.,"""name"": ""entity.target.id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,1295,entity.target.,"""name"": ""entity.target.last_seen_timestamp"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,1300,entity.target.,"""name"": ""entity.target.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,1305,entity.target.,"""name"": ""entity.target.reference"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,1310,entity.target.,"""name"": ""entity.target.source"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,1315,entity.target.,"""name"": ""entity.target.sub_type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,1320,entity.target.,"""name"": ""entity.target.type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2530,host.target.,"""name"": ""host.target.architecture"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2535,host.target.,"""name"": ""host.target.boot.id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2540,host.target.,"""name"": ""host.target.cpu.usage"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2545,host.target.,"""name"": ""host.target.disk.read.bytes"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2550,host.target.,"""name"": ""host.target.disk.write.bytes"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2555,host.target.,"""name"": ""host.target.domain"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2560,host.target.,"""name"": ""host.target.entity.display_name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2565,host.target.,"""name"": ""host.target.entity.id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2570,host.target.,"""name"": ""host.target.entity.last_seen_timestamp"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2575,host.target.,"""name"": ""host.target.entity.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2580,host.target.,"""name"": ""host.target.entity.reference"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2585,host.target.,"""name"": ""host.target.entity.source"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2590,host.target.,"""name"": ""host.target.entity.sub_type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2595,host.target.,"""name"": ""host.target.entity.type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2600,host.target.,"""name"": ""host.target.geo.city_name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2605,host.target.,"""name"": ""host.target.geo.continent_code"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2610,host.target.,"""name"": ""host.target.geo.continent_name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2615,host.target.,"""name"": ""host.target.geo.country_iso_code"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2620,host.target.,"""name"": ""host.target.geo.country_name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2625,host.target.,"""name"": ""host.target.geo.location"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2630,host.target.,"""name"": ""host.target.geo.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2635,host.target.,"""name"": ""host.target.geo.postal_code"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2640,host.target.,"""name"": ""host.target.geo.region_iso_code"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2645,host.target.,"""name"": ""host.target.geo.region_name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2650,host.target.,"""name"": ""host.target.geo.timezone"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2655,host.target.,"""name"": ""host.target.hostname"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2660,host.target.,"""name"": ""host.target.id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2665,host.target.,"""name"": ""host.target.ip"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2670,host.target.,"""name"": ""host.target.mac"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2675,host.target.,"""name"": ""host.target.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2680,host.target.,"""name"": ""host.target.network.egress.bytes"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2685,host.target.,"""name"": ""host.target.network.egress.packets"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2690,host.target.,"""name"": ""host.target.network.ingress.bytes"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2695,host.target.,"""name"": ""host.target.network.ingress.packets"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2700,host.target.,"""name"": ""host.target.os.family"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2705,host.target.,"""name"": ""host.target.os.full"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2710,host.target.,"""name"": ""host.target.os.kernel"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2715,host.target.,"""name"": ""host.target.os.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2720,host.target.,"""name"": ""host.target.os.platform"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2725,host.target.,"""name"": ""host.target.os.type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2730,host.target.,"""name"": ""host.target.os.version"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2735,host.target.,"""name"": ""host.target.pid_ns_ino"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2740,host.target.,"""name"": ""host.target.risk.calculated_level"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2745,host.target.,"""name"": ""host.target.risk.calculated_score"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2750,host.target.,"""name"": ""host.target.risk.calculated_score_norm"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2755,host.target.,"""name"": ""host.target.risk.static_level"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2760,host.target.,"""name"": ""host.target.risk.static_score"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2765,host.target.,"""name"": ""host.target.risk.static_score_norm"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2770,host.target.,"""name"": ""host.target.type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2775,host.target.,"""name"": ""host.target.uptime"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6365,service.target.,"""name"": ""service.target.address"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6370,service.target.,"""name"": ""service.target.entity.display_name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6375,service.target.,"""name"": ""service.target.entity.id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6380,service.target.,"""name"": ""service.target.entity.last_seen_timestamp"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6385,service.target.,"""name"": ""service.target.entity.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6390,service.target.,"""name"": ""service.target.entity.reference"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6395,service.target.,"""name"": ""service.target.entity.source"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6400,service.target.,"""name"": ""service.target.entity.sub_type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6405,service.target.,"""name"": ""service.target.entity.type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6410,service.target.,"""name"": ""service.target.environment"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6415,service.target.,"""name"": ""service.target.ephemeral_id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6420,service.target.,"""name"": ""service.target.id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6425,service.target.,"""name"": ""service.target.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6430,service.target.,"""name"": ""service.target.node.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6435,service.target.,"""name"": ""service.target.node.role"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6440,service.target.,"""name"": ""service.target.node.roles"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6445,service.target.,"""name"": ""service.target.state"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6450,service.target.,"""name"": ""service.target.type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6455,service.target.,"""name"": ""service.target.version"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8560,user.target.,"""name"": ""user.target.domain"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8565,user.target.,"""name"": ""user.target.email"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8570,user.target.,"""name"": ""user.target.entity.display_name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8575,user.target.,"""name"": ""user.target.entity.id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8580,user.target.,"""name"": ""user.target.entity.last_seen_timestamp"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8585,user.target.,"""name"": ""user.target.entity.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8590,user.target.,"""name"": ""user.target.entity.reference"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8595,user.target.,"""name"": ""user.target.entity.source"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8600,user.target.,"""name"": ""user.target.entity.sub_type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8605,user.target.,"""name"": ""user.target.entity.type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8610,user.target.,"""name"": ""user.target.full_name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8615,user.target.,"""name"": ""user.target.group.domain"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8620,user.target.,"""name"": ""user.target.group.id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8625,user.target.,"""name"": ""user.target.group.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8630,user.target.,"""name"": ""user.target.hash"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8635,user.target.,"""name"": ""user.target.id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8640,user.target.,"""name"": ""user.target.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8645,user.target.,"""name"": ""user.target.risk.calculated_level"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8650,user.target.,"""name"": ""user.target.risk.calculated_score"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8655,user.target.,"""name"": ""user.target.risk.calculated_score_norm"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8660,user.target.,"""name"": ""user.target.risk.static_level"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8665,user.target.,"""name"": ""user.target.risk.static_score"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8670,user.target.,"""name"": ""user.target.risk.static_score_norm"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8675,user.target.,"""name"": ""user.target.roles"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_213.json,24,user.target.,"""user.target.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_214.json,24,user.target.,"""user.target.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_215.json,24,user.target.,"""user.target.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,2915,entity.target.,"""name"": ""entity.target.display_name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,2920,entity.target.,"""name"": ""entity.target.display_name.text"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,2925,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,2930,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,2935,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,2940,entity.target.,"""name"": ""entity.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,2945,entity.target.,"""name"": ""entity.target.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,2950,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,2955,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,2960,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4380,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4385,host.target.,"""name"": ""host.target.boot.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4390,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4395,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4400,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4405,host.target.,"""name"": ""host.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4410,host.target.,"""name"": ""host.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4415,host.target.,"""name"": ""host.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4420,host.target.,"""name"": ""host.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4425,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4430,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4435,host.target.,"""name"": ""host.target.entity.name.text""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4440,host.target.,"""name"": ""host.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4445,host.target.,"""name"": ""host.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4450,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4455,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4460,host.target.,"""name"": ""host.target.geo.city_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4465,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4470,host.target.,"""name"": ""host.target.geo.continent_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4475,host.target.,"""name"": ""host.target.geo.country_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4480,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4485,host.target.,"""name"": ""host.target.geo.location""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4490,host.target.,"""name"": ""host.target.geo.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4495,host.target.,"""name"": ""host.target.geo.postal_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4500,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4505,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4510,host.target.,"""name"": ""host.target.geo.timezone""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4515,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4520,host.target.,"""name"": ""host.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4525,host.target.,"""name"": ""host.target.ip""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4530,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4535,host.target.,"""name"": ""host.target.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4540,host.target.,"""name"": ""host.target.network.egress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4545,host.target.,"""name"": ""host.target.network.egress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4550,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4555,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4560,host.target.,"""name"": ""host.target.os.family""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4565,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4570,host.target.,"""name"": ""host.target.os.full.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4575,host.target.,"""name"": ""host.target.os.kernel""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4580,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4585,host.target.,"""name"": ""host.target.os.name.text""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4590,host.target.,"""name"": ""host.target.os.platform""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4595,host.target.,"""name"": ""host.target.os.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4600,host.target.,"""name"": ""host.target.os.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4605,host.target.,"""name"": ""host.target.pid_ns_ino""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4610,host.target.,"""name"": ""host.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4615,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4620,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4625,host.target.,"""name"": ""host.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4630,host.target.,"""name"": ""host.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4635,host.target.,"""name"": ""host.target.risk.static_score_norm""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4640,host.target.,"""name"": ""host.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4645,host.target.,"""name"": ""host.target.uptime""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,8960,service.target.,"""name"": ""service.target.address""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,8965,service.target.,"""name"": ""service.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,8970,service.target.,"""name"": ""service.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,8975,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,8980,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,8985,service.target.,"""name"": ""service.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,8990,service.target.,"""name"": ""service.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,8995,service.target.,"""name"": ""service.target.entity.reference""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9000,service.target.,"""name"": ""service.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9005,service.target.,"""name"": ""service.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9010,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9015,service.target.,"""name"": ""service.target.environment""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9020,service.target.,"""name"": ""service.target.ephemeral_id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9025,service.target.,"""name"": ""service.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9030,service.target.,"""name"": ""service.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9035,service.target.,"""name"": ""service.target.node.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9040,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9045,service.target.,"""name"": ""service.target.node.roles""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9050,service.target.,"""name"": ""service.target.state""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9055,service.target.,"""name"": ""service.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9060,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11435,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11440,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11445,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11450,user.target.,"""name"": ""user.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11455,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11460,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11465,user.target.,"""name"": ""user.target.entity.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11470,user.target.,"""name"": ""user.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11475,user.target.,"""name"": ""user.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11480,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11485,user.target.,"""name"": ""user.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11490,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11495,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11500,user.target.,"""name"": ""user.target.full_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11505,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11510,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11515,user.target.,"""name"": ""user.target.group.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11520,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11525,user.target.,"""name"": ""user.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11530,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11535,user.target.,"""name"": ""user.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11540,user.target.,"""name"": ""user.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11545,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11550,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11555,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11560,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11565,user.target.,"""name"": ""user.target.risk.static_score_norm""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11570,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,2910,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,2915,entity.target.,"""name"": ""entity.target.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,2920,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,2925,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,2930,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,2935,entity.target.,"""name"": ""entity.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,2940,entity.target.,"""name"": ""entity.target.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,2945,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,2950,entity.target.,"""name"": ""entity.target.sub_type""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,2955,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4375,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4380,host.target.,"""name"": ""host.target.boot.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4385,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4390,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4395,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4400,host.target.,"""name"": ""host.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4405,host.target.,"""name"": ""host.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4410,host.target.,"""name"": ""host.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4415,host.target.,"""name"": ""host.target.entity.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4420,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4425,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4430,host.target.,"""name"": ""host.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4435,host.target.,"""name"": ""host.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4440,host.target.,"""name"": ""host.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4445,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4450,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4455,host.target.,"""name"": ""host.target.geo.city_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4460,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4465,host.target.,"""name"": ""host.target.geo.continent_name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4470,host.target.,"""name"": ""host.target.geo.country_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4475,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4480,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4485,host.target.,"""name"": ""host.target.geo.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4490,host.target.,"""name"": ""host.target.geo.postal_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4495,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4500,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4505,host.target.,"""name"": ""host.target.geo.timezone""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4510,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4515,host.target.,"""name"": ""host.target.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4520,host.target.,"""name"": ""host.target.ip""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4525,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4530,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4535,host.target.,"""name"": ""host.target.network.egress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4540,host.target.,"""name"": ""host.target.network.egress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4545,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4550,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4555,host.target.,"""name"": ""host.target.os.family""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4560,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4565,host.target.,"""name"": ""host.target.os.full.text""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4570,host.target.,"""name"": ""host.target.os.kernel""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4575,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4580,host.target.,"""name"": ""host.target.os.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4585,host.target.,"""name"": ""host.target.os.platform""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4590,host.target.,"""name"": ""host.target.os.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4595,host.target.,"""name"": ""host.target.os.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4600,host.target.,"""name"": ""host.target.pid_ns_ino""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4605,host.target.,"""name"": ""host.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4610,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4615,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4620,host.target.,"""name"": ""host.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4625,host.target.,"""name"": ""host.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4630,host.target.,"""name"": ""host.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4635,host.target.,"""name"": ""host.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4640,host.target.,"""name"": ""host.target.uptime""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,8955,service.target.,"""name"": ""service.target.address""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,8960,service.target.,"""name"": ""service.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,8965,service.target.,"""name"": ""service.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,8970,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,8975,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,8980,service.target.,"""name"": ""service.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,8985,service.target.,"""name"": ""service.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,8990,service.target.,"""name"": ""service.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,8995,service.target.,"""name"": ""service.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9000,service.target.,"""name"": ""service.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9005,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9010,service.target.,"""name"": ""service.target.environment""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9015,service.target.,"""name"": ""service.target.ephemeral_id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9020,service.target.,"""name"": ""service.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9025,service.target.,"""name"": ""service.target.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9030,service.target.,"""name"": ""service.target.node.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9035,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9040,service.target.,"""name"": ""service.target.node.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9045,service.target.,"""name"": ""service.target.state""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9050,service.target.,"""name"": ""service.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9055,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11430,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11435,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11440,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11445,user.target.,"""name"": ""user.target.entity.display_name.text""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11450,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11455,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11460,user.target.,"""name"": ""user.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11465,user.target.,"""name"": ""user.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11470,user.target.,"""name"": ""user.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11475,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11480,user.target.,"""name"": ""user.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11485,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11490,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11495,user.target.,"""name"": ""user.target.full_name.text""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11500,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11505,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11510,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11515,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11520,user.target.,"""name"": ""user.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11525,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11530,user.target.,"""name"": ""user.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11535,user.target.,"""name"": ""user.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11540,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11545,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11550,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11555,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11560,user.target.,"""name"": ""user.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11565,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_5.json,19,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating External User Added to Google Workspace Group\n\nGoogle Workspace groups allow organizations to assign specific users to a group that can share resources. Application specific roles ca..." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_5.json,20,user.target.,"""query"": ""iam where event.dataset == \""google_workspace.admin\"" and event.action == \""ADD_GROUP_MEMBER\"" and\n not endsWith(user.target.email, user.target.group.domain)\n""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_5.json,45,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_5.json,50,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_6.json,19,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating External User Added to Google Workspace Group\n\nGoogle Workspace groups allow organizations to assign specific users to a group that can share resources. Application specific roles ca..." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_6.json,20,user.target.,"""query"": ""iam where event.dataset == \""google_workspace.admin\"" and event.action == \""ADD_GROUP_MEMBER\"" and\n not endsWith(user.target.email, user.target.group.domain)\n""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_6.json,45,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_6.json,50,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_7.json,19,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating External User Added to Google Workspace Group\n\nGoogle Workspace groups allow organizations to assign specific users to a group that can share resources. Application specific roles ca..." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_7.json,20,user.target.,"""query"": ""iam where data_stream.dataset == \""google_workspace.admin\"" and event.action == \""ADD_GROUP_MEMBER\"" and\n not endsWith(user.target.email, user.target.group.domain)\n""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_7.json,45,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_7.json,50,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_209.json,19,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating Google Workspace Admin Role Assigned to a User\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups. These assignments should follow the pri..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_210.json,19,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating Google Workspace Admin Role Assigned to a User\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups. These assignments should follow the pri..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_211.json,19,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating Google Workspace Admin Role Assigned to a User\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups. These assignments should follow the pri..." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_11.json,20,user.target.,"""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_11.json,33,user.target.,"""query"": ""from logs-aws.cloudtrail-* metadata _id, _version, _index\n| where event.dataset == \""aws.cloudtrail\""\n and event.provider == \""iam.amazonaws.com\""\n and event.action == \""CreateAccessKey\""\n and event.outcome == \""su..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_11.json,199,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_12.json,20,user.target.,"""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_12.json,33,user.target.,"""query"": ""from logs-aws.cloudtrail-* metadata _id, _version, _index\n| where event.dataset == \""aws.cloudtrail\""\n and event.provider == \""iam.amazonaws.com\""\n and event.action == \""CreateAccessKey\""\n and event.outcome == \""su..." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_12.json,199,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_13.json,20,user.target.,"""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_13.json,33,user.target.,"""query"": ""from logs-aws.cloudtrail-* metadata _id, _version, _index\n| where data_stream.dataset == \""aws.cloudtrail\""\n and event.provider == \""iam.amazonaws.com\""\n and event.action == \""CreateAccessKey\""\n and event.outcome =..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_13.json,199,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,1242,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,1247,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,1252,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,1257,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,1262,entity.target.,"""name"": ""entity.target.reference""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,1267,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,1272,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,1277,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2472,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2477,host.target.,"""name"": ""host.target.boot.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2482,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2487,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2492,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2497,host.target.,"""name"": ""host.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2502,host.target.,"""name"": ""host.target.entity.display_name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2507,host.target.,"""name"": ""host.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2512,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2517,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2522,host.target.,"""name"": ""host.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2527,host.target.,"""name"": ""host.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2532,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2537,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2542,host.target.,"""name"": ""host.target.geo.city_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2547,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2552,host.target.,"""name"": ""host.target.geo.continent_name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2557,host.target.,"""name"": ""host.target.geo.country_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2562,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2567,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2572,host.target.,"""name"": ""host.target.geo.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2577,host.target.,"""name"": ""host.target.geo.postal_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2582,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2587,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2592,host.target.,"""name"": ""host.target.geo.timezone""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2597,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2602,host.target.,"""name"": ""host.target.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2607,host.target.,"""name"": ""host.target.ip""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2612,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2617,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2622,host.target.,"""name"": ""host.target.network.egress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2627,host.target.,"""name"": ""host.target.network.egress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2632,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2637,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2642,host.target.,"""name"": ""host.target.os.family""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2647,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2652,host.target.,"""name"": ""host.target.os.kernel""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2657,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2662,host.target.,"""name"": ""host.target.os.platform""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2667,host.target.,"""name"": ""host.target.os.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2672,host.target.,"""name"": ""host.target.os.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2677,host.target.,"""name"": ""host.target.pid_ns_ino""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2682,host.target.,"""name"": ""host.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2687,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2692,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2697,host.target.,"""name"": ""host.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2702,host.target.,"""name"": ""host.target.risk.static_score""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2707,host.target.,"""name"": ""host.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2712,host.target.,"""name"": ""host.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2717,host.target.,"""name"": ""host.target.uptime""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6152,service.target.,"""name"": ""service.target.address""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6157,service.target.,"""name"": ""service.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6162,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6167,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6172,service.target.,"""name"": ""service.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6177,service.target.,"""name"": ""service.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6182,service.target.,"""name"": ""service.target.entity.source""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6187,service.target.,"""name"": ""service.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6192,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6197,service.target.,"""name"": ""service.target.environment""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6202,service.target.,"""name"": ""service.target.ephemeral_id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6207,service.target.,"""name"": ""service.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6212,service.target.,"""name"": ""service.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6217,service.target.,"""name"": ""service.target.node.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6222,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6227,service.target.,"""name"": ""service.target.node.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6232,service.target.,"""name"": ""service.target.state""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6237,service.target.,"""name"": ""service.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6242,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8332,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8337,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8342,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8347,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8352,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8357,user.target.,"""name"": ""user.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8362,user.target.,"""name"": ""user.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8367,user.target.,"""name"": ""user.target.entity.source""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8372,user.target.,"""name"": ""user.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8377,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8382,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8387,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8392,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8397,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8402,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8407,user.target.,"""name"": ""user.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8412,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8417,user.target.,"""name"": ""user.target.risk.calculated_level""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8422,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8427,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8432,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8437,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8442,user.target.,"""name"": ""user.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8447,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_213.json,14,user.target.,"""note"": ""## Triage and Analysis\n\n### Investigating M365 Identity Global Administrator Role Assigned\n\nThe Microsoft 365 Global Administrator role grants comprehensive administrative access across Entra ID and services such as Microsof..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_214.json,14,user.target.,"""note"": ""## Triage and Analysis\n\n### Investigating M365 Identity Global Administrator Role Assigned\n\nThe Microsoft 365 Global Administrator role grants comprehensive administrative access across Entra ID and services such as Microsof..." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_215.json,14,user.target.,"""note"": ""## Triage and Analysis\n\n### Investigating M365 Identity Global Administrator Role Assigned\n\nThe Microsoft 365 Global Administrator role grants comprehensive administrative access across Entra ID and services such as Microsof..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_10.json,25,user.target.,"""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_8.json,25,user.target.,"""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_9.json,25,user.target.,"""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a44bcb58-5109-4870-a7c6-11f5fe7dd4b1_2.json,25,user.target.,"""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a44bcb58-5109-4870-a7c6-11f5fe7dd4b1_3.json,25,user.target.,"""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a44bcb58-5109-4870-a7c6-11f5fe7dd4b1_4.json,25,user.target.,"""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_315.json,6,entity.target.,"""description"": ""Identifies AWS CloudTrail events where an IAM role's trust policy has been updated by an IAM user or Assumed Role identity. The trust policy is a JSON document that defines which principals are allowed to assume the role...." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_315.json,25,entity.target.,"""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_315.json,39,entity.target.,"""entity.target.id""" +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_315.json,41,entity.target.,"""note"": ""## Triage and analysis\n\n### Investigating AWS IAM Assume Role Policy Update\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_316.json,6,entity.target.,"""description"": ""Identifies AWS CloudTrail events where an IAM role's trust policy has been updated by an IAM user or Assumed Role identity. The trust policy is a JSON document that defines which principals are allowed to assume the role...." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_316.json,25,entity.target.,"""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_316.json,39,entity.target.,"""entity.target.id""" +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_316.json,41,entity.target.,"""note"": ""## Triage and analysis\n\n### Investigating AWS IAM Assume Role Policy Update\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it..." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_317.json,6,entity.target.,"""description"": ""Identifies AWS CloudTrail events where an IAM role's trust policy has been updated by an IAM user or Assumed Role identity. The trust policy is a JSON document that defines which principals are allowed to assume the role...." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_317.json,25,entity.target.,"""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_317.json,39,entity.target.,"""entity.target.id""" +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_317.json,41,entity.target.,"""note"": ""## Triage and analysis\n\n### Investigating AWS IAM Assume Role Policy Update\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it..." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,1238,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,1243,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,1248,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,1253,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,1258,entity.target.,"""name"": ""entity.target.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,1263,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,1268,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,1273,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2433,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2438,host.target.,"""name"": ""host.target.boot.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2443,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2448,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2453,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2458,host.target.,"""name"": ""host.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2463,host.target.,"""name"": ""host.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2468,host.target.,"""name"": ""host.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2473,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2478,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2483,host.target.,"""name"": ""host.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2488,host.target.,"""name"": ""host.target.entity.source""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2493,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2498,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2503,host.target.,"""name"": ""host.target.geo.city_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2508,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2513,host.target.,"""name"": ""host.target.geo.continent_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2518,host.target.,"""name"": ""host.target.geo.country_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2523,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2528,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2533,host.target.,"""name"": ""host.target.geo.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2538,host.target.,"""name"": ""host.target.geo.postal_code""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2543,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2548,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2553,host.target.,"""name"": ""host.target.geo.timezone""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2558,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2563,host.target.,"""name"": ""host.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2568,host.target.,"""name"": ""host.target.ip""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2573,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2578,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2583,host.target.,"""name"": ""host.target.network.egress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2588,host.target.,"""name"": ""host.target.network.egress.packets""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2593,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2598,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2603,host.target.,"""name"": ""host.target.os.family""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2608,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2613,host.target.,"""name"": ""host.target.os.kernel""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2618,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2623,host.target.,"""name"": ""host.target.os.platform""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2628,host.target.,"""name"": ""host.target.os.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2633,host.target.,"""name"": ""host.target.os.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2638,host.target.,"""name"": ""host.target.pid_ns_ino""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2643,host.target.,"""name"": ""host.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2648,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2653,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2658,host.target.,"""name"": ""host.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2663,host.target.,"""name"": ""host.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2668,host.target.,"""name"": ""host.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2673,host.target.,"""name"": ""host.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2678,host.target.,"""name"": ""host.target.uptime""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5508,service.target.,"""name"": ""service.target.address""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5513,service.target.,"""name"": ""service.target.entity.display_name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5518,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5523,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5528,service.target.,"""name"": ""service.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5533,service.target.,"""name"": ""service.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5538,service.target.,"""name"": ""service.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5543,service.target.,"""name"": ""service.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5548,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5553,service.target.,"""name"": ""service.target.environment""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5558,service.target.,"""name"": ""service.target.ephemeral_id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5563,service.target.,"""name"": ""service.target.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5568,service.target.,"""name"": ""service.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5573,service.target.,"""name"": ""service.target.node.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5578,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5583,service.target.,"""name"": ""service.target.node.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5588,service.target.,"""name"": ""service.target.state""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5593,service.target.,"""name"": ""service.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5598,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7658,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7663,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7668,user.target.,"""name"": ""user.target.entity.display_name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7673,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7678,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7683,user.target.,"""name"": ""user.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7688,user.target.,"""name"": ""user.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7693,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7698,user.target.,"""name"": ""user.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7703,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7708,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7713,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7718,user.target.,"""name"": ""user.target.group.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7723,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7728,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7733,user.target.,"""name"": ""user.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7738,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7743,user.target.,"""name"": ""user.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7748,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7753,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7758,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7763,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7768,user.target.,"""name"": ""user.target.risk.static_score_norm""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7773,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,1238,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,1243,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,1248,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,1253,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,1258,entity.target.,"""name"": ""entity.target.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,1263,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,1268,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,1273,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2433,host.target.,"""name"": ""host.target.architecture""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2438,host.target.,"""name"": ""host.target.boot.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2443,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2448,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2453,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2458,host.target.,"""name"": ""host.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2463,host.target.,"""name"": ""host.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2468,host.target.,"""name"": ""host.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2473,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2478,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2483,host.target.,"""name"": ""host.target.entity.reference""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2488,host.target.,"""name"": ""host.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2493,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2498,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2503,host.target.,"""name"": ""host.target.geo.city_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2508,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2513,host.target.,"""name"": ""host.target.geo.continent_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2518,host.target.,"""name"": ""host.target.geo.country_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2523,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2528,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2533,host.target.,"""name"": ""host.target.geo.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2538,host.target.,"""name"": ""host.target.geo.postal_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2543,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2548,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2553,host.target.,"""name"": ""host.target.geo.timezone""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2558,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2563,host.target.,"""name"": ""host.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2568,host.target.,"""name"": ""host.target.ip""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2573,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2578,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2583,host.target.,"""name"": ""host.target.network.egress.bytes""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2588,host.target.,"""name"": ""host.target.network.egress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2593,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2598,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2603,host.target.,"""name"": ""host.target.os.family""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2608,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2613,host.target.,"""name"": ""host.target.os.kernel""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2618,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2623,host.target.,"""name"": ""host.target.os.platform""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2628,host.target.,"""name"": ""host.target.os.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2633,host.target.,"""name"": ""host.target.os.version""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2638,host.target.,"""name"": ""host.target.pid_ns_ino""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2643,host.target.,"""name"": ""host.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2648,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2653,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2658,host.target.,"""name"": ""host.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2663,host.target.,"""name"": ""host.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2668,host.target.,"""name"": ""host.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2673,host.target.,"""name"": ""host.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2678,host.target.,"""name"": ""host.target.uptime""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5508,service.target.,"""name"": ""service.target.address""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5513,service.target.,"""name"": ""service.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5518,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5523,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5528,service.target.,"""name"": ""service.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5533,service.target.,"""name"": ""service.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5538,service.target.,"""name"": ""service.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5543,service.target.,"""name"": ""service.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5548,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5553,service.target.,"""name"": ""service.target.environment""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5558,service.target.,"""name"": ""service.target.ephemeral_id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5563,service.target.,"""name"": ""service.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5568,service.target.,"""name"": ""service.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5573,service.target.,"""name"": ""service.target.node.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5578,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5583,service.target.,"""name"": ""service.target.node.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5588,service.target.,"""name"": ""service.target.state""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5593,service.target.,"""name"": ""service.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5598,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7658,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7663,user.target.,"""name"": ""user.target.email""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7668,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7673,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7678,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7683,user.target.,"""name"": ""user.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7688,user.target.,"""name"": ""user.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7693,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7698,user.target.,"""name"": ""user.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7703,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7708,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7713,user.target.,"""name"": ""user.target.group.domain""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7718,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7723,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7728,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7733,user.target.,"""name"": ""user.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7738,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7743,user.target.,"""name"": ""user.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7748,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7753,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7758,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7763,user.target.,"""name"": ""user.target.risk.static_score""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7768,user.target.,"""name"": ""user.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7773,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_109.json,19,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating Google Workspace User Organizational Unit Changed\n\nAn organizational unit is a group that an administrator can create in the Google Admin console to apply settings to a specific set ..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_110.json,19,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating Google Workspace User Organizational Unit Changed\n\nAn organizational unit is a group that an administrator can create in the Google Admin console to apply settings to a specific set ..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_111.json,19,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating Google Workspace User Organizational Unit Changed\n\nAn organizational unit is a group that an administrator can create in the Google Admin console to apply settings to a specific set ..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_417.json,18,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\n\nMFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for ..." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_418.json,18,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\n\nMFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for ..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_419.json,18,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\n\nMFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for ..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,2911,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,2916,entity.target.,"""name"": ""entity.target.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,2921,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,2926,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,2931,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,2936,entity.target.,"""name"": ""entity.target.name.text""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,2941,entity.target.,"""name"": ""entity.target.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,2946,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,2951,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,2956,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4381,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4386,host.target.,"""name"": ""host.target.boot.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4391,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4396,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4401,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4406,host.target.,"""name"": ""host.target.domain""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4411,host.target.,"""name"": ""host.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4416,host.target.,"""name"": ""host.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4421,host.target.,"""name"": ""host.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4426,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4431,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4436,host.target.,"""name"": ""host.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4441,host.target.,"""name"": ""host.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4446,host.target.,"""name"": ""host.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4451,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4456,host.target.,"""name"": ""host.target.entity.type""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4461,host.target.,"""name"": ""host.target.geo.city_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4466,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4471,host.target.,"""name"": ""host.target.geo.continent_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4476,host.target.,"""name"": ""host.target.geo.country_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4481,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4486,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4491,host.target.,"""name"": ""host.target.geo.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4496,host.target.,"""name"": ""host.target.geo.postal_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4501,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4506,host.target.,"""name"": ""host.target.geo.region_name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4511,host.target.,"""name"": ""host.target.geo.timezone""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4516,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4521,host.target.,"""name"": ""host.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4526,host.target.,"""name"": ""host.target.ip""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4531,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4536,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4541,host.target.,"""name"": ""host.target.network.egress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4546,host.target.,"""name"": ""host.target.network.egress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4551,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4556,host.target.,"""name"": ""host.target.network.ingress.packets""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4561,host.target.,"""name"": ""host.target.os.family""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4566,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4571,host.target.,"""name"": ""host.target.os.full.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4576,host.target.,"""name"": ""host.target.os.kernel""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4581,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4586,host.target.,"""name"": ""host.target.os.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4591,host.target.,"""name"": ""host.target.os.platform""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4596,host.target.,"""name"": ""host.target.os.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4601,host.target.,"""name"": ""host.target.os.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4606,host.target.,"""name"": ""host.target.pid_ns_ino""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4611,host.target.,"""name"": ""host.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4616,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4621,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4626,host.target.,"""name"": ""host.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4631,host.target.,"""name"": ""host.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4636,host.target.,"""name"": ""host.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4641,host.target.,"""name"": ""host.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4646,host.target.,"""name"": ""host.target.uptime""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,8966,service.target.,"""name"": ""service.target.address""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,8971,service.target.,"""name"": ""service.target.entity.display_name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,8976,service.target.,"""name"": ""service.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,8981,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,8986,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,8991,service.target.,"""name"": ""service.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,8996,service.target.,"""name"": ""service.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9001,service.target.,"""name"": ""service.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9006,service.target.,"""name"": ""service.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9011,service.target.,"""name"": ""service.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9016,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9021,service.target.,"""name"": ""service.target.environment""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9026,service.target.,"""name"": ""service.target.ephemeral_id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9031,service.target.,"""name"": ""service.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9036,service.target.,"""name"": ""service.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9041,service.target.,"""name"": ""service.target.node.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9046,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9051,service.target.,"""name"": ""service.target.node.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9056,service.target.,"""name"": ""service.target.state""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9061,service.target.,"""name"": ""service.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9066,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11441,user.target.,"""name"": ""user.target.domain""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11446,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11451,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11456,user.target.,"""name"": ""user.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11461,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11466,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11471,user.target.,"""name"": ""user.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11476,user.target.,"""name"": ""user.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11481,user.target.,"""name"": ""user.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11486,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11491,user.target.,"""name"": ""user.target.entity.sub_type""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11496,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11501,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11506,user.target.,"""name"": ""user.target.full_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11511,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11516,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11521,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11526,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11531,user.target.,"""name"": ""user.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11536,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11541,user.target.,"""name"": ""user.target.name.text""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11546,user.target.,"""name"": ""user.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11551,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11556,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11561,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11566,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11571,user.target.,"""name"": ""user.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11576,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,2906,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,2911,entity.target.,"""name"": ""entity.target.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,2916,entity.target.,"""name"": ""entity.target.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,2921,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,2926,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,2931,entity.target.,"""name"": ""entity.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,2936,entity.target.,"""name"": ""entity.target.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,2941,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,2946,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,2951,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4376,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4381,host.target.,"""name"": ""host.target.boot.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4386,host.target.,"""name"": ""host.target.cpu.usage""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4391,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4396,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4401,host.target.,"""name"": ""host.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4406,host.target.,"""name"": ""host.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4411,host.target.,"""name"": ""host.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4416,host.target.,"""name"": ""host.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4421,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4426,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4431,host.target.,"""name"": ""host.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4436,host.target.,"""name"": ""host.target.entity.reference""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4441,host.target.,"""name"": ""host.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4446,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4451,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4456,host.target.,"""name"": ""host.target.geo.city_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4461,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4466,host.target.,"""name"": ""host.target.geo.continent_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4471,host.target.,"""name"": ""host.target.geo.country_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4476,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4481,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4486,host.target.,"""name"": ""host.target.geo.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4491,host.target.,"""name"": ""host.target.geo.postal_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4496,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4501,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4506,host.target.,"""name"": ""host.target.geo.timezone""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4511,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4516,host.target.,"""name"": ""host.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4521,host.target.,"""name"": ""host.target.ip""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4526,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4531,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4536,host.target.,"""name"": ""host.target.network.egress.bytes""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4541,host.target.,"""name"": ""host.target.network.egress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4546,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4551,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4556,host.target.,"""name"": ""host.target.os.family""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4561,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4566,host.target.,"""name"": ""host.target.os.full.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4571,host.target.,"""name"": ""host.target.os.kernel""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4576,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4581,host.target.,"""name"": ""host.target.os.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4586,host.target.,"""name"": ""host.target.os.platform""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4591,host.target.,"""name"": ""host.target.os.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4596,host.target.,"""name"": ""host.target.os.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4601,host.target.,"""name"": ""host.target.pid_ns_ino""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4606,host.target.,"""name"": ""host.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4611,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4616,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4621,host.target.,"""name"": ""host.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4626,host.target.,"""name"": ""host.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4631,host.target.,"""name"": ""host.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4636,host.target.,"""name"": ""host.target.type""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4641,host.target.,"""name"": ""host.target.uptime""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,8961,service.target.,"""name"": ""service.target.address""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,8966,service.target.,"""name"": ""service.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,8971,service.target.,"""name"": ""service.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,8976,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,8981,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,8986,service.target.,"""name"": ""service.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,8991,service.target.,"""name"": ""service.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,8996,service.target.,"""name"": ""service.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9001,service.target.,"""name"": ""service.target.entity.source""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9006,service.target.,"""name"": ""service.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9011,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9016,service.target.,"""name"": ""service.target.environment""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9021,service.target.,"""name"": ""service.target.ephemeral_id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9026,service.target.,"""name"": ""service.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9031,service.target.,"""name"": ""service.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9036,service.target.,"""name"": ""service.target.node.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9041,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9046,service.target.,"""name"": ""service.target.node.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9051,service.target.,"""name"": ""service.target.state""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9056,service.target.,"""name"": ""service.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9061,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11436,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11441,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11446,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11451,user.target.,"""name"": ""user.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11456,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11461,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11466,user.target.,"""name"": ""user.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11471,user.target.,"""name"": ""user.target.entity.name.text""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11476,user.target.,"""name"": ""user.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11481,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11486,user.target.,"""name"": ""user.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11491,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11496,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11501,user.target.,"""name"": ""user.target.full_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11506,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11511,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11516,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11521,user.target.,"""name"": ""user.target.hash""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11526,user.target.,"""name"": ""user.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11531,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11536,user.target.,"""name"": ""user.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11541,user.target.,"""name"": ""user.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11546,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11551,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11556,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11561,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11566,user.target.,"""name"": ""user.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11571,user.target.,"""name"": ""user.target.roles""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,1344,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,1349,entity.target.,"""name"": ""entity.target.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,1354,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,1359,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,1364,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,1369,entity.target.,"""name"": ""entity.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,1374,entity.target.,"""name"": ""entity.target.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,1379,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,1384,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,1389,entity.target.,"""name"": ""entity.target.type""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3009,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3014,host.target.,"""name"": ""host.target.boot.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3019,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3024,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3029,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3034,host.target.,"""name"": ""host.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3039,host.target.,"""name"": ""host.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3044,host.target.,"""name"": ""host.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3049,host.target.,"""name"": ""host.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3054,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3059,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3064,host.target.,"""name"": ""host.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3069,host.target.,"""name"": ""host.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3074,host.target.,"""name"": ""host.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3079,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3084,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3089,host.target.,"""name"": ""host.target.geo.city_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3094,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3099,host.target.,"""name"": ""host.target.geo.continent_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3104,host.target.,"""name"": ""host.target.geo.country_iso_code""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3109,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3114,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3119,host.target.,"""name"": ""host.target.geo.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3124,host.target.,"""name"": ""host.target.geo.postal_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3129,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3134,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3139,host.target.,"""name"": ""host.target.geo.timezone""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3144,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3149,host.target.,"""name"": ""host.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3154,host.target.,"""name"": ""host.target.ip""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3159,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3164,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3169,host.target.,"""name"": ""host.target.network.egress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3174,host.target.,"""name"": ""host.target.network.egress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3179,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3184,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3189,host.target.,"""name"": ""host.target.os.family""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3194,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3199,host.target.,"""name"": ""host.target.os.full.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3204,host.target.,"""name"": ""host.target.os.kernel""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3209,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3214,host.target.,"""name"": ""host.target.os.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3219,host.target.,"""name"": ""host.target.os.platform""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3224,host.target.,"""name"": ""host.target.os.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3229,host.target.,"""name"": ""host.target.os.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3234,host.target.,"""name"": ""host.target.pid_ns_ino""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3239,host.target.,"""name"": ""host.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3244,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3249,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3254,host.target.,"""name"": ""host.target.risk.static_level""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3259,host.target.,"""name"": ""host.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3264,host.target.,"""name"": ""host.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3269,host.target.,"""name"": ""host.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3274,host.target.,"""name"": ""host.target.uptime""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6309,service.target.,"""name"": ""service.target.address""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6314,service.target.,"""name"": ""service.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6319,service.target.,"""name"": ""service.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6324,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6329,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6334,service.target.,"""name"": ""service.target.entity.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6339,service.target.,"""name"": ""service.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6344,service.target.,"""name"": ""service.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6349,service.target.,"""name"": ""service.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6354,service.target.,"""name"": ""service.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6359,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6364,service.target.,"""name"": ""service.target.environment""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6369,service.target.,"""name"": ""service.target.ephemeral_id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6374,service.target.,"""name"": ""service.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6379,service.target.,"""name"": ""service.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6384,service.target.,"""name"": ""service.target.node.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6389,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6394,service.target.,"""name"": ""service.target.node.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6399,service.target.,"""name"": ""service.target.state""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6404,service.target.,"""name"": ""service.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6409,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8589,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8594,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8599,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8604,user.target.,"""name"": ""user.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8609,user.target.,"""name"": ""user.target.entity.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8614,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8619,user.target.,"""name"": ""user.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8624,user.target.,"""name"": ""user.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8629,user.target.,"""name"": ""user.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8634,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8639,user.target.,"""name"": ""user.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8644,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8649,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8654,user.target.,"""name"": ""user.target.full_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8659,user.target.,"""name"": ""user.target.group.domain""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8664,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8669,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8674,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8679,user.target.,"""name"": ""user.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8684,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8689,user.target.,"""name"": ""user.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8694,user.target.,"""name"": ""user.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8699,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8704,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8709,user.target.,"""name"": ""user.target.risk.static_level""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8714,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8719,user.target.,"""name"": ""user.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8724,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,1344,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,1349,entity.target.,"""name"": ""entity.target.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,1354,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,1359,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,1364,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,1369,entity.target.,"""name"": ""entity.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,1374,entity.target.,"""name"": ""entity.target.reference""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,1379,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,1384,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,1389,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3009,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3014,host.target.,"""name"": ""host.target.boot.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3019,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3024,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3029,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3034,host.target.,"""name"": ""host.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3039,host.target.,"""name"": ""host.target.entity.display_name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3044,host.target.,"""name"": ""host.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3049,host.target.,"""name"": ""host.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3054,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3059,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3064,host.target.,"""name"": ""host.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3069,host.target.,"""name"": ""host.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3074,host.target.,"""name"": ""host.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3079,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3084,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3089,host.target.,"""name"": ""host.target.geo.city_name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3094,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3099,host.target.,"""name"": ""host.target.geo.continent_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3104,host.target.,"""name"": ""host.target.geo.country_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3109,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3114,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3119,host.target.,"""name"": ""host.target.geo.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3124,host.target.,"""name"": ""host.target.geo.postal_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3129,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3134,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3139,host.target.,"""name"": ""host.target.geo.timezone""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3144,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3149,host.target.,"""name"": ""host.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3154,host.target.,"""name"": ""host.target.ip""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3159,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3164,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3169,host.target.,"""name"": ""host.target.network.egress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3174,host.target.,"""name"": ""host.target.network.egress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3179,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3184,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3189,host.target.,"""name"": ""host.target.os.family""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3194,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3199,host.target.,"""name"": ""host.target.os.full.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3204,host.target.,"""name"": ""host.target.os.kernel""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3209,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3214,host.target.,"""name"": ""host.target.os.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3219,host.target.,"""name"": ""host.target.os.platform""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3224,host.target.,"""name"": ""host.target.os.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3229,host.target.,"""name"": ""host.target.os.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3234,host.target.,"""name"": ""host.target.pid_ns_ino""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3239,host.target.,"""name"": ""host.target.risk.calculated_level""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3244,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3249,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3254,host.target.,"""name"": ""host.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3259,host.target.,"""name"": ""host.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3264,host.target.,"""name"": ""host.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3269,host.target.,"""name"": ""host.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3274,host.target.,"""name"": ""host.target.uptime""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6309,service.target.,"""name"": ""service.target.address""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6314,service.target.,"""name"": ""service.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6319,service.target.,"""name"": ""service.target.entity.display_name.text""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6324,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6329,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6334,service.target.,"""name"": ""service.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6339,service.target.,"""name"": ""service.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6344,service.target.,"""name"": ""service.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6349,service.target.,"""name"": ""service.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6354,service.target.,"""name"": ""service.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6359,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6364,service.target.,"""name"": ""service.target.environment""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6369,service.target.,"""name"": ""service.target.ephemeral_id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6374,service.target.,"""name"": ""service.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6379,service.target.,"""name"": ""service.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6384,service.target.,"""name"": ""service.target.node.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6389,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6394,service.target.,"""name"": ""service.target.node.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6399,service.target.,"""name"": ""service.target.state""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6404,service.target.,"""name"": ""service.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6409,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8589,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8594,user.target.,"""name"": ""user.target.email""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8599,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8604,user.target.,"""name"": ""user.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8609,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8614,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8619,user.target.,"""name"": ""user.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8624,user.target.,"""name"": ""user.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8629,user.target.,"""name"": ""user.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8634,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8639,user.target.,"""name"": ""user.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8644,user.target.,"""name"": ""user.target.entity.type""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8649,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8654,user.target.,"""name"": ""user.target.full_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8659,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8664,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8669,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8674,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8679,user.target.,"""name"": ""user.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8684,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8689,user.target.,"""name"": ""user.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8694,user.target.,"""name"": ""user.target.risk.calculated_level""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8699,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8704,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8709,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8714,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8719,user.target.,"""name"": ""user.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8724,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,1344,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,1349,entity.target.,"""name"": ""entity.target.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,1354,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,1359,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,1364,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,1369,entity.target.,"""name"": ""entity.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,1374,entity.target.,"""name"": ""entity.target.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,1379,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,1384,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,1389,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3009,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3014,host.target.,"""name"": ""host.target.boot.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3019,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3024,host.target.,"""name"": ""host.target.disk.read.bytes""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3029,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3034,host.target.,"""name"": ""host.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3039,host.target.,"""name"": ""host.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3044,host.target.,"""name"": ""host.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3049,host.target.,"""name"": ""host.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3054,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3059,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3064,host.target.,"""name"": ""host.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3069,host.target.,"""name"": ""host.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3074,host.target.,"""name"": ""host.target.entity.source""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3079,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3084,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3089,host.target.,"""name"": ""host.target.geo.city_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3094,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3099,host.target.,"""name"": ""host.target.geo.continent_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3104,host.target.,"""name"": ""host.target.geo.country_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3109,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3114,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3119,host.target.,"""name"": ""host.target.geo.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3124,host.target.,"""name"": ""host.target.geo.postal_code""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3129,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3134,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3139,host.target.,"""name"": ""host.target.geo.timezone""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3144,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3149,host.target.,"""name"": ""host.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3154,host.target.,"""name"": ""host.target.ip""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3159,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3164,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3169,host.target.,"""name"": ""host.target.network.egress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3174,host.target.,"""name"": ""host.target.network.egress.packets""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3179,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3184,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3189,host.target.,"""name"": ""host.target.os.family""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3194,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3199,host.target.,"""name"": ""host.target.os.full.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3204,host.target.,"""name"": ""host.target.os.kernel""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3209,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3214,host.target.,"""name"": ""host.target.os.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3219,host.target.,"""name"": ""host.target.os.platform""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3224,host.target.,"""name"": ""host.target.os.type""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3229,host.target.,"""name"": ""host.target.os.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3234,host.target.,"""name"": ""host.target.pid_ns_ino""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3239,host.target.,"""name"": ""host.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3244,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3249,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3254,host.target.,"""name"": ""host.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3259,host.target.,"""name"": ""host.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3264,host.target.,"""name"": ""host.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3269,host.target.,"""name"": ""host.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3274,host.target.,"""name"": ""host.target.uptime""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6309,service.target.,"""name"": ""service.target.address""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6314,service.target.,"""name"": ""service.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6319,service.target.,"""name"": ""service.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6324,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6329,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6334,service.target.,"""name"": ""service.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6339,service.target.,"""name"": ""service.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6344,service.target.,"""name"": ""service.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6349,service.target.,"""name"": ""service.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6354,service.target.,"""name"": ""service.target.entity.sub_type""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6359,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6364,service.target.,"""name"": ""service.target.environment""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6369,service.target.,"""name"": ""service.target.ephemeral_id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6374,service.target.,"""name"": ""service.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6379,service.target.,"""name"": ""service.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6384,service.target.,"""name"": ""service.target.node.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6389,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6394,service.target.,"""name"": ""service.target.node.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6399,service.target.,"""name"": ""service.target.state""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6404,service.target.,"""name"": ""service.target.type""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6409,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8589,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8594,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8599,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8604,user.target.,"""name"": ""user.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8609,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8614,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8619,user.target.,"""name"": ""user.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8624,user.target.,"""name"": ""user.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8629,user.target.,"""name"": ""user.target.entity.reference""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8634,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8639,user.target.,"""name"": ""user.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8644,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8649,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8654,user.target.,"""name"": ""user.target.full_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8659,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8664,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8669,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8674,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8679,user.target.,"""name"": ""user.target.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8684,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8689,user.target.,"""name"": ""user.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8694,user.target.,"""name"": ""user.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8699,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8704,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8709,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8714,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8719,user.target.,"""name"": ""user.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8724,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_107.json,6,entity.target.,"""description"": ""Detects when an AWS Identity and Access Management (IAM) customer-managed policy is 
attached to a role by an unusual or unauthorized user. Customer-managed policies are policies created and controlled within an AWS accoun..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_107.json,23,entity.target.,"""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_107.json,37,entity.target.,"""entity.target.id""" +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_107.json,39,entity.target.,"""note"": ""## Triage and analysis\n\n### Investigating AWS IAM Customer-Managed Policy Attached to Role by Rare User\n\nThis rule detects when a customer-managed IAM policy is attached to a role by an unusual or unauthorized user. This act..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_108.json,6,entity.target.,"""description"": ""Detects when an AWS Identity and Access Management (IAM) customer-managed policy is attached to a role by an unusual or unauthorized user. Customer-managed policies are policies created and controlled within an AWS accoun..." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_108.json,23,entity.target.,"""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_108.json,37,entity.target.,"""entity.target.id""" +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_108.json,39,entity.target.,"""note"": ""## Triage and analysis\n\n### Investigating AWS IAM Customer-Managed Policy Attached to Role by Rare User\n\nThis rule detects when a customer-managed IAM policy is attached to a role by an unusual or unauthorized user. This act..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_109.json,6,entity.target.,"""description"": ""Detects when an AWS Identity and Access Management (IAM) customer-managed policy is attached to a role by an unusual or unauthorized user. Customer-managed policies are policies created and controlled within an AWS accoun..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_109.json,23,entity.target.,"""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_109.json,37,entity.target.,"""entity.target.id""" +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_109.json,39,entity.target.,"""note"": ""## Triage and analysis\n\n### Investigating AWS IAM Customer-Managed Policy Attached to Role by Rare User\n\nThis rule detects when a customer-managed IAM policy is attached to a role by an unusual or unauthorized user. This act..." 
+B,sysmon_linux,log,packages/sysmon_linux/data_stream/log/fields/ecs.yml,225,user.target.,name: user.target.group.domain +B,sysmon_linux,log,packages/sysmon_linux/data_stream/log/fields/ecs.yml,227,user.target.,name: user.target.group.id +B,sysmon_linux,log,packages/sysmon_linux/data_stream/log/fields/ecs.yml,229,user.target.,name: user.target.group.name +B,sysmon_linux,log,packages/sysmon_linux/data_stream/log/fields/ecs.yml,231,user.target.,name: user.target.name +A,tenable_io,audit,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,317,user.target.,field: user.target.id +A,tenable_io,audit,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,329,user.target.,field: user.target.name +A,tenable_io,audit,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,335,user.target.,field: user.target.name +A,tenable_io,audit,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,336,user.target.,target_field: user.target.email +A,tenable_io,audit,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,338,user.target.,"if: ctx.user?.target?.name != null && ctx.user.target.name.indexOf(""@"") > 0" +A,tenable_io,audit,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,340,user.target.,field: user.target.email +A,tenable_io,audit,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,341,user.target.,pattern: '%{user.target.name}@%{user.target.domain}' +A,tenable_io,audit,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,349,user.target.,value: '{{{user.target.name}}}' +A,tenable_io,audit,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,355,user.target.,value: '{{{user.target.email}}}' 
+A,trend_micro_vision_one,endpoint_activity,packages/trend_micro_vision_one/data_stream/endpoint_activity/elasticsearch/ingest_pipeline/default.yml,1150,user.target.,field: user.target.name +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,167,user.target.,field: user.target.name +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,168,user.target.,target_field: user.target.email +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,172,user.target.,field: user.target.email +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,173,user.target.,pattern: '%{user.target.name}@%{user.target.domain}' +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,180,user.target.,"value: ""{{{user.target.name}}}""" +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,186,user.target.,"value: ""{{{user.target.email}}}""" +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-detection.yml,174,user.target.,field: user.target.name +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-lockdown.yml,63,user.target.,field: user.target.name +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-lockdown.yml,78,user.target.,field: user.target.id +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-scoring.yml,44,user.target.,field: user.target.id +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-scoring.yml,49,user.target.,value: '{{{user.target.id}}}' 
+A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-scoring.yml,87,user.target.,field: user.target.name +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-host-detection.yml,286,user.target.,field: user.target.name +C,vectra_detect,,packages/vectra_detect/kibana/dashboard/vectra_detect-74869ba0-bcb3-11ed-837c-8b9d01cca76e.json,203,user.target.,"""sourceField"": ""user.target.name""" +C,vectra_detect,,packages/vectra_detect/kibana/dashboard/vectra_detect-74869ba0-bcb3-11ed-837c-8b9d01cca76e.json,225,user.target.,"""sourceField"": ""user.target.id""" +C,vectra_detect,,packages/vectra_detect/kibana/dashboard/vectra_detect-ce341d40-b91f-11ed-a75d-1d76b4fe7223.json,121,user.target.,"""sourceField"": ""user.target.id""" +C,vectra_detect,,packages/vectra_detect/kibana/dashboard/vectra_detect-d517be50-bcbc-11ed-837c-8b9d01cca76e.json,204,user.target.,"""sourceField"": ""user.target.name""" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3229,user.target.,//TargetUserSid to user.id or user.target.id +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3242,user.target.,"ctx.user.target.put(""id"", targetUserId);" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3246,user.target.,//TargetUserName to related.user and user.name or user.target.name +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3260,user.target.,"ctx.user.target.put(""name"", tun[0]);" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3274,user.target.,//TargetUserDomain to user.domain or user.target.domain 
+A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3287,user.target.,"ctx.user.target.put(""domain"", ctx.winlog.event_data.TargetDomainName);" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3330,user.target.,"ctx.user.target.put(""name"", memberName);" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3336,user.target.,"ctx.user.target.put(""domain"", domain);" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3371,user.target.,"ctx.user.target.put(""group"", hm);" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3374,user.target.,"ctx.user.target.group.put(""id"", ctx.group.id);" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3377,user.target.,"ctx.user.target.group.put(""name"", ctx.group.name);" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3380,user.target.,"ctx.user.target.group.put(""domain"", ctx.group.domain);" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3494,user.target.,"if (userId != null && userId != """" && userId != ""-"") ctx.user.target.id = userId;" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3497,user.target.,ctx.user.target.name = userName; +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3500,user.target.,ctx.user.target.name = parts[0]; +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3506,user.target.,if 
(!ctx.related.user.contains(ctx.user.target.name)) { +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3507,user.target.,ctx.related.user.add(ctx.user.target.name); +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3511,user.target.,"if (userDomain != null && userDomain != """" && userDomain != ""-"") ctx.user.target.domain = userDomain;" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3512,user.target.,"if (ctx.user?.target != null && ctx.user.target.size() == 0) ctx.user.remove(""target"");" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3928,user.target.,field: user.target.name +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3963,user.target.,"description: Parse ObjectDN for event 5136 to set user.target.name, group.name based on ObjectClass" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3996,user.target.,"ctx.user.target.put(""name"", cnValue);" +B,windows,forwarded,packages/windows/data_stream/forwarded/fields/ecs.yml,281,user.target.,name: user.target.group.domain +B,windows,forwarded,packages/windows/data_stream/forwarded/fields/ecs.yml,283,user.target.,name: user.target.group.id +B,windows,forwarded,packages/windows/data_stream/forwarded/fields/ecs.yml,285,user.target.,name: user.target.group.name +B,windows,forwarded,packages/windows/data_stream/forwarded/fields/ecs.yml,287,user.target.,name: user.target.name +B,windows,sysmon_operational,packages/windows/data_stream/sysmon_operational/fields/ecs.yml,239,user.target.,name: user.target.group.domain +B,windows,sysmon_operational,packages/windows/data_stream/sysmon_operational/fields/ecs.yml,241,user.target.,name: 
user.target.group.id +B,windows,sysmon_operational,packages/windows/data_stream/sysmon_operational/fields/ecs.yml,243,user.target.,name: user.target.group.name +B,windows,sysmon_operational,packages/windows/data_stream/sysmon_operational/fields/ecs.yml,245,user.target.,name: user.target.name +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,50,user.target.,field: user.target.id +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,54,user.target.,field: user.target.email +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,62,user.target.,field: user.target.id +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,66,user.target.,field: user.target.email +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,70,user.target.,field: user.target.full_name +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,74,user.target.,field: user.target.name +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,108,user.target.,"value: ""{{{user.target.id}}}""" +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,117,user.target.,# set user.target.* from old_values +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,120,user.target.,field: user.target.id +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,124,user.target.,field: user.target.id +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,128,user.target.,field: user.target.email +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,132,user.target.,field: user.target.email 
+A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,136,user.target.,field: user.target.full_name +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,141,user.target.,# set user.target.* from user.* without overriding old_values. +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,145,user.target.,field: user.target.id +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,151,user.target.,field: user.target.id +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,157,user.target.,field: user.target.email +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,163,user.target.,field: user.target.email +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,169,user.target.,field: user.target.full_name +A,zscaler_zpa,audit,packages/zscaler_zpa/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,231,user.target.,ctx.user.target.roles = new ArrayList(); +A,zscaler_zpa,audit,packages/zscaler_zpa/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,233,user.target.,ctx.user.target.email = valuesMap?.email; +A,zscaler_zpa,audit,packages/zscaler_zpa/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,235,user.target.,ctx.user.target.roles.add(roles[i].name); +A,zscaler_zpa,audit,packages/zscaler_zpa/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,263,user.target.,ctx.user.target.id = valuesMap?.id; +A,zscaler_zpa,audit,packages/zscaler_zpa/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,264,user.target.,ctx.user.target.email = valuesMap?.email; +A,zscaler_zpa,audit,packages/zscaler_zpa/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,265,user.target.,ctx.user.target.name = valuesMap?.name; 
diff --git a/dev/target-fields-audit/out/security/target_fields_audit_summary.md b/dev/target-fields-audit/out/security/target_fields_audit_summary.md
new file mode 100644
index 00000000000..859164d5cae
--- /dev/null
+++ b/dev/target-fields-audit/out/security/target_fields_audit_summary.md
@@ -0,0 +1,102 @@
+# ECS `*.target.*` audit summary
+
+- **git HEAD:** `d43ff234d21161ef4cbbc25d56415e4aa72680d9`
+- **generated (UTC):** 2026-05-14T09:24:15Z
+- **integration packages scanned:** 273
+- **evidence rows (matches):** 1793
+
+- **filter:** Only integrations whose root `packages//manifest.yml` includes the `security` category (Elastic catalog tag).
+
+Prefixes scanned: `host.target.`, `user.target.`, `service.target.`, `entity.target.`
+
+## Confidence labels
+
+| Label | Meaning |
+| --- | --- |
+| **high** | At least one hit under **Tier A** (ingest pipeline YAML). Strongest signal that documents may receive these fields at ingest. |
+| **medium** | Hits only under **Tier B** (field YAML). Declared schema; not proof the pipeline populates it. |
+| **low** | Hits only under **Tier C** (Kibana JSON). Saved objects referencing field names; not ingest. |
+
+If a package has multiple tiers, the label reflects the **strongest** tier present.
+
+## Unique packages by tier and prefix
+
+### Tier A — Pipeline
+
+| matched_prefix | unique_packages |
+| --- | --- |
+| host.target. | 2 |
+| user.target. | 27 |
+| service.target. | 3 |
+| entity.target. | 2 |
+
+### Tier B — Fields
+
+| matched_prefix | unique_packages |
+| --- | --- |
+| host.target. | 3 |
+| user.target. | 11 |
+| service.target. | 4 |
+| entity.target. | 2 |
+
+### Tier C — Kibana JSON
+
+| matched_prefix | unique_packages |
+| --- | --- |
+| host.target. | 1 |
+| user.target. | 7 |
+| service.target. | 1 |
+| entity.target. | 1 |
+
+## Tier A — unique (package, data_stream) pairs
+
+35
+
+## Integrations with hits — full list
+
+Every package under `packages/` that produced at least one evidence row, sorted by package name.
+
+| package | confidence | tiers | rows_A | rows_B | rows_C | prefixes_seen |
+| --- | --- | --- | --- | --- | --- | --- |
+| amazon_security_lake | high | A+C | 14 | 0 | 3 | user.target |
+| atlassian_bitbucket | high | A | 7 | 0 | 0 | user.target |
+| atlassian_confluence | high | A | 16 | 0 | 0 | user.target |
+| atlassian_jira | high | A | 10 | 0 | 0 | user.target |
+| auditd | medium | B | 0 | 4 | 0 | user.target |
+| auditd_manager | medium | B | 0 | 4 | 0 | user.target |
+| aws | high | A+B | 6 | 4 | 0 | host.target, user.target, service.target, entity.target |
+| box_events | high | A | 9 | 0 | 0 | user.target |
+| canva | high | A+C | 6 | 0 | 1 | user.target |
+| cisco_duo | high | A | 1 | 0 | 0 | user.target |
+| crowdstrike | high | A | 7 | 0 | 0 | user.target |
+| cyberarkpas | high | A | 14 | 0 | 0 | user.target |
+| fim | medium | B | 0 | 4 | 0 | user.target |
+| gcp | high | A+B | 5 | 4 | 0 | host.target, user.target, service.target, entity.target |
+| github | high | A+C | 8 | 0 | 9 | user.target |
+| google_workspace | high | A | 27 | 0 | 0 | user.target |
+| hid_bravura_monitor | medium | B | 0 | 4 | 0 | user.target |
+| hpe_aruba_cx | high | A+B | 1 | 1 | 0 | service.target |
+| keycloak | high | A | 2 | 0 | 0 | user.target |
+| mattermost | high | A+C | 13 | 0 | 1 | user.target |
+| microsoft_sqlserver | high | A | 2 | 0 | 0 | user.target |
+| mysql_enterprise | high | A+B | 2 | 2 | 0 | user.target |
+| netskope | high | A | 1 | 0 | 0 | user.target |
+| o365 | high | A | 11 | 0 | 0 | user.target |
+| okta | high | A | 6 | 0 | 0 | user.target |
+| osquery_manager | medium | B | 0 | 19 | 0 | host.target, user.target, service.target |
+| pad | low | C | 0 | 0 | 11 | user.target |
+| qnap_nas | high | A+B | 1 | 1 | 0 | user.target |
+| security_detection_engine | low | C | 0 | 0 | 1466 | host.target, user.target, service.target, entity.target |
+| sysmon_linux | medium | B | 0 | 4 | 0 | user.target |
+| tenable_io | high | A | 9 | 0 | 0 | user.target |
+| trend_micro_vision_one | high | A | 1 | 0 | 0 | user.target |
+| vectra_detect | high | A+C | 13 | 0 | 4 | user.target |
+| windows | high | A+B | 22 | 8 | 0 | user.target |
+| zoom | high | A | 19 | 0 | 0 | user.target |
+| zscaler_zpa | high | A | 6 | 0 | 0 | user.target |
+
+## Totals
+
+- **integration packages scanned:** 273
+- **unique packages with any hit:** 36
+- **unique packages with Tier A hit:** 28
diff --git a/dev/target-fields-audit/out/security/vendor_target_special_cases.csv b/dev/target-fields-audit/out/security/vendor_target_special_cases.csv
new file mode 100644
index 00000000000..d6e937c9656
--- /dev/null
+++ b/dev/target-fields-audit/out/security/vendor_target_special_cases.csv
@@ -0,0 +1,1643 @@
+package,data_stream,source,file,line,field_path,namespace_class,suggest_bucket
+1password,signin_attempts,ingest_pipeline,packages/1password/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml,103,onepassword.target_user.email,other_vendor_or_nested,likely_user_target_or_entity
+1password,signin_attempts,ingest_pipeline,packages/1password/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml,95,onepassword.target_user.name,other_vendor_or_nested,likely_user_target_or_entity
+1password,signin_attempts,ingest_pipeline,packages/1password/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml,91,onepassword.target_user.uuid,other_vendor_or_nested,likely_user_target_or_entity
+airlock_digital,agent,ingest_pipeline,packages/airlock_digital/data_stream/agent/elasticsearch/ingest_pipeline/default.yml,533,airlock_digital.agent.poilcy_details.targetvers,vendor_root,entity_target_generic
+airlock_digital,agent,fields_yml_nested,packages/airlock_digital/data_stream/agent/fields/fields.yml,152,airlock_digital.agent.poilcy_details.targetvers,vendor_root,entity_target_generic
+airlock_digital,agent,ingest_pipeline,packages/airlock_digital/data_stream/agent/elasticsearch/ingest_pipeline/default.yml,531,json.policy_details.targetvers,other_vendor_or_nested,entity_target_generic
+airlock_digital,agent,expected_json,packages/airlock_digital/data_stream/agent/_dev/test/pipeline/test-agent.log-expected.json,0,targetvers,other_vendor_or_nested,entity_target_generic
+amazon_security_lake,event,expected_json,packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+amazon_security_lake,event,expected_json,packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-iam.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,159,user.target.domain,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,6,user.target.domain,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,164,user.target.email,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,11,user.target.email,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,175,user.target.full_name,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,22,user.target.full_name,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,191,user.target.group.id,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,38,user.target.group.id,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,201,user.target.group.name,ecs_top_level,likely_user_target_or_entity 
+amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,48,user.target.group.name,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,206,user.target.id,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,53,user.target.id,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,217,user.target.name,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,64,user.target.name,ecs_top_level,likely_user_target_or_entity +atlassian_bitbucket,audit,expected_json,packages/atlassian_bitbucket/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +atlassian_bitbucket,audit,expected_json,packages/atlassian_bitbucket/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +atlassian_confluence,audit,expected_json,packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-cloud.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +atlassian_confluence,audit,expected_json,packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+atlassian_jira,audit,expected_json,packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +atlassian_jira,audit,expected_json,packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-cloud.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +atlassian_jira,audit,expected_json,packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +auditd,log,expected_json,packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-raw.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +auditd,log,expected_json,packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-useradd.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +auditd_manager,auditd,expected_json,packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-centos7-events.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +auditd_manager,auditd,expected_json,packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-passwd-events.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +auditd_manager,auditd,expected_json,packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-useradd-events.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +auditd_manager,auditd,fields_yml_flat,packages/auditd_manager/data_stream/auditd/fields/ecs.yml,81,user.target.group.id,ecs_top_level,likely_user_target_or_entity +auditd_manager,auditd,fields_yml_flat,packages/auditd_manager/data_stream/auditd/fields/ecs.yml,83,user.target.group.name,ecs_top_level,likely_user_target_or_entity +auditd_manager,auditd,fields_yml_flat,packages/auditd_manager/data_stream/auditd/fields/ecs.yml,73,user.target.id,ecs_top_level,likely_user_target_or_entity 
+auditd_manager,auditd,fields_yml_flat,packages/auditd_manager/data_stream/auditd/fields/ecs.yml,75,user.target.name,ecs_top_level,likely_user_target_or_entity +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-target-json.log-expected.json,0,CreateTrafficMirrorTargetRequest,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-target-json.log-expected.json,0,CreateTrafficMirrorTargetResponse,other_vendor_or_nested,entity_target_generic +aws,elb_metrics,fields_yml_flat,packages/aws/data_stream/elb_metrics/fields/fields.yml,227,TCP_Target_Reset_Count.sum,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-logging-json.log-expected.json,0,TargetBucket,other_vendor_or_nested,likely_service_target_or_entity +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-logging-json.log-expected.json,0,TargetPrefix,other_vendor_or_nested,entity_target_generic +aws,elb_metrics,fields_yml_flat,packages/aws/data_stream/elb_metrics/fields/fields.yml,164,TargetResponseTime.avg,other_vendor_or_nested,entity_target_generic +aws,elb_metrics,fields_yml_flat,packages/aws/data_stream/elb_metrics/fields/fields.yml,215,TargetTLSNegotiationErrorCount.sum,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-session-request-json.log-expected.json,0,TrafficMirrorTargetId,other_vendor_or_nested,entity_target_generic +aws,elb_logs,ingest_pipeline,packages/aws/data_stream/elb_logs/elasticsearch/ingest_pipeline/default.yml,175,_tmp.target_port,other_vendor_or_nested,entity_target_generic 
+aws,elb_logs,ingest_pipeline,packages/aws/data_stream/elb_logs/elasticsearch/ingest_pipeline/default.yml,180,_tmp.target_status_code,other_vendor_or_nested,entity_target_generic +aws,elb_metrics,fields_yml_nested,packages/aws/data_stream/elb_metrics/fields/fields.yml,254,aws.dimensions.TargetGroup,vendor_root,entity_target_generic +aws,elb_logs,ingest_pipeline,packages/aws/data_stream/elb_logs/elasticsearch/ingest_pipeline/default.yml,176,aws.elb.target_port,vendor_root,entity_target_generic +aws,elb_logs,ingest_pipeline,packages/aws/data_stream/elb_logs/elasticsearch/ingest_pipeline/default.yml,181,aws.elb.target_status_code,vendor_root,entity_target_generic +aws,guardduty,ingest_pipeline,packages/aws/data_stream/guardduty/elasticsearch/ingest_pipeline/default.yml,1917,aws.guardduty.service.runtime_details.context.mount_target,vendor_root,likely_service_target_or_entity +aws,guardduty,ingest_pipeline,packages/aws/data_stream/guardduty/elasticsearch/ingest_pipeline/default.yml,1945,aws.guardduty.service.runtime_details.context.target_process,vendor_root,likely_service_target_or_entity +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log-expected.json,0,backupTarget,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-db-instance-json.log-expected.json,0,backupTarget,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-instance-json.log-expected.json,0,backupTarget,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-restore-db-instnace-from-s3-json.log-expected.json,0,backupTarget,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-restore-db-instnace-from-snapshot-json.log-expected.json,0,backupTarget,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-db-instance-json.log-expected.json,0,backupTarget,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,275,entity.target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,278,entity.target.id,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,260,host.target,ecs_top_level,likely_host_target_or_entity +aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,263,host.target.entity,ecs_top_level,likely_host_target_or_entity +aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,266,host.target.entity.id,ecs_top_level,likely_host_target_or_entity +aws,guardduty,ingest_pipeline,packages/aws/data_stream/guardduty/elasticsearch/ingest_pipeline/default.yml,1916,json.service.runtimeDetails.context.mountTarget,other_vendor_or_nested,likely_service_target_or_entity +aws,guardduty,ingest_pipeline,packages/aws/data_stream/guardduty/elasticsearch/ingest_pipeline/default.yml,1944,json.service.runtimeDetails.context.targetProcess,other_vendor_or_nested,likely_service_target_or_entity +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-mount-target-json.log-expected.json,0,mountTargetId,other_vendor_or_nested,entity_target_generic +aws,guardduty,expected_json,packages/aws/data_stream/guardduty/_dev/test/pipeline/test-guardduty.log-expected.json,0,mount_target,other_vendor_or_nested,entity_target_generic 
+aws,guardduty,fields_yml_nested,packages/aws/data_stream/guardduty/fields/fields.yml,1089,service.runtime_details.context.mount_target,other_vendor_or_nested,likely_service_target_or_entity +aws,guardduty,fields_yml_nested,packages/aws/data_stream/guardduty/fields/fields.yml,1110,service.runtime_details.context.target_process,other_vendor_or_nested,likely_service_target_or_entity +aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,242,service.target,other_vendor_or_nested,likely_service_target_or_entity +aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,245,service.target.entity,other_vendor_or_nested,likely_service_target_or_entity +aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,248,service.target.entity.id,other_vendor_or_nested,likely_service_target_or_entity +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-permission-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-group-policy-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-role-policy-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-policy-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-role-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-egress-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-ingress-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-batch-get-secret-value-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-converse-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-copy-object-json-minimal.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-copy-object-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-control-channel-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-detector-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-document-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-policy-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-stack-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-stack-set-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-topic-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-filter-response-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-filter-rule-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-session-request-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-target-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trust-anchor-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-alarms-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-db-cluster-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-db-instance-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-detector-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-file-system-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-flow-log-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-global-cluster-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-log-group-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-log-stream-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-mount-target-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-network-acl-entry-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-network-acl-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-resolver-query-log-config-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-rule-group-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-rule-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-web-acl-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-disable-key-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-bucket-policy-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-caller-identity-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-parameter-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-parameters-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-password-data-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-policy-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-secret-value-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-list-attached-role-policies-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-cluster-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-cluster-snapshot-attribute-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-instance-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-snapshot-attributte-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-image-attribute-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-snapshot-attribute-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-open-control-channel-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-publish-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-logging-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-replication-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-versioning-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-object-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-remove-user-from-group-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-restore-db-instnace-from-s3-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-restore-db-instnace-from-snapshot-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-schedule-key-deletion-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-all-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-targets-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-serial-console-ssh-public-key-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-ssh-public-key-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-session-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-configuration-recorder.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-db-cluster-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-db-instance-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-subscribe-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-terminate-session-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-assume-role-policy-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json-flattened.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json-keyword.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,200,target.entity,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,203,target.entity.id,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-all-json.log-expected.json,0,targetCount,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-targets-json.log-expected.json,0,targetCount,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-open-control-channel-json.log-expected.json,0,targetId,other_vendor_or_nested,entity_target_generic +aws,elb_logs,expected_json,packages/aws/data_stream/elb_logs/_dev/test/pipeline/test-alb.log-expected.json,0,target_group,other_vendor_or_nested,entity_target_generic +aws,elb_logs,fields_yml_flat,packages/aws/data_stream/elb_logs/fields/fields.yml,12,target_group.arn,other_vendor_or_nested,entity_target_generic +aws,elb_logs,expected_json,packages/aws/data_stream/elb_logs/_dev/test/pipeline/test-alb.log-expected.json,0,target_port,other_vendor_or_nested,entity_target_generic +aws,guardduty,expected_json,packages/aws/data_stream/guardduty/_dev/test/pipeline/test-guardduty.log-expected.json,0,target_process,other_vendor_or_nested,entity_target_generic +aws,elb_logs,expected_json,packages/aws/data_stream/elb_logs/_dev/test/pipeline/test-alb.log-expected.json,0,target_status_code,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-targets-json.log-expected.json,0,targets,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-target-json.log-expected.json,0,trafficMirrorTarget,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-session-request-json.log-expected.json,0,trafficMirrorTargetId,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-target-json.log-expected.json,0,trafficMirrorTargetId,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,224,user.target,ecs_top_level,likely_user_target_or_entity +aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,227,user.target.entity,ecs_top_level,likely_user_target_or_entity +aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,230,user.target.entity.id,ecs_top_level,likely_user_target_or_entity +aws,cloudtrail,ingest_pipeline,packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml,1934,user.target.id,ecs_top_level,likely_user_target_or_entity +aws,cloudtrail,ingest_pipeline,packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml,1946,user.target.name,ecs_top_level,likely_user_target_or_entity +aws_securityhub,finding,fields_yml_nested,packages/aws_securityhub/data_stream/finding/fields/fields.yml,283,aws_securityhub.finding.anomaly_analyses.analysis_targets,vendor_root,entity_target_generic +aws_securityhub,finding,fields_yml_nested,packages/aws_securityhub/data_stream/finding/fields/fields.yml,286,aws_securityhub.finding.anomaly_analyses.analysis_targets.name,vendor_root,entity_target_generic +aws_securityhub,finding,fields_yml_nested,packages/aws_securityhub/data_stream/finding/fields/fields.yml,289,aws_securityhub.finding.anomaly_analyses.analysis_targets.type,vendor_root,entity_target_generic 
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,280,azure.provisioning.properties.targetIdentity,vendor_root,likely_user_target_or_entity +azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,332,azure.provisioning.properties.targetSystem,vendor_root,entity_target_generic +azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,281,azure.provisioning.properties.target_identity,vendor_root,likely_user_target_or_entity +azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,284,azure.provisioning.properties.target_identity.Id,vendor_root,likely_user_target_or_entity +azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,288,azure.provisioning.properties.target_identity.Name,vendor_root,likely_user_target_or_entity +azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,296,azure.provisioning.properties.target_identity.details.DisplayName,vendor_root,likely_user_target_or_entity +azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,300,azure.provisioning.properties.target_identity.details.UserPrincipalName,vendor_root,likely_user_target_or_entity +azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,297,azure.provisioning.properties.target_identity.details.display_name,vendor_root,likely_user_target_or_entity +azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,301,azure.provisioning.properties.target_identity.details.user_principal_name,vendor_root,likely_user_target_or_entity 
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,285,azure.provisioning.properties.target_identity.id,vendor_root,likely_user_target_or_entity +azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,292,azure.provisioning.properties.target_identity.identityType,vendor_root,likely_user_target_or_entity +azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,293,azure.provisioning.properties.target_identity.identity_type,vendor_root,likely_user_target_or_entity +azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,289,azure.provisioning.properties.target_identity.name,vendor_root,likely_user_target_or_entity +azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,333,azure.provisioning.properties.target_system,vendor_root,entity_target_generic +azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,336,azure.provisioning.properties.target_system.Id,vendor_root,entity_target_generic +azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,340,azure.provisioning.properties.target_system.Name,vendor_root,entity_target_generic +azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,344,azure.provisioning.properties.target_system.details.ApplicationId,vendor_root,likely_service_target_or_entity +azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,348,azure.provisioning.properties.target_system.details.ServicePrincipalDisplayName,vendor_root,likely_user_target_or_entity 
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,352,azure.provisioning.properties.target_system.details.ServicePrincipalId,vendor_root,likely_user_target_or_entity +azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,345,azure.provisioning.properties.target_system.details.application_id,vendor_root,likely_service_target_or_entity +azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,349,azure.provisioning.properties.target_system.details.dervice_principal_display_name,vendor_root,likely_user_target_or_entity +azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,353,azure.provisioning.properties.target_system.details.service_principal_id,vendor_root,likely_user_target_or_entity +azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,337,azure.provisioning.properties.target_system.id,vendor_root,entity_target_generic +azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,341,azure.provisioning.properties.target_system.name,vendor_root,entity_target_generic +azure,firewall_logs,ingest_pipeline,packages/azure/data_stream/firewall_logs/elasticsearch/ingest_pipeline/default.yml,124,json.properties.TargetUrl,other_vendor_or_nested,entity_target_generic +azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,202,properties.target_identity,other_vendor_or_nested,likely_user_target_or_entity +azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,216,properties.target_identity.details,other_vendor_or_nested,likely_user_target_or_entity 
+azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,207,properties.target_identity.id,other_vendor_or_nested,likely_user_target_or_entity +azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,213,properties.target_identity.identity_type,other_vendor_or_nested,likely_user_target_or_entity +azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,210,properties.target_identity.name,other_vendor_or_nested,likely_user_target_or_entity +azure,auditlogs,fields_yml_nested,packages/azure/data_stream/auditlogs/fields/fields.yml,74,properties.target_resources.*,other_vendor_or_nested,entity_target_generic +azure,auditlogs,fields_yml_nested,packages/azure/data_stream/auditlogs/fields/fields.yml,77,properties.target_resources.*.display_name,other_vendor_or_nested,entity_target_generic +azure,auditlogs,fields_yml_nested,packages/azure/data_stream/auditlogs/fields/fields.yml,81,properties.target_resources.*.id,other_vendor_or_nested,entity_target_generic +azure,auditlogs,fields_yml_nested,packages/azure/data_stream/auditlogs/fields/fields.yml,89,properties.target_resources.*.ip_address,other_vendor_or_nested,entity_target_generic +azure,auditlogs,fields_yml_nested,packages/azure/data_stream/auditlogs/fields/fields.yml,97,properties.target_resources.*.modified_properties.*,other_vendor_or_nested,entity_target_generic +azure,auditlogs,fields_yml_nested,packages/azure/data_stream/auditlogs/fields/fields.yml,104,properties.target_resources.*.modified_properties.*.display_name,other_vendor_or_nested,entity_target_generic +azure,auditlogs,fields_yml_nested,packages/azure/data_stream/auditlogs/fields/fields.yml,100,properties.target_resources.*.modified_properties.*.new_value,other_vendor_or_nested,entity_target_generic 
+azure,auditlogs,fields_yml_nested,packages/azure/data_stream/auditlogs/fields/fields.yml,108,properties.target_resources.*.modified_properties.*.old_value,other_vendor_or_nested,entity_target_generic +azure,auditlogs,fields_yml_nested,packages/azure/data_stream/auditlogs/fields/fields.yml,85,properties.target_resources.*.type,other_vendor_or_nested,entity_target_generic +azure,auditlogs,fields_yml_nested,packages/azure/data_stream/auditlogs/fields/fields.yml,93,properties.target_resources.*.user_principal_name,other_vendor_or_nested,likely_user_target_or_entity +azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,219,properties.target_system,other_vendor_or_nested,entity_target_generic +azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,230,properties.target_system.details,other_vendor_or_nested,entity_target_generic +azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,234,properties.target_system.details.application_id,other_vendor_or_nested,likely_service_target_or_entity +azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,238,properties.target_system.details.dervice_principal_display_name,other_vendor_or_nested,likely_user_target_or_entity +azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,236,properties.target_system.details.service_principal_id,other_vendor_or_nested,likely_user_target_or_entity +azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,224,properties.target_system.id,other_vendor_or_nested,entity_target_generic +azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,227,properties.target_system.name,other_vendor_or_nested,entity_target_generic 
+azure,provisioning,expected_json,packages/azure/data_stream/provisioning/_dev/test/pipeline/test-provisioninglogs-raw.log-expected.json,0,target_identity,other_vendor_or_nested,likely_user_target_or_entity +azure,auditlogs,expected_json,packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-audit-logs-duration-as-string.log-expected.json,0,target_resources,other_vendor_or_nested,entity_target_generic +azure,auditlogs,expected_json,packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-audit-logs-edgecases.log-expected.json,0,target_resources,other_vendor_or_nested,entity_target_generic +azure,auditlogs,expected_json,packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-audit-logs-sample.log-expected.json,0,target_resources,other_vendor_or_nested,entity_target_generic +azure,auditlogs,expected_json,packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log-expected.json,0,target_resources,other_vendor_or_nested,entity_target_generic +azure,provisioning,expected_json,packages/azure/data_stream/provisioning/_dev/test/pipeline/test-provisioninglogs-raw.log-expected.json,0,target_system,other_vendor_or_nested,entity_target_generic +azure_network_watcher_vnet,log,ingest_pipeline,packages/azure_network_watcher_vnet/data_stream/log/elasticsearch/ingest_pipeline/default.yml,88,azure_network_watcher_vnet.log.target_resource_id,vendor_root,entity_target_generic +azure_network_watcher_vnet,log,fields_yml_nested,packages/azure_network_watcher_vnet/data_stream/log/fields/fields.yml,109,azure_network_watcher_vnet.log.target_resource_id,vendor_root,entity_target_generic +azure_network_watcher_vnet,log,ingest_pipeline,packages/azure_network_watcher_vnet/data_stream/log/elasticsearch/ingest_pipeline/default.yml,86,json.targetResourceID,other_vendor_or_nested,entity_target_generic 
+azure_network_watcher_vnet,log,expected_json,packages/azure_network_watcher_vnet/data_stream/log/_dev/test/pipeline/test-vnet.log-expected.json,0,target_resource_id,other_vendor_or_nested,entity_target_generic +bbot,asm_intel,fields_yml_flat,packages/bbot/data_stream/asm_intel/fields/fields.yml,502,bbot.data.scan_config.target.blacklist_hash,vendor_root,entity_target_generic +bbot,asm_intel,fields_yml_flat,packages/bbot/data_stream/asm_intel/fields/fields.yml,504,bbot.data.scan_config.target.hash,vendor_root,entity_target_generic +bbot,asm_intel,fields_yml_flat,packages/bbot/data_stream/asm_intel/fields/fields.yml,506,bbot.data.scan_config.target.scope_hash,vendor_root,entity_target_generic +bbot,asm_intel,fields_yml_flat,packages/bbot/data_stream/asm_intel/fields/fields.yml,508,bbot.data.scan_config.target.seed_hash,vendor_root,entity_target_generic +bbot,asm_intel,fields_yml_flat,packages/bbot/data_stream/asm_intel/fields/fields.yml,510,bbot.data.scan_config.target.seeds,vendor_root,entity_target_generic +bbot,asm_intel,fields_yml_flat,packages/bbot/data_stream/asm_intel/fields/fields.yml,512,bbot.data.scan_config.target.strict_scope,vendor_root,entity_target_generic +bbot,asm_intel,fields_yml_flat,packages/bbot/data_stream/asm_intel/fields/fields.yml,514,bbot.data.scan_config.target.whitelist,vendor_root,entity_target_generic +bbot,asm_intel,fields_yml_flat,packages/bbot/data_stream/asm_intel/fields/fields.yml,516,bbot.data.scan_config.target.whitelist_hash,vendor_root,entity_target_generic +bbot,asm_intel,expected_json,packages/bbot/data_stream/asm_intel/_dev/test/pipeline/test-bbot-v2-ndjson.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +bitdefender,push_notifications,fields_yml_nested,packages/bitdefender/data_stream/push_notifications/fields/fields.yml,216,bitdefender.event.targetName,vendor_root,entity_target_generic 
+bitdefender,push_notifications,fields_yml_nested,packages/bitdefender/data_stream/push_notifications/fields/fields.yml,218,bitdefender.event.target_type,vendor_root,entity_target_generic +bitdefender,push_notifications,expected_json,packages/bitdefender/data_stream/push_notifications/_dev/test/pipeline/test-push-notification-jsonrpc.json-expected.json,0,targetName,other_vendor_or_nested,entity_target_generic +bitdefender,push_notifications,expected_json,packages/bitdefender/data_stream/push_notifications/_dev/test/pipeline/test-push-notification.json-expected.json,0,targetName,other_vendor_or_nested,entity_target_generic +bitdefender,push_notifications,expected_json,packages/bitdefender/data_stream/push_notifications/_dev/test/pipeline/test-push-notification-jsonrpc.json-expected.json,0,target_type,other_vendor_or_nested,entity_target_generic +bitdefender,push_notifications,expected_json,packages/bitdefender/data_stream/push_notifications/_dev/test/pipeline/test-push-notification.json-expected.json,0,target_type,other_vendor_or_nested,entity_target_generic +bluecoat,director,fields_yml_nested,packages/bluecoat/data_stream/director/fields/fields.yml,553,rsa.misc.context_target,other_vendor_or_nested,entity_target_generic +bluecoat,director,fields_yml_nested,packages/bluecoat/data_stream/director/fields/fields.yml,893,rsa.misc.cs_targetmodule,other_vendor_or_nested,entity_target_generic +bluecoat,director,fields_yml_nested,packages/bluecoat/data_stream/director/fields/fields.yml,576,rsa.misc.vm_target,other_vendor_or_nested,entity_target_generic +box_events,events,expected_json,packages/box_events/data_stream/events/_dev/test/pipeline/test-invite.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +box_events,events,ingest_pipeline,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,662,user.target.domain,ecs_top_level,likely_user_target_or_entity 
+box_events,events,ingest_pipeline,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,648,user.target.email,ecs_top_level,likely_user_target_or_entity +box_events,events,ingest_pipeline,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,643,user.target.full_name,ecs_top_level,likely_user_target_or_entity +box_events,events,ingest_pipeline,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,667,user.target.id,ecs_top_level,likely_user_target_or_entity +box_events,events,ingest_pipeline,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,658,user.target.name,ecs_top_level,likely_user_target_or_entity +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,825,canva.audit.target.id,vendor_root,entity_target_generic +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,836,canva.audit.target.name,vendor_root,entity_target_generic +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,847,canva.audit.target.organization.id,vendor_root,entity_target_generic +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,852,canva.audit.target.owner.organization.id,vendor_root,entity_target_generic +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,857,canva.audit.target.owner.team.display_name,vendor_root,entity_target_generic +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,862,canva.audit.target.owner.team.id,vendor_root,entity_target_generic +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,867,canva.audit.target.owner.type,vendor_root,entity_target_generic 
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,872,canva.audit.target.owner.user.display_name,vendor_root,likely_user_target_or_entity +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,883,canva.audit.target.owner.user.email,vendor_root,likely_user_target_or_entity +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,894,canva.audit.target.owner.user.id,vendor_root,likely_user_target_or_entity +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,905,canva.audit.target.resource_type,vendor_root,entity_target_generic +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,910,canva.audit.target.target_type,vendor_root,entity_target_generic +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,915,canva.audit.target.team.display_name,vendor_root,entity_target_generic +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,925,canva.audit.target.team.id,vendor_root,entity_target_generic +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,935,canva.audit.target.user.display_name,vendor_root,likely_user_target_or_entity +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,951,canva.audit.target.user.email,vendor_root,likely_user_target_or_entity +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,967,canva.audit.target.user.id,vendor_root,likely_user_target_or_entity +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,823,json.target.id,other_vendor_or_nested,entity_target_generic 
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,834,json.target.name,other_vendor_or_nested,entity_target_generic +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,845,json.target.organization.id,other_vendor_or_nested,entity_target_generic +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,850,json.target.owner.organization.id,other_vendor_or_nested,entity_target_generic +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,855,json.target.owner.team.display_name,other_vendor_or_nested,entity_target_generic +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,860,json.target.owner.team.id,other_vendor_or_nested,entity_target_generic +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,865,json.target.owner.type,other_vendor_or_nested,entity_target_generic +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,870,json.target.owner.user.display_name,other_vendor_or_nested,likely_user_target_or_entity +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,881,json.target.owner.user.email,other_vendor_or_nested,likely_user_target_or_entity +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,892,json.target.owner.user.id,other_vendor_or_nested,likely_user_target_or_entity +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,903,json.target.resource_type,other_vendor_or_nested,entity_target_generic 
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,908,json.target.target_type,other_vendor_or_nested,entity_target_generic +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,913,json.target.team.display_name,other_vendor_or_nested,entity_target_generic +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,923,json.target.team.id,other_vendor_or_nested,entity_target_generic +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,933,json.target.user.display_name,other_vendor_or_nested,likely_user_target_or_entity +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,949,json.target.user.email,other_vendor_or_nested,likely_user_target_or_entity +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,965,json.target.user.id,other_vendor_or_nested,likely_user_target_or_entity +canva,audit,expected_json,packages/canva/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,437,target.id,other_vendor_or_nested,entity_target_generic +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,440,target.name,other_vendor_or_nested,entity_target_generic +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,443,target.organization,other_vendor_or_nested,entity_target_generic +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,446,target.organization.id,other_vendor_or_nested,entity_target_generic +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,449,target.owner,other_vendor_or_nested,entity_target_generic 
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,452,target.owner.organization,other_vendor_or_nested,entity_target_generic +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,455,target.owner.organization.id,other_vendor_or_nested,entity_target_generic +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,458,target.owner.team,other_vendor_or_nested,entity_target_generic +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,461,target.owner.team.display_name,other_vendor_or_nested,entity_target_generic +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,464,target.owner.team.id,other_vendor_or_nested,entity_target_generic +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,467,target.owner.type,other_vendor_or_nested,entity_target_generic +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,470,target.owner.user,other_vendor_or_nested,likely_user_target_or_entity +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,473,target.owner.user.display_name,other_vendor_or_nested,likely_user_target_or_entity +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,476,target.owner.user.email,other_vendor_or_nested,likely_user_target_or_entity +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,479,target.owner.user.id,other_vendor_or_nested,likely_user_target_or_entity +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,482,target.resource_type,other_vendor_or_nested,entity_target_generic +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,485,target.target_type,other_vendor_or_nested,entity_target_generic 
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,488,target.team,other_vendor_or_nested,entity_target_generic +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,491,target.team.display_name,other_vendor_or_nested,entity_target_generic +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,494,target.team.id,other_vendor_or_nested,entity_target_generic +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,497,target.user,other_vendor_or_nested,likely_user_target_or_entity +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,500,target.user.display_name,other_vendor_or_nested,likely_user_target_or_entity +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,503,target.user.email,other_vendor_or_nested,likely_user_target_or_entity +canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,506,target.user.id,other_vendor_or_nested,likely_user_target_or_entity +canva,audit,expected_json,packages/canva/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target_type,other_vendor_or_nested,entity_target_generic +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,954,user.target.email,ecs_top_level,likely_user_target_or_entity +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,938,user.target.full_name,ecs_top_level,likely_user_target_or_entity +canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,970,user.target.id,ecs_top_level,likely_user_target_or_entity +carbon_black_cloud,alert_v7,ingest_pipeline,packages/carbon_black_cloud/data_stream/alert_v7/elasticsearch/ingest_pipeline/default.yml,614,carbon_black_cloud.alert.device.target_value,vendor_root,likely_host_target_or_entity 
+carbon_black_cloud,endpoint_event,ingest_pipeline,packages/carbon_black_cloud/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml,397,carbon_black_cloud.endpoint_event.crossproc.target,vendor_root,entity_target_generic +carbon_black_cloud,endpoint_event,ingest_pipeline,packages/carbon_black_cloud/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml,372,carbon_black_cloud.endpoint_event.target_cmdline,vendor_root,entity_target_generic +carbon_black_cloud,endpoint_event,fields_yml_nested,packages/carbon_black_cloud/data_stream/endpoint_event/fields/fields.yml,50,crossproc.target,other_vendor_or_nested,entity_target_generic +carbon_black_cloud,alert_v7,fields_yml_nested,packages/carbon_black_cloud/data_stream/alert_v7/fields/fields.yml,191,device.target_value,other_vendor_or_nested,likely_host_target_or_entity +carbon_black_cloud,endpoint_event,ingest_pipeline,packages/carbon_black_cloud/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml,396,json.crossproc_target,other_vendor_or_nested,entity_target_generic +carbon_black_cloud,alert_v7,ingest_pipeline,packages/carbon_black_cloud/data_stream/alert_v7/elasticsearch/ingest_pipeline/default.yml,613,json.device_target_value,other_vendor_or_nested,likely_host_target_or_entity +carbon_black_cloud,endpoint_event,ingest_pipeline,packages/carbon_black_cloud/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml,371,json.target_cmdline,other_vendor_or_nested,entity_target_generic +carbon_black_cloud,endpoint_event,expected_json,packages/carbon_black_cloud/data_stream/endpoint_event/_dev/test/pipeline/test-endpoint-event.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +carbon_black_cloud,endpoint_event,expected_json,packages/carbon_black_cloud/data_stream/endpoint_event/_dev/test/pipeline/test-endpoint-event.log-expected.json,0,target_cmdline,other_vendor_or_nested,entity_target_generic 
+carbon_black_cloud,alert_v7,expected_json,packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-base-alert.log-expected.json,0,target_value,other_vendor_or_nested,entity_target_generic +carbon_black_cloud,alert_v7,expected_json,packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-cb-analytics.log-expected.json,0,target_value,other_vendor_or_nested,entity_target_generic +carbon_black_cloud,alert_v7,expected_json,packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-container-runtime.log-expected.json,0,target_value,other_vendor_or_nested,entity_target_generic +carbon_black_cloud,alert_v7,expected_json,packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-watchlist.log-expected.json,0,target_value,other_vendor_or_nested,entity_target_generic +carbonblack_edr,log,expected_json,packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json,0,is_target,other_vendor_or_nested,entity_target_generic +carbonblack_edr,log,ingest_pipeline,packages/carbonblack_edr/data_stream/log/elasticsearch/ingest_pipeline/default.yml,139,json.target_create_time,other_vendor_or_nested,entity_target_generic +carbonblack_edr,log,ingest_pipeline,packages/carbonblack_edr/data_stream/log/elasticsearch/ingest_pipeline/default.yml,145,json.target_pid,other_vendor_or_nested,entity_target_generic +carbonblack_edr,log,expected_json,packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json,0,link_target,other_vendor_or_nested,entity_target_generic +carbonblack_edr,log,expected_json,packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json,0,target_create_time,other_vendor_or_nested,entity_target_generic +carbonblack_edr,log,expected_json,packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json,0,target_md5,other_vendor_or_nested,entity_target_generic 
+carbonblack_edr,log,expected_json,packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json,0,target_path,other_vendor_or_nested,entity_target_generic +carbonblack_edr,log,expected_json,packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json,0,target_pid,other_vendor_or_nested,entity_target_generic +carbonblack_edr,log,expected_json,packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json,0,target_process_guid,other_vendor_or_nested,entity_target_generic +carbonblack_edr,log,expected_json,packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json,0,target_sha256,other_vendor_or_nested,entity_target_generic +cef,log,expected_json,packages/cef/data_stream/log/_dev/test/pipeline/test-trend-micro.json-expected.json,0,TrendMicroDsMalwareTarget,other_vendor_or_nested,entity_target_generic +cef,log,expected_json,packages/cef/data_stream/log/_dev/test/pipeline/test-trend-micro.json-expected.json,0,TrendMicroDsMalwareTargetType,other_vendor_or_nested,entity_target_generic +cef,log,expected_json,packages/cef/data_stream/log/_dev/test/pipeline/test-trend-micro.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +checkpoint,firewall,fields_yml_nested,packages/checkpoint/data_stream/firewall/fields/fields.yml,1974,checkpoint.tasktargetid,vendor_root,entity_target_generic +checkpoint,firewall,expected_json,packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-audit.log-expected.json,0,tasktargetid,other_vendor_or_nested,entity_target_generic +cisco_duo,activity,ingest_pipeline,packages/cisco_duo/data_stream/activity/elasticsearch/ingest_pipeline/default.yml,139,cisco_duo.activity.old_target,vendor_root,entity_target_generic 
+cisco_duo,activity,ingest_pipeline,packages/cisco_duo/data_stream/activity/elasticsearch/ingest_pipeline/default.yml,143,cisco_duo.activity.old_target.details,vendor_root,entity_target_generic +cisco_duo,activity,ingest_pipeline,packages/cisco_duo/data_stream/activity/elasticsearch/ingest_pipeline/default.yml,154,cisco_duo.activity.target,vendor_root,entity_target_generic +cisco_duo,activity,ingest_pipeline,packages/cisco_duo/data_stream/activity/elasticsearch/ingest_pipeline/default.yml,158,cisco_duo.activity.target.details,vendor_root,entity_target_generic +cisco_duo,activity,ingest_pipeline,packages/cisco_duo/data_stream/activity/elasticsearch/ingest_pipeline/default.yml,138,json.old_target,other_vendor_or_nested,entity_target_generic +cisco_duo,activity,ingest_pipeline,packages/cisco_duo/data_stream/activity/elasticsearch/ingest_pipeline/default.yml,153,json.target,other_vendor_or_nested,entity_target_generic +cisco_duo,activity,fields_yml_nested,packages/cisco_duo/data_stream/activity/fields/fields.yml,157,old_target.details,other_vendor_or_nested,entity_target_generic +cisco_duo,activity,fields_yml_nested,packages/cisco_duo/data_stream/activity/fields/fields.yml,161,old_target.key,other_vendor_or_nested,entity_target_generic +cisco_duo,activity,fields_yml_nested,packages/cisco_duo/data_stream/activity/fields/fields.yml,165,old_target.name,other_vendor_or_nested,entity_target_generic +cisco_duo,activity,fields_yml_nested,packages/cisco_duo/data_stream/activity/fields/fields.yml,169,old_target.type,other_vendor_or_nested,entity_target_generic +cisco_duo,activity,expected_json,packages/cisco_duo/data_stream/activity/_dev/test/pipeline/test-activity.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +cisco_duo,admin,expected_json,packages/cisco_duo/data_stream/admin/_dev/test/pipeline/test-admin.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+cisco_duo,activity,fields_yml_nested,packages/cisco_duo/data_stream/activity/fields/fields.yml,182,target.details,other_vendor_or_nested,entity_target_generic +cisco_duo,activity,fields_yml_nested,packages/cisco_duo/data_stream/activity/fields/fields.yml,186,target.key,other_vendor_or_nested,entity_target_generic +cisco_duo,activity,fields_yml_nested,packages/cisco_duo/data_stream/activity/fields/fields.yml,190,target.name,other_vendor_or_nested,entity_target_generic +cisco_duo,activity,fields_yml_nested,packages/cisco_duo/data_stream/activity/fields/fields.yml,194,target.type,other_vendor_or_nested,entity_target_generic +cisco_duo,admin,ingest_pipeline,packages/cisco_duo/data_stream/admin/elasticsearch/ingest_pipeline/default.yml,147,user.target.name,ecs_top_level,likely_user_target_or_entity +cisco_ise,log,expected_json,packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json,0,assigned_targets,other_vendor_or_nested,entity_target_generic +cisco_ise,log,ingest_pipeline,packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml,149,cisco_ise.log.assigned_targets,vendor_root,entity_target_generic +cisco_ise,log,ingest_pipeline,packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml,148,cisco_ise.log.log_details.AssignedTargets,vendor_root,entity_target_generic +crowdstrike,fdr,expected_json,packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-windows.log-expected.json,0,TargetCommandLineParameters,other_vendor_or_nested,entity_target_generic +crowdstrike,fdr,expected_json,packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-windows.log-expected.json,0,TargetFileName,other_vendor_or_nested,entity_target_generic 
+crowdstrike,fdr,expected_json,packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-windows.log-expected.json,0,TargetSHA256HashData,other_vendor_or_nested,entity_target_generic +crowdstrike,fdr,expected_json,packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-windows.log-expected.json,0,TargetThreadId,other_vendor_or_nested,entity_target_generic +crowdstrike,fdr,expected_json,packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-windows.log-expected.json,0,TargetThreadModule,other_vendor_or_nested,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1466,crowdstrike.SymbolicLinkTarget,vendor_root,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1739,crowdstrike.TargetAuthenticationId,vendor_root,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1486,crowdstrike.TargetCommandLineParameters,vendor_root,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1488,crowdstrike.TargetDomainControllerObjectGuid,vendor_root,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1490,crowdstrike.TargetDomainControllerObjectSid,vendor_root,entity_target_generic +crowdstrike,fdr,ingest_pipeline,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,2152,crowdstrike.TargetFileName,vendor_root,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1492,crowdstrike.TargetFileName,vendor_root,entity_target_generic +crowdstrike,fdr,ingest_pipeline,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1345,crowdstrike.TargetImageFileName,vendor_root,entity_target_generic 
+crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1741,crowdstrike.TargetIntegrityLevel,vendor_root,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1743,crowdstrike.TargetProcessCommandLine,vendor_root,entity_target_generic +crowdstrike,fdr,ingest_pipeline,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1106,crowdstrike.TargetProcessId,vendor_root,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1745,crowdstrike.TargetProcessImageFileName,vendor_root,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1494,crowdstrike.TargetSHA256HashData,vendor_root,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1496,crowdstrike.TargetThreadId,vendor_root,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1498,crowdstrike.TargetThreadModule,vendor_root,entity_target_generic +crowdstrike,alert,fields_yml_nested,packages/crowdstrike/data_stream/alert/fields/fields.yml,589,crowdstrike.alert.target,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1944,crowdstrike.alert.target.account_name,vendor_root,entity_target_generic +crowdstrike,alert,fields_yml_nested,packages/crowdstrike/data_stream/alert/fields/fields.yml,592,crowdstrike.alert.target.account_name,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1928,crowdstrike.alert.target.domain_controller_host_name,vendor_root,likely_host_target_or_entity 
+crowdstrike,alert,fields_yml_nested,packages/crowdstrike/data_stream/alert/fields/fields.yml,594,crowdstrike.alert.target.domain_controller_host_name,vendor_root,likely_host_target_or_entity +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1960,crowdstrike.alert.target.domain_controller_object_guid,vendor_root,entity_target_generic +crowdstrike,alert,fields_yml_nested,packages/crowdstrike/data_stream/alert/fields/fields.yml,596,crowdstrike.alert.target.domain_controller_object_guid,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1965,crowdstrike.alert.target.domain_controller_object_sid,vendor_root,entity_target_generic +crowdstrike,alert,fields_yml_nested,packages/crowdstrike/data_stream/alert/fields/fields.yml,598,crowdstrike.alert.target.domain_controller_object_sid,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1970,crowdstrike.alert.target.endpoint_account_object_guid,vendor_root,entity_target_generic +crowdstrike,alert,fields_yml_nested,packages/crowdstrike/data_stream/alert/fields/fields.yml,600,crowdstrike.alert.target.endpoint_account_object_guid,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1975,crowdstrike.alert.target.endpoint_account_object_sid,vendor_root,entity_target_generic +crowdstrike,alert,fields_yml_nested,packages/crowdstrike/data_stream/alert/fields/fields.yml,602,crowdstrike.alert.target.endpoint_account_object_sid,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1912,crowdstrike.alert.target.endpoint_host_name,vendor_root,likely_host_target_or_entity 
+crowdstrike,alert,fields_yml_nested,packages/crowdstrike/data_stream/alert/fields/fields.yml,604,crowdstrike.alert.target.endpoint_host_name,vendor_root,likely_host_target_or_entity +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1980,crowdstrike.alert.target.endpoint_sensor_id,vendor_root,entity_target_generic +crowdstrike,alert,fields_yml_nested,packages/crowdstrike/data_stream/alert/fields/fields.yml,606,crowdstrike.alert.target.endpoint_sensor_id,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1985,crowdstrike.alert.target.service_access_identifier,vendor_root,likely_service_target_or_entity +crowdstrike,alert,fields_yml_nested,packages/crowdstrike/data_stream/alert/fields/fields.yml,608,crowdstrike.alert.target.service_access_identifier,vendor_root,likely_service_target_or_entity +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1942,crowdstrike.alert.target_account_name,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1926,crowdstrike.alert.target_domain_controller_host_name,vendor_root,likely_host_target_or_entity +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1958,crowdstrike.alert.target_domain_controller_object_guid,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1963,crowdstrike.alert.target_domain_controller_object_sid,vendor_root,entity_target_generic 
+crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1968,crowdstrike.alert.target_endpoint_account_object_guid,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1973,crowdstrike.alert.target_endpoint_account_object_sid,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1910,crowdstrike.alert.target_endpoint_host_name,vendor_root,likely_host_target_or_entity +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1978,crowdstrike.alert.target_endpoint_sensor_id,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1983,crowdstrike.alert.target_service_access_identifier,vendor_root,likely_service_target_or_entity +crowdstrike,alert,expected_json,packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +crowdstrike,falcon,expected_json,packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-event-stream.log-expected.json,0,target_user,other_vendor_or_nested,likely_user_target_or_entity +crowdstrike,fdr,ingest_pipeline,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1674,user.target.id,ecs_top_level,likely_user_target_or_entity +crowdstrike,fdr,ingest_pipeline,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1635,user.target.name,ecs_top_level,likely_user_target_or_entity +cyberark_epm,policyaudit_raw_event,expected_json,packages/cyberark_epm/data_stream/policyaudit_raw_event/_dev/test/pipeline/test-policyaudit-raw-event.log-expected.json,0,access_target_name,other_vendor_or_nested,entity_target_generic 
+cyberark_epm,raw_event,expected_json,packages/cyberark_epm/data_stream/raw_event/_dev/test/pipeline/test-raw-event.log-expected.json,0,access_target_name,other_vendor_or_nested,entity_target_generic +cyberark_epm,policyaudit_raw_event,expected_json,packages/cyberark_epm/data_stream/policyaudit_raw_event/_dev/test/pipeline/test-policyaudit-raw-event.log-expected.json,0,access_target_type,other_vendor_or_nested,entity_target_generic +cyberark_epm,raw_event,expected_json,packages/cyberark_epm/data_stream/raw_event/_dev/test/pipeline/test-raw-event.log-expected.json,0,access_target_type,other_vendor_or_nested,entity_target_generic +cyberark_epm,aggregated_event,ingest_pipeline,packages/cyberark_epm/data_stream/aggregated_event/elasticsearch/ingest_pipeline/default.yml,439,cyberark_epm.aggregated_event.last_event_access_target_name,vendor_root,entity_target_generic +cyberark_epm,aggregated_event,fields_yml_nested,packages/cyberark_epm/data_stream/aggregated_event/fields/fields.yml,70,cyberark_epm.aggregated_event.last_event_access_target_name,vendor_root,entity_target_generic +cyberark_epm,aggregated_event,ingest_pipeline,packages/cyberark_epm/data_stream/aggregated_event/elasticsearch/ingest_pipeline/default.yml,444,cyberark_epm.aggregated_event.last_event_access_target_type,vendor_root,entity_target_generic +cyberark_epm,aggregated_event,fields_yml_nested,packages/cyberark_epm/data_stream/aggregated_event/fields/fields.yml,72,cyberark_epm.aggregated_event.last_event_access_target_type,vendor_root,entity_target_generic +cyberark_epm,policyaudit_aggregated_event,ingest_pipeline,packages/cyberark_epm/data_stream/policyaudit_aggregated_event/elasticsearch/ingest_pipeline/default.yml,278,cyberark_epm.policyaudit_aggregated_event.last_event_access_target,vendor_root,entity_target_generic 
+cyberark_epm,policyaudit_aggregated_event,fields_yml_nested,packages/cyberark_epm/data_stream/policyaudit_aggregated_event/fields/fields.yml,59,cyberark_epm.policyaudit_aggregated_event.last_event_access_target,vendor_root,entity_target_generic +cyberark_epm,policyaudit_aggregated_event,ingest_pipeline,packages/cyberark_epm/data_stream/policyaudit_aggregated_event/elasticsearch/ingest_pipeline/default.yml,283,cyberark_epm.policyaudit_aggregated_event.last_event_access_target_type,vendor_root,entity_target_generic +cyberark_epm,policyaudit_aggregated_event,fields_yml_nested,packages/cyberark_epm/data_stream/policyaudit_aggregated_event/fields/fields.yml,61,cyberark_epm.policyaudit_aggregated_event.last_event_access_target_type,vendor_root,entity_target_generic +cyberark_epm,policyaudit_raw_event,ingest_pipeline,packages/cyberark_epm/data_stream/policyaudit_raw_event/elasticsearch/ingest_pipeline/default.yml,134,cyberark_epm.policyaudit_raw_event.access_target_name,vendor_root,entity_target_generic +cyberark_epm,policyaudit_raw_event,fields_yml_nested,packages/cyberark_epm/data_stream/policyaudit_raw_event/fields/fields.yml,7,cyberark_epm.policyaudit_raw_event.access_target_name,vendor_root,entity_target_generic +cyberark_epm,policyaudit_raw_event,ingest_pipeline,packages/cyberark_epm/data_stream/policyaudit_raw_event/elasticsearch/ingest_pipeline/default.yml,139,cyberark_epm.policyaudit_raw_event.access_target_type,vendor_root,entity_target_generic +cyberark_epm,policyaudit_raw_event,fields_yml_nested,packages/cyberark_epm/data_stream/policyaudit_raw_event/fields/fields.yml,9,cyberark_epm.policyaudit_raw_event.access_target_type,vendor_root,entity_target_generic +cyberark_epm,raw_event,ingest_pipeline,packages/cyberark_epm/data_stream/raw_event/elasticsearch/ingest_pipeline/default.yml,139,cyberark_epm.raw_event.access_target_name,vendor_root,entity_target_generic 
+cyberark_epm,raw_event,fields_yml_nested,packages/cyberark_epm/data_stream/raw_event/fields/fields.yml,10,cyberark_epm.raw_event.access_target_name,vendor_root,entity_target_generic +cyberark_epm,raw_event,ingest_pipeline,packages/cyberark_epm/data_stream/raw_event/elasticsearch/ingest_pipeline/default.yml,144,cyberark_epm.raw_event.access_target_type,vendor_root,entity_target_generic +cyberark_epm,raw_event,fields_yml_nested,packages/cyberark_epm/data_stream/raw_event/fields/fields.yml,13,cyberark_epm.raw_event.access_target_type,vendor_root,entity_target_generic +cyberark_epm,aggregated_event,ingest_pipeline,packages/cyberark_epm/data_stream/aggregated_event/elasticsearch/ingest_pipeline/default.yml,579,file.target_path,ecs_top_level,entity_target_generic +cyberark_epm,policyaudit_aggregated_event,ingest_pipeline,packages/cyberark_epm/data_stream/policyaudit_aggregated_event/elasticsearch/ingest_pipeline/default.yml,373,file.target_path,ecs_top_level,entity_target_generic +cyberark_epm,policyaudit_raw_event,ingest_pipeline,packages/cyberark_epm/data_stream/policyaudit_raw_event/elasticsearch/ingest_pipeline/default.yml,681,file.target_path,ecs_top_level,entity_target_generic +cyberark_epm,raw_event,ingest_pipeline,packages/cyberark_epm/data_stream/raw_event/elasticsearch/ingest_pipeline/default.yml,977,file.target_path,ecs_top_level,entity_target_generic +cyberark_epm,policyaudit_raw_event,ingest_pipeline,packages/cyberark_epm/data_stream/policyaudit_raw_event/elasticsearch/ingest_pipeline/default.yml,132,json.accessTargetName,other_vendor_or_nested,entity_target_generic +cyberark_epm,raw_event,ingest_pipeline,packages/cyberark_epm/data_stream/raw_event/elasticsearch/ingest_pipeline/default.yml,137,json.accessTargetName,other_vendor_or_nested,entity_target_generic 
+cyberark_epm,policyaudit_raw_event,ingest_pipeline,packages/cyberark_epm/data_stream/policyaudit_raw_event/elasticsearch/ingest_pipeline/default.yml,137,json.accessTargetType,other_vendor_or_nested,entity_target_generic +cyberark_epm,raw_event,ingest_pipeline,packages/cyberark_epm/data_stream/raw_event/elasticsearch/ingest_pipeline/default.yml,142,json.accessTargetType,other_vendor_or_nested,entity_target_generic +cyberark_epm,policyaudit_aggregated_event,ingest_pipeline,packages/cyberark_epm/data_stream/policyaudit_aggregated_event/elasticsearch/ingest_pipeline/default.yml,276,json.lastEventAccessTarget,other_vendor_or_nested,entity_target_generic +cyberark_epm,aggregated_event,ingest_pipeline,packages/cyberark_epm/data_stream/aggregated_event/elasticsearch/ingest_pipeline/default.yml,437,json.lastEventAccessTargetName,other_vendor_or_nested,entity_target_generic +cyberark_epm,aggregated_event,ingest_pipeline,packages/cyberark_epm/data_stream/aggregated_event/elasticsearch/ingest_pipeline/default.yml,442,json.lastEventAccessTargetType,other_vendor_or_nested,entity_target_generic +cyberark_epm,policyaudit_aggregated_event,ingest_pipeline,packages/cyberark_epm/data_stream/policyaudit_aggregated_event/elasticsearch/ingest_pipeline/default.yml,281,json.lastEventAccessTargetType,other_vendor_or_nested,entity_target_generic +cyberark_epm,policyaudit_aggregated_event,expected_json,packages/cyberark_epm/data_stream/policyaudit_aggregated_event/_dev/test/pipeline/test-policyaudit-aggregated-event.log-expected.json,0,last_event_access_target_type,other_vendor_or_nested,entity_target_generic +cyberark_epm,raw_event,expected_json,packages/cyberark_epm/data_stream/raw_event/_dev/test/pipeline/test-raw-event.log-expected.json,0,target_path,other_vendor_or_nested,entity_target_generic +cyberarkpas,audit,expected_json,packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+cyberarkpas,audit,expected_json,packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +cyberarkpas,audit,expected_json,packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +cyberarkpas,audit,expected_json,packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +cyberarkpas,audit,expected_json,packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +cyberarkpas,audit,expected_json,packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +cyberarkpas,audit,expected_json,packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +cyberarkpas,audit,expected_json,packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +cyberarkpas,audit,expected_json,packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json,0,target_user,other_vendor_or_nested,likely_user_target_or_entity +cyberarkpas,audit,expected_json,packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json,0,target_user,other_vendor_or_nested,likely_user_target_or_entity +cyera,event,ingest_pipeline,packages/cyera/data_stream/event/elasticsearch/ingest_pipeline/default.yml,554,cyera.event.target_classifications,vendor_root,entity_target_generic 
+cyera,event,fields_yml_nested,packages/cyera/data_stream/event/fields/fields.yml,267,cyera.event.target_classifications,vendor_root,entity_target_generic +cyera,event,fields_yml_nested,packages/cyera/data_stream/event/fields/fields.yml,270,cyera.event.target_classifications.name,vendor_root,entity_target_generic +cyera,event,fields_yml_nested,packages/cyera/data_stream/event/fields/fields.yml,273,cyera.event.target_classifications.uid,vendor_root,entity_target_generic +cyera,event,fields_yml_nested,packages/cyera/data_stream/event/fields/fields.yml,276,cyera.event.target_sensitivity,vendor_root,entity_target_generic +cyera,event,ingest_pipeline,packages/cyera/data_stream/event/elasticsearch/ingest_pipeline/default.yml,559,cyera.event.target_sensitivity.display_name,vendor_root,entity_target_generic +cyera,event,fields_yml_nested,packages/cyera/data_stream/event/fields/fields.yml,279,cyera.event.target_sensitivity.display_name,vendor_root,entity_target_generic +cyera,event,ingest_pipeline,packages/cyera/data_stream/event/elasticsearch/ingest_pipeline/default.yml,564,cyera.event.target_sensitivity.value,vendor_root,entity_target_generic +cyera,event,fields_yml_nested,packages/cyera/data_stream/event/fields/fields.yml,282,cyera.event.target_sensitivity.value,vendor_root,entity_target_generic +cyera,event,ingest_pipeline,packages/cyera/data_stream/event/elasticsearch/ingest_pipeline/default.yml,542,json.targetClassifications,other_vendor_or_nested,entity_target_generic +cyera,event,ingest_pipeline,packages/cyera/data_stream/event/elasticsearch/ingest_pipeline/default.yml,562,json.targetSensitivity,other_vendor_or_nested,entity_target_generic +cyera,event,ingest_pipeline,packages/cyera/data_stream/event/elasticsearch/ingest_pipeline/default.yml,557,json.targetSensitivityDisplayName,other_vendor_or_nested,entity_target_generic 
+cyera,event,expected_json,packages/cyera/data_stream/event/_dev/test/pipeline/test-event.log-expected.json,0,target_classifications,other_vendor_or_nested,entity_target_generic +cyera,event,expected_json,packages/cyera/data_stream/event/_dev/test/pipeline/test-event.log-expected.json,0,target_sensitivity,other_vendor_or_nested,entity_target_generic +cylance,protect,fields_yml_nested,packages/cylance/data_stream/protect/fields/fields.yml,553,rsa.misc.context_target,other_vendor_or_nested,entity_target_generic +cylance,protect,fields_yml_nested,packages/cylance/data_stream/protect/fields/fields.yml,893,rsa.misc.cs_targetmodule,other_vendor_or_nested,entity_target_generic +cylance,protect,fields_yml_nested,packages/cylance/data_stream/protect/fields/fields.yml,576,rsa.misc.vm_target,other_vendor_or_nested,entity_target_generic +darktrace,model_breach_alert,ingest_pipeline,packages/darktrace/data_stream/model_breach_alert/elasticsearch/ingest_pipeline/default.yml,876,json.model.logic.targetScore,other_vendor_or_nested,entity_target_generic +darktrace,model_breach_alert,ingest_pipeline,packages/darktrace/data_stream/model_breach_alert/elasticsearch/ingest_pipeline/default.yml,877,json.model.logic.target_score,other_vendor_or_nested,entity_target_generic +darktrace,model_breach_alert,fields_yml_nested,packages/darktrace/data_stream/model_breach_alert/fields/fields.yml,282,model.logic.target_score,other_vendor_or_nested,entity_target_generic +darktrace,model_breach_alert,expected_json,packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model-breach-alert.log-expected.json,0,target_score,other_vendor_or_nested,entity_target_generic +eset_protect,device_task,fields_yml_nested,packages/eset_protect/data_stream/device_task/fields/fields.yml,34,eset_protect.device_task.action.params.scan_targets,vendor_root,likely_host_target_or_entity 
+eset_protect,device_task,fields_yml_nested,packages/eset_protect/data_stream/device_task/fields/fields.yml,42,eset_protect.device_task.targets,vendor_root,likely_host_target_or_entity +eset_protect,device_task,ingest_pipeline,packages/eset_protect/data_stream/device_task/elasticsearch/ingest_pipeline/default.yml,122,eset_protect.device_task.targets.device_groups_uuids,vendor_root,likely_host_target_or_entity +eset_protect,device_task,fields_yml_nested,packages/eset_protect/data_stream/device_task/fields/fields.yml,45,eset_protect.device_task.targets.device_groups_uuids,vendor_root,likely_host_target_or_entity +eset_protect,device_task,ingest_pipeline,packages/eset_protect/data_stream/device_task/elasticsearch/ingest_pipeline/default.yml,136,eset_protect.device_task.targets.devices_uuids,vendor_root,likely_host_target_or_entity +eset_protect,device_task,fields_yml_nested,packages/eset_protect/data_stream/device_task/fields/fields.yml,48,eset_protect.device_task.targets.devices_uuids,vendor_root,likely_host_target_or_entity +eset_protect,event,ingest_pipeline,packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml,827,eset_protect.event.target,vendor_root,entity_target_generic +eset_protect,event,fields_yml_nested,packages/eset_protect/data_stream/event/fields/fields.yml,150,eset_protect.event.target,vendor_root,entity_target_generic +eset_protect,event,ingest_pipeline,packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml,832,eset_protect.event.target_address,vendor_root,entity_target_generic +eset_protect,event,fields_yml_nested,packages/eset_protect/data_stream/event/fields/fields.yml,153,eset_protect.event.target_address,vendor_root,entity_target_generic +eset_protect,event,ingest_pipeline,packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml,878,eset_protect.event.target_address_type,vendor_root,entity_target_generic 
+eset_protect,event,fields_yml_nested,packages/eset_protect/data_stream/event/fields/fields.yml,156,eset_protect.event.target_address_type,vendor_root,entity_target_generic +eset_protect,event,ingest_pipeline,packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml,883,eset_protect.event.target_port,vendor_root,entity_target_generic +eset_protect,event,fields_yml_nested,packages/eset_protect/data_stream/event/fields/fields.yml,159,eset_protect.event.target_port,vendor_root,entity_target_generic +eset_protect,device_task,ingest_pipeline,packages/eset_protect/data_stream/device_task/elasticsearch/ingest_pipeline/default.yml,94,json.action.params.scanTargets,other_vendor_or_nested,entity_target_generic +eset_protect,device_task,ingest_pipeline,packages/eset_protect/data_stream/device_task/elasticsearch/ingest_pipeline/default.yml,96,json.action.params.scan_targets,other_vendor_or_nested,entity_target_generic +eset_protect,event,ingest_pipeline,packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml,825,json.target,other_vendor_or_nested,entity_target_generic +eset_protect,event,ingest_pipeline,packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml,830,json.target_address,other_vendor_or_nested,entity_target_generic +eset_protect,event,ingest_pipeline,packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml,876,json.target_address_type,other_vendor_or_nested,entity_target_generic +eset_protect,event,ingest_pipeline,packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml,881,json.target_port,other_vendor_or_nested,entity_target_generic +eset_protect,device_task,ingest_pipeline,packages/eset_protect/data_stream/device_task/elasticsearch/ingest_pipeline/default.yml,120,json.targets.deviceGroupsUuids,other_vendor_or_nested,likely_host_target_or_entity 
+eset_protect,device_task,ingest_pipeline,packages/eset_protect/data_stream/device_task/elasticsearch/ingest_pipeline/default.yml,125,json.targets.devicesUuids,other_vendor_or_nested,likely_host_target_or_entity +eset_protect,device_task,expected_json,packages/eset_protect/data_stream/device_task/_dev/test/pipeline/test-device-task.log-expected.json,0,scan_targets,other_vendor_or_nested,entity_target_generic +eset_protect,event,expected_json,packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +eset_protect,event,expected_json,packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json,0,target_address,other_vendor_or_nested,entity_target_generic +eset_protect,event,expected_json,packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json,0,target_address_type,other_vendor_or_nested,entity_target_generic +eset_protect,event,expected_json,packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json,0,target_port,other_vendor_or_nested,entity_target_generic +eset_protect,device_task,expected_json,packages/eset_protect/data_stream/device_task/_dev/test/pipeline/test-device-task.log-expected.json,0,targets,other_vendor_or_nested,entity_target_generic +falco,alerts,fields_yml_flat,packages/falco/data_stream/alerts/fields/fields.yml,410,fs.path.target,other_vendor_or_nested,entity_target_generic +falco,alerts_agent,fields_yml_flat,packages/falco/data_stream/alerts_agent/fields/fields.yml,410,fs.path.target,other_vendor_or_nested,entity_target_generic +fim,event,expected_json,packages/fim/data_stream/event/_dev/test/pipeline/test-etw-backend.json-expected.json,0,target_path,other_vendor_or_nested,entity_target_generic +forgerock,idm_sync,fields_yml_flat,packages/forgerock/data_stream/idm_sync/fields/forgerock-fields.yml,25,forgerock.targetObjectId,vendor_root,entity_target_generic 
+forgerock,idm_core,expected_json,packages/forgerock/data_stream/idm_core/_dev/test/pipeline/test-idm-core.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +forgerock,idm_sync,expected_json,packages/forgerock/data_stream/idm_sync/_dev/test/pipeline/test-idm-sync.log-expected.json,0,targetObjectId,other_vendor_or_nested,entity_target_generic +fortinet_forticlient,log,fields_yml_nested,packages/fortinet_forticlient/data_stream/log/fields/fields.yml,553,rsa.misc.context_target,other_vendor_or_nested,entity_target_generic +fortinet_forticlient,log,fields_yml_nested,packages/fortinet_forticlient/data_stream/log/fields/fields.yml,893,rsa.misc.cs_targetmodule,other_vendor_or_nested,entity_target_generic +fortinet_forticlient,log,fields_yml_nested,packages/fortinet_forticlient/data_stream/log/fields/fields.yml,576,rsa.misc.vm_target,other_vendor_or_nested,entity_target_generic +fortinet_fortigate,log,fields_yml_nested,packages/fortinet_fortigate/data_stream/log/fields/fields.yml,1461,fortinet.firewall.slatargetid,other_vendor_or_nested,entity_target_generic +fortinet_fortigate,log,expected_json,packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-7-4.log-expected.json,0,slatargetid,other_vendor_or_nested,entity_target_generic +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,102,entity.target,other_vendor_or_nested,entity_target_generic +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,105,entity.target.id,other_vendor_or_nested,entity_target_generic +gcp,dns,ingest_pipeline,packages/gcp/data_stream/dns/elasticsearch/ingest_pipeline/default.yml,318,gcp.dns.target_type,vendor_root,entity_target_generic +gcp,loadbalancing_logs,ingest_pipeline,packages/gcp/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml,180,gcp.load_balancer.target_proxy_name,vendor_root,entity_target_generic 
+gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,87,host.target,ecs_top_level,likely_host_target_or_entity +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,90,host.target.entity,ecs_top_level,likely_host_target_or_entity +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,93,host.target.entity.id,ecs_top_level,likely_host_target_or_entity +gcp,loadbalancing_logs,ingest_pipeline,packages/gcp/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml,179,json.resource.labels.target_proxy_name,other_vendor_or_nested,entity_target_generic +gcp,dns,ingest_pipeline,packages/gcp/data_stream/dns/elasticsearch/ingest_pipeline/default.yml,319,json.resource.labels.target_type,other_vendor_or_nested,entity_target_generic +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/fields.yml,264,labels.payload.targetVersion,ecs_top_level,entity_target_generic +gcp,firewall,fields_yml_nested,packages/gcp/data_stream/firewall/fields/fields.yml,41,rule_details.target_service_account,other_vendor_or_nested,likely_service_target_or_entity +gcp,firewall,fields_yml_nested,packages/gcp/data_stream/firewall/fields/fields.yml,29,rule_details.target_tag,other_vendor_or_nested,entity_target_generic +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,69,service.target,other_vendor_or_nested,likely_service_target_or_entity +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,72,service.target.entity,other_vendor_or_nested,likely_service_target_or_entity +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,75,service.target.entity.id,other_vendor_or_nested,likely_service_target_or_entity +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-cloudresourcemanager-googleapis-com.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-compute-googleapis-com.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-iamcredentials-googleapis-com.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-networks-disks-classification.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-sdh-3695.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-user-entities.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-user-target-entities.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +gcp,audit,ingest_pipeline,packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,224,target.entity.id,other_vendor_or_nested,entity_target_generic +gcp,audit,fields_yml_flat,packages/gcp/data_stream/audit/fields/base-fields.yml,35,target.entity.id,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,targetId,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-compute-googleapis-com.log-expected.json,0,targetId,other_vendor_or_nested,entity_target_generic 
+gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,targetLink,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-compute-googleapis-com.log-expected.json,0,targetLink,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,targetResource,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-cluster-notifications.json-expected.json,0,targetVersion,other_vendor_or_nested,entity_target_generic +gcp,loadbalancing_logs,expected_json,packages/gcp/data_stream/loadbalancing_logs/_dev/test/pipeline/test-load-balancer.log-expected.json,0,target_proxy_name,other_vendor_or_nested,entity_target_generic +gcp,firewall,expected_json,packages/gcp/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json,0,target_tag,other_vendor_or_nested,entity_target_generic +gcp,dns,expected_json,packages/gcp/data_stream/dns/_dev/test/pipeline/test-dns-empty-rdata.log-expected.json,0,target_type,other_vendor_or_nested,entity_target_generic +gcp,dns,expected_json,packages/gcp/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json,0,target_type,other_vendor_or_nested,entity_target_generic +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,51,user.target,ecs_top_level,likely_user_target_or_entity +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,54,user.target.entity,ecs_top_level,likely_user_target_or_entity +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,57,user.target.entity.id,ecs_top_level,likely_user_target_or_entity +github,audit,fields_yml_nested,packages/github/data_stream/audit/fields/fields.yml,175,github.target_branch,vendor_root,entity_target_generic 
+github,audit,expected_json,packages/github/data_stream/audit/_dev/test/pipeline/test-enterprise-audit-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +github,audit,expected_json,packages/github/data_stream/audit/_dev/test/pipeline/test-organisation-audit-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +github,audit,expected_json,packages/github/data_stream/audit/_dev/test/pipeline/test-enterprise-audit-json.log-expected.json,0,target_branch,other_vendor_or_nested,entity_target_generic +github,audit,ingest_pipeline,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,123,user.target.group.name,ecs_top_level,likely_user_target_or_entity +github,audit,ingest_pipeline,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,258,user.target.id,ecs_top_level,likely_user_target_or_entity +github,audit,ingest_pipeline,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,94,user.target.name,ecs_top_level,likely_user_target_or_entity +gitlab,api,fields_yml_nested,packages/gitlab/data_stream/api/fields/fields.yml,136,gitlab.api.target_duration_s,vendor_root,entity_target_generic +gitlab,audit,fields_yml_nested,packages/gitlab/data_stream/audit/fields/fields.yml,17,gitlab.audit.target_details,vendor_root,entity_target_generic +gitlab,audit,fields_yml_nested,packages/gitlab/data_stream/audit/fields/fields.yml,13,gitlab.audit.target_id,vendor_root,entity_target_generic +gitlab,audit,fields_yml_nested,packages/gitlab/data_stream/audit/fields/fields.yml,15,gitlab.audit.target_type,vendor_root,entity_target_generic +gitlab,production,fields_yml_nested,packages/gitlab/data_stream/production/fields/fields.yml,271,gitlab.production.target_duration_s,vendor_root,entity_target_generic +gitlab,sidekiq,ingest_pipeline,packages/gitlab/data_stream/sidekiq/elasticsearch/ingest_pipeline/default.yml,1890,gitlab.sidekiq.target_duration_s,vendor_root,entity_target_generic 
+gitlab,sidekiq,fields_yml_nested,packages/gitlab/data_stream/sidekiq/fields/fields.yml,461,gitlab.sidekiq.target_duration_s,vendor_root,entity_target_generic +gitlab,sidekiq,ingest_pipeline,packages/gitlab/data_stream/sidekiq/elasticsearch/ingest_pipeline/default.yml,1902,gitlab.sidekiq.target_scheduling_latency_s,vendor_root,entity_target_generic +gitlab,sidekiq,fields_yml_nested,packages/gitlab/data_stream/sidekiq/fields/fields.yml,463,gitlab.sidekiq.target_scheduling_latency_s,vendor_root,entity_target_generic +gitlab,audit,expected_json,packages/gitlab/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target_details,other_vendor_or_nested,entity_target_generic +gitlab,api,expected_json,packages/gitlab/data_stream/api/_dev/test/pipeline/test-gitlab-api.log-expected.json,0,target_duration_s,other_vendor_or_nested,entity_target_generic +gitlab,production,expected_json,packages/gitlab/data_stream/production/_dev/test/pipeline/test-gitlab-production.log-expected.json,0,target_duration_s,other_vendor_or_nested,entity_target_generic +gitlab,audit,expected_json,packages/gitlab/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target_id,other_vendor_or_nested,entity_target_generic +gitlab,audit,expected_json,packages/gitlab/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target_type,other_vendor_or_nested,entity_target_generic +google_scc,asset,fields_yml_nested,packages/google_scc/data_stream/asset/fields/fields.yml,578,google_scc.asset.prior.related_assets.relationship_attributes.target_resource_type,vendor_root,entity_target_generic +google_scc,asset,fields_yml_nested,packages/google_scc/data_stream/asset/fields/fields.yml,891,google_scc.asset.related_assets.relationship_attributes.target_resource_type,vendor_root,entity_target_generic +google_scc,finding,fields_yml_nested,packages/google_scc/data_stream/finding/fields/fields.yml,239,google_scc.finding.exfiltration.targets,vendor_root,entity_target_generic 
+google_scc,finding,fields_yml_nested,packages/google_scc/data_stream/finding/fields/fields.yml,242,google_scc.finding.exfiltration.targets.components,vendor_root,entity_target_generic +google_scc,finding,fields_yml_nested,packages/google_scc/data_stream/finding/fields/fields.yml,245,google_scc.finding.exfiltration.targets.name,vendor_root,entity_target_generic +google_scc,asset,ingest_pipeline,packages/google_scc/data_stream/asset/elasticsearch/ingest_pipeline/pipeline_asset.yml,450,json.asset.relatedAssets.relationshipAttributes.targetResourceType,other_vendor_or_nested,entity_target_generic +google_scc,asset,ingest_pipeline,packages/google_scc/data_stream/asset/elasticsearch/ingest_pipeline/pipeline_asset.yml,451,json.asset.relatedAssets.relationship_attributes.target_resource_type,other_vendor_or_nested,entity_target_generic +google_scc,asset,ingest_pipeline,packages/google_scc/data_stream/asset/elasticsearch/ingest_pipeline/pipeline_prior_asset.yml,450,json.priorAsset.relatedAssets.relationshipAttributes.targetResourceType,other_vendor_or_nested,entity_target_generic +google_scc,asset,ingest_pipeline,packages/google_scc/data_stream/asset/elasticsearch/ingest_pipeline/pipeline_prior_asset.yml,451,json.priorAsset.relatedAssets.relationship_attributes.target_resource_type,other_vendor_or_nested,entity_target_generic +google_scc,asset,expected_json,packages/google_scc/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json,0,target_resource_type,other_vendor_or_nested,entity_target_generic +google_secops,alert,expected_json,packages/google_secops/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json,0,TargetLinkedLogonId,other_vendor_or_nested,entity_target_generic +google_secops,alert,expected_json,packages/google_secops/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic 
+google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1235,cloud.target.project.name,ecs_top_level,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,942,google_secops.alert.event.target,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,945,google_secops.alert.event.target.application,vendor_root,likely_service_target_or_entity +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,948,google_secops.alert.event.target.asset,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,951,google_secops.alert.event.target.asset.assetId,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,954,google_secops.alert.event.target.asset.hostname,vendor_root,likely_host_target_or_entity +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1206,google_secops.alert.event.target.asset.ip,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,957,google_secops.alert.event.target.asset.ip,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,960,google_secops.alert.event.target.asset.mac,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,963,google_secops.alert.event.target.assetId,vendor_root,entity_target_generic 
+google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,966,google_secops.alert.event.target.cloud,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,969,google_secops.alert.event.target.cloud.environment,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,972,google_secops.alert.event.target.cloud.project,vendor_root,entity_target_generic +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1237,google_secops.alert.event.target.cloud.project.name,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,975,google_secops.alert.event.target.cloud.project.name,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,978,google_secops.alert.event.target.file,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,981,google_secops.alert.event.target.file.fullPath,vendor_root,entity_target_generic +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1240,google_secops.alert.event.target.file.lastModificationTime,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,984,google_secops.alert.event.target.file.lastModificationTime,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,987,google_secops.alert.event.target.file.md5,vendor_root,entity_target_generic 
+google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,990,google_secops.alert.event.target.file.names,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,993,google_secops.alert.event.target.file.sha1,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,996,google_secops.alert.event.target.file.sha256,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,999,google_secops.alert.event.target.file.size,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1002,google_secops.alert.event.target.group,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1005,google_secops.alert.event.target.group.groupDisplayName,vendor_root,entity_target_generic +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1274,google_secops.alert.event.target.hostname,vendor_root,likely_host_target_or_entity +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1008,google_secops.alert.event.target.hostname,vendor_root,likely_host_target_or_entity +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1283,google_secops.alert.event.target.ip,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1011,google_secops.alert.event.target.ip,vendor_root,entity_target_generic 
+google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1014,google_secops.alert.event.target.labels,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1017,google_secops.alert.event.target.labels.key,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1019,google_secops.alert.event.target.labels.value,vendor_root,entity_target_generic +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1323,google_secops.alert.event.target.mac,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1021,google_secops.alert.event.target.mac,vendor_root,entity_target_generic +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1353,google_secops.alert.event.target.port,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1024,google_secops.alert.event.target.port,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1027,google_secops.alert.event.target.process,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1030,google_secops.alert.event.target.process.commandLine,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1033,google_secops.alert.event.target.process.file,vendor_root,entity_target_generic 
+google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1370,google_secops.alert.event.target.process.file.firstSeenTime,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1036,google_secops.alert.event.target.process.file.firstSeenTime,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1039,google_secops.alert.event.target.process.file.fullPath,vendor_root,entity_target_generic +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1384,google_secops.alert.event.target.process.file.lastModificationTime,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1042,google_secops.alert.event.target.process.file.lastModificationTime,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1045,google_secops.alert.event.target.process.parentProcess,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1048,google_secops.alert.event.target.process.parentProcess.commandLine,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1051,google_secops.alert.event.target.process.parentProcess.file,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1054,google_secops.alert.event.target.process.parentProcess.file.fullPath,vendor_root,entity_target_generic 
+google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1057,google_secops.alert.event.target.process.pid,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1060,google_secops.alert.event.target.process.productSpecificProcessId,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1063,google_secops.alert.event.target.registry,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1066,google_secops.alert.event.target.registry.registryKey,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1069,google_secops.alert.event.target.registry.registryValueData,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1072,google_secops.alert.event.target.registry.registryValueName,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1075,google_secops.alert.event.target.resource,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1078,google_secops.alert.event.target.resource.attribute,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1081,google_secops.alert.event.target.resource.attribute.labels,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1084,google_secops.alert.event.target.resource.attribute.labels.key,vendor_root,entity_target_generic 
+google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1086,google_secops.alert.event.target.resource.attribute.labels.value,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1088,google_secops.alert.event.target.resource.name,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1091,google_secops.alert.event.target.resource.productObjectId,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1094,google_secops.alert.event.target.resource.resourceType,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1097,google_secops.alert.event.target.resourceAncestors,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1100,google_secops.alert.event.target.resourceAncestors.name,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1103,google_secops.alert.event.target.resourceAncestors.productObjectId,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1106,google_secops.alert.event.target.user,vendor_root,likely_user_target_or_entity +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1398,google_secops.alert.event.target.user.emailAddresses,vendor_root,likely_user_target_or_entity +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1109,google_secops.alert.event.target.user.emailAddresses,vendor_root,likely_user_target_or_entity 
+google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1453,google_secops.alert.event.target.user.groupIdentifiers,vendor_root,likely_user_target_or_entity +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1112,google_secops.alert.event.target.user.groupIdentifiers,vendor_root,likely_user_target_or_entity +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1115,google_secops.alert.event.target.user.productObjectId,vendor_root,likely_user_target_or_entity +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1466,google_secops.alert.event.target.user.userDisplayName,vendor_root,likely_user_target_or_entity +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1118,google_secops.alert.event.target.user.userDisplayName,vendor_root,likely_user_target_or_entity +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1471,google_secops.alert.event.target.user.userid,vendor_root,likely_user_target_or_entity +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1121,google_secops.alert.event.target.user.userid,vendor_root,likely_user_target_or_entity +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1124,google_secops.alert.event.target.user.windowsSid,vendor_root,likely_user_target_or_entity +google_secops,alert,expected_json,packages/google_secops/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,chat,fields_yml_nested,packages/google_workspace/data_stream/chat/fields/fields.yml,61,google_workspace.chat.target_user_role,vendor_root,likely_user_target_or_entity 
+google_workspace,chat,ingest_pipeline,packages/google_workspace/data_stream/chat/elasticsearch/ingest_pipeline/default.yml,380,google_workspace.chat.target_users,vendor_root,likely_user_target_or_entity +google_workspace,chat,fields_yml_nested,packages/google_workspace/data_stream/chat/fields/fields.yml,64,google_workspace.chat.target_users,vendor_root,likely_user_target_or_entity +google_workspace,data_studio,ingest_pipeline,packages/google_workspace/data_stream/data_studio/elasticsearch/ingest_pipeline/default.yml,316,google_workspace.data_studio.target_domain,vendor_root,entity_target_generic +google_workspace,data_studio,fields_yml_nested,packages/google_workspace/data_stream/data_studio/fields/fields.yml,48,google_workspace.data_studio.target_domain,vendor_root,entity_target_generic +google_workspace,data_studio,ingest_pipeline,packages/google_workspace/data_stream/data_studio/elasticsearch/ingest_pipeline/default.yml,321,google_workspace.data_studio.target_user_email,vendor_root,likely_user_target_or_entity +google_workspace,data_studio,fields_yml_nested,packages/google_workspace/data_stream/data_studio/fields/fields.yml,51,google_workspace.data_studio.target_user_email,vendor_root,likely_user_target_or_entity +google_workspace,drive,ingest_pipeline,packages/google_workspace/data_stream/drive/elasticsearch/ingest_pipeline/default.yml,217,google_workspace.drive.target,vendor_root,entity_target_generic +google_workspace,drive,ingest_pipeline,packages/google_workspace/data_stream/drive/elasticsearch/ingest_pipeline/default.yml,216,google_workspace.drive.target_user,vendor_root,likely_user_target_or_entity +google_workspace,meet,fields_yml_nested,packages/google_workspace/data_stream/meet/fields/fields.yml,234,google_workspace.meet.target,vendor_root,entity_target_generic 
+google_workspace,meet,ingest_pipeline,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,935,google_workspace.meet.target.display_names,vendor_root,entity_target_generic +google_workspace,meet,fields_yml_nested,packages/google_workspace/data_stream/meet/fields/fields.yml,237,google_workspace.meet.target.display_names,vendor_root,entity_target_generic +google_workspace,meet,ingest_pipeline,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,945,google_workspace.meet.target.email,vendor_root,entity_target_generic +google_workspace,meet,fields_yml_nested,packages/google_workspace/data_stream/meet/fields/fields.yml,240,google_workspace.meet.target.email,vendor_root,entity_target_generic +google_workspace,meet,ingest_pipeline,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,969,google_workspace.meet.target.phone_number,vendor_root,entity_target_generic +google_workspace,meet,fields_yml_nested,packages/google_workspace/data_stream/meet/fields/fields.yml,243,google_workspace.meet.target.phone_number,vendor_root,entity_target_generic +google_workspace,meet,ingest_pipeline,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,979,google_workspace.meet.target.user_count,vendor_root,likely_user_target_or_entity +google_workspace,meet,fields_yml_nested,packages/google_workspace/data_stream/meet/fields/fields.yml,246,google_workspace.meet.target.user_count,vendor_root,likely_user_target_or_entity +google_workspace,meet,ingest_pipeline,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,932,google_workspace.meet.target_display_names,vendor_root,entity_target_generic +google_workspace,meet,ingest_pipeline,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,943,google_workspace.meet.target_email,vendor_root,entity_target_generic 
+google_workspace,meet,ingest_pipeline,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,967,google_workspace.meet.target_phone_number,vendor_root,entity_target_generic +google_workspace,meet,ingest_pipeline,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,977,google_workspace.meet.target_user_count,vendor_root,likely_user_target_or_entity +google_workspace,vault,ingest_pipeline,packages/google_workspace/data_stream/vault/elasticsearch/ingest_pipeline/default.yml,462,google_workspace.vault.target_user,vendor_root,likely_user_target_or_entity +google_workspace,vault,fields_yml_nested,packages/google_workspace/data_stream/vault/fields/fields.yml,64,google_workspace.vault.target_user,vendor_root,likely_user_target_or_entity +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,calendar,expected_json,packages/google_workspace/data_stream/calendar/_dev/test/pipeline/test-calendar.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,chat,expected_json,packages/google_workspace/data_stream/chat/_dev/test/pipeline/test-chat.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+google_workspace,data_studio,expected_json,packages/google_workspace/data_stream/data_studio/_dev/test/pipeline/test-data-studio.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,drive,expected_json,packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,groups,expected_json,packages/google_workspace/data_stream/groups/_dev/test/pipeline/test-groups.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,login,expected_json,packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,meet,expected_json,packages/google_workspace/data_stream/meet/_dev/test/pipeline/test-meet.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,data_studio,expected_json,packages/google_workspace/data_stream/data_studio/_dev/test/pipeline/test-data-studio.log-expected.json,0,target_domain,other_vendor_or_nested,entity_target_generic +google_workspace,drive,expected_json,packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json,0,target_domain,other_vendor_or_nested,entity_target_generic +google_workspace,drive,expected_json,packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json,0,target_user,other_vendor_or_nested,likely_user_target_or_entity +google_workspace,data_studio,expected_json,packages/google_workspace/data_stream/data_studio/_dev/test/pipeline/test-data-studio.log-expected.json,0,target_user_email,other_vendor_or_nested,likely_user_target_or_entity +google_workspace,chat,expected_json,packages/google_workspace/data_stream/chat/_dev/test/pipeline/test-chat.log-expected.json,0,target_user_role,other_vendor_or_nested,likely_user_target_or_entity 
+google_workspace,chat,expected_json,packages/google_workspace/data_stream/chat/_dev/test/pipeline/test-chat.log-expected.json,0,target_users,other_vendor_or_nested,likely_user_target_or_entity +google_workspace,data_studio,ingest_pipeline,packages/google_workspace/data_stream/data_studio/elasticsearch/ingest_pipeline/default.yml,314,user.target.domain,ecs_top_level,likely_user_target_or_entity +google_workspace,calendar,ingest_pipeline,packages/google_workspace/data_stream/calendar/elasticsearch/ingest_pipeline/default.yml,410,user.target.email,ecs_top_level,likely_user_target_or_entity +google_workspace,chat,ingest_pipeline,packages/google_workspace/data_stream/chat/elasticsearch/ingest_pipeline/default.yml,378,user.target.email,ecs_top_level,likely_user_target_or_entity +google_workspace,data_studio,ingest_pipeline,packages/google_workspace/data_stream/data_studio/elasticsearch/ingest_pipeline/default.yml,319,user.target.email,ecs_top_level,likely_user_target_or_entity +google_workspace,meet,ingest_pipeline,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,948,user.target.email,ecs_top_level,likely_user_target_or_entity +google_workspace,vault,ingest_pipeline,packages/google_workspace/data_stream/vault/elasticsearch/ingest_pipeline/default.yml,460,user.target.email,ecs_top_level,likely_user_target_or_entity +google_workspace,admin,ingest_pipeline,packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml,1314,user.target.group.domain,ecs_top_level,likely_user_target_or_entity +google_workspace,groups,ingest_pipeline,packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml,304,user.target.group.domain,ecs_top_level,likely_user_target_or_entity +google_workspace,admin,ingest_pipeline,packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml,1310,user.target.group.name,ecs_top_level,likely_user_target_or_entity 
+google_workspace,groups,ingest_pipeline,packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml,300,user.target.group.name,ecs_top_level,likely_user_target_or_entity +google_workspace,meet,ingest_pipeline,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,953,user.target.name,ecs_top_level,likely_user_target_or_entity +greenhouse,audit,fields_yml_nested,packages/greenhouse/data_stream/audit/fields/fields.yml,62,event.target_id,ecs_top_level,entity_target_generic +greenhouse,audit,fields_yml_nested,packages/greenhouse/data_stream/audit/fields/fields.yml,66,event.target_type,ecs_top_level,entity_target_generic +greenhouse,audit,ingest_pipeline,packages/greenhouse/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,181,greenhouse.audit.event.target_id,vendor_root,entity_target_generic +greenhouse,audit,expected_json,packages/greenhouse/data_stream/audit/_dev/test/pipeline/test-audit-events.json-expected.json,0,target_id,other_vendor_or_nested,entity_target_generic +greenhouse,audit,expected_json,packages/greenhouse/data_stream/audit/_dev/test/pipeline/test-audit-events.json-expected.json,0,target_type,other_vendor_or_nested,entity_target_generic +hid_bravura_monitor,winlog,expected_json,packages/hid_bravura_monitor/data_stream/winlog/_dev/test/pipeline/test-hid-bravura-monitor-events.json-expected.json,0,FailedTargets,other_vendor_or_nested,entity_target_generic +hid_bravura_monitor,log,expected_json,packages/hid_bravura_monitor/data_stream/log/_dev/test/pipeline/test-hid-bravura-monitor.log-expected.json,0,targetid,other_vendor_or_nested,entity_target_generic +hid_bravura_monitor,winlog,ingest_pipeline,packages/hid_bravura_monitor/data_stream/winlog/elasticsearch/ingest_pipeline/default.yml,38,winlog.event_data.FailedTargets,other_vendor_or_nested,entity_target_generic 
+hid_bravura_monitor,winlog,fields_yml_nested,packages/hid_bravura_monitor/data_stream/winlog/fields/winlog.yml,95,winlog.event_data.FailedTargets,other_vendor_or_nested,entity_target_generic +hid_bravura_monitor,winlog,fields_yml_nested,packages/hid_bravura_monitor/data_stream/winlog/fields/winlog.yml,206,winlog.event_data.Target,other_vendor_or_nested,entity_target_generic +hid_bravura_monitor,winlog,fields_yml_nested,packages/hid_bravura_monitor/data_stream/winlog/fields/winlog.yml,208,winlog.event_data.TargetName,other_vendor_or_nested,entity_target_generic +infoblox_bloxone_ddi,dns_data,ingest_pipeline,packages/infoblox_bloxone_ddi/data_stream/dns_data/elasticsearch/ingest_pipeline/default.yml,203,infoblox_bloxone_ddi.dns_data.rdata.target,vendor_root,entity_target_generic +infoblox_bloxone_ddi,dns_data,ingest_pipeline,packages/infoblox_bloxone_ddi/data_stream/dns_data/elasticsearch/ingest_pipeline/default.yml,202,json.rdata.target,other_vendor_or_nested,entity_target_generic +infoblox_bloxone_ddi,dns_data,fields_yml_nested,packages/infoblox_bloxone_ddi/data_stream/dns_data/fields/fields.yml,166,rdata.target,other_vendor_or_nested,entity_target_generic +infoblox_bloxone_ddi,dns_data,expected_json,packages/infoblox_bloxone_ddi/data_stream/dns_data/_dev/test/pipeline/test-pipeline-dns-data.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +island_browser,audit,expected_json,packages/island_browser/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target_server,other_vendor_or_nested,entity_target_generic +jamf_compliance_reporter,log,fields_yml_nested,packages/jamf_compliance_reporter/data_stream/log/fields/fields.yml,71,arguments.target,other_vendor_or_nested,entity_target_generic +jamf_compliance_reporter,log,fields_yml_nested,packages/jamf_compliance_reporter/data_stream/log/fields/fields.yml,74,arguments.target.port,other_vendor_or_nested,entity_target_generic 
+jamf_compliance_reporter,log,ingest_pipeline,packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_taskforpid.yml,6,jamf_compliance_reporter.log.arguments.target.port,vendor_root,entity_target_generic +jamf_compliance_reporter,log,ingest_pipeline,packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_tasknameforpid.yml,12,jamf_compliance_reporter.log.arguments.target.port,vendor_root,entity_target_generic +jamf_compliance_reporter,log,ingest_pipeline,packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_taskforpid.yml,5,json.arguments.target_port,other_vendor_or_nested,entity_target_generic +jamf_compliance_reporter,log,ingest_pipeline,packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_tasknameforpid.yml,11,json.arguments.target_port,other_vendor_or_nested,entity_target_generic +jamf_compliance_reporter,log,expected_json,packages/jamf_compliance_reporter/data_stream/log/_dev/test/pipeline/test-pipeline-audit.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +jamf_protect,telemetry_legacy,fields_yml_nested,packages/jamf_protect/data_stream/telemetry_legacy/fields/fields.yml,50,arguments.target,other_vendor_or_nested,entity_target_generic +jamf_protect,telemetry_legacy,fields_yml_nested,packages/jamf_protect/data_stream/telemetry_legacy/fields/fields.yml,53,arguments.target.port,other_vendor_or_nested,entity_target_generic +jamf_protect,telemetry_legacy,ingest_pipeline,packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_taskforpid.yml,6,jamf_protect.telemetry.arguments.target.port,vendor_root,entity_target_generic 
+jamf_protect,telemetry_legacy,ingest_pipeline,packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_tasknameforpid.yml,12,jamf_protect.telemetry.arguments.target.port,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_chroot.yml,12,jamf_protect.telemetry.event.chroot.target.path,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,43,jamf_protect.telemetry.event.exec.target.audit_token.e_username,vendor_root,likely_user_target_or_entity +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,27,jamf_protect.telemetry.event.exec.target.audit_token.egid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,32,jamf_protect.telemetry.event.exec.target.audit_token.euid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,94,jamf_protect.telemetry.event.exec.target.audit_token.pid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,103,jamf_protect.telemetry.event.exec.target.audit_token.uuid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,55,jamf_protect.telemetry.event.exec.target.cdhash,vendor_root,entity_target_generic 
+jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,161,jamf_protect.telemetry.event.exec.target.codesigning_flags,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,107,jamf_protect.telemetry.event.exec.target.executable.path,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,59,jamf_protect.telemetry.event.exec.target.executable.sha1,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,63,jamf_protect.telemetry.event.exec.target.executable.sha256,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,51,jamf_protect.telemetry.event.exec.target.is_es_client,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,47,jamf_protect.telemetry.event.exec.target.is_platform_binary,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,188,jamf_protect.telemetry.event.exec.target.parent_audit_token.e_username,vendor_root,likely_user_target_or_entity +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,178,jamf_protect.telemetry.event.exec.target.parent_audit_token.euid,vendor_root,entity_target_generic 
+jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,201,jamf_protect.telemetry.event.exec.target.parent_audit_token.exec_path,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,174,jamf_protect.telemetry.event.exec.target.parent_audit_token.pid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,192,jamf_protect.telemetry.event.exec.target.parent_audit_token.rgid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,183,jamf_protect.telemetry.event.exec.target.parent_audit_token.ruid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,197,jamf_protect.telemetry.event.exec.target.parent_audit_token.signing_id,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,170,jamf_protect.telemetry.event.exec.target.parent_audit_token.uuid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,222,jamf_protect.telemetry.event.exec.target.responsible_audit_token.e_username,vendor_root,likely_user_target_or_entity +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,217,jamf_protect.telemetry.event.exec.target.responsible_audit_token.euid,vendor_root,entity_target_generic 
+jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,240,jamf_protect.telemetry.event.exec.target.responsible_audit_token.exec_path,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,213,jamf_protect.telemetry.event.exec.target.responsible_audit_token.pid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,231,jamf_protect.telemetry.event.exec.target.responsible_audit_token.rgid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,226,jamf_protect.telemetry.event.exec.target.responsible_audit_token.ruid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,236,jamf_protect.telemetry.event.exec.target.responsible_audit_token.signing_id,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,209,jamf_protect.telemetry.event.exec.target.responsible_audit_token.uuid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,153,jamf_protect.telemetry.event.exec.target.signing_id,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,23,jamf_protect.telemetry.event.exec.target.start_time,vendor_root,entity_target_generic 
+jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,157,jamf_protect.telemetry.event.exec.target.team_id,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,82,jamf_protect.telemetry.event.exec.target.tty.path,vendor_root,entity_target_generic +jamf_protect,telemetry_legacy,ingest_pipeline,packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_taskforpid.yml,5,json.arguments.target_port,other_vendor_or_nested,entity_target_generic +jamf_protect,telemetry_legacy,ingest_pipeline,packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_tasknameforpid.yml,11,json.arguments.target_port,other_vendor_or_nested,entity_target_generic +jumpcloud,events,fields_yml_nested,packages/jumpcloud/data_stream/events/fields/fields.yml,470,jumpcloud.event.target_resource,vendor_root,entity_target_generic +jumpcloud,events,fields_yml_nested,packages/jumpcloud/data_stream/events/fields/fields.yml,473,jumpcloud.event.target_resource.type,vendor_root,entity_target_generic +juniper_junos,log,fields_yml_nested,packages/juniper_junos/data_stream/log/fields/fields.yml,553,rsa.misc.context_target,other_vendor_or_nested,entity_target_generic +juniper_junos,log,fields_yml_nested,packages/juniper_junos/data_stream/log/fields/fields.yml,893,rsa.misc.cs_targetmodule,other_vendor_or_nested,entity_target_generic +juniper_junos,log,fields_yml_nested,packages/juniper_junos/data_stream/log/fields/fields.yml,576,rsa.misc.vm_target,other_vendor_or_nested,entity_target_generic +juniper_netscreen,log,fields_yml_nested,packages/juniper_netscreen/data_stream/log/fields/fields.yml,553,rsa.misc.context_target,other_vendor_or_nested,entity_target_generic 
+juniper_netscreen,log,fields_yml_nested,packages/juniper_netscreen/data_stream/log/fields/fields.yml,893,rsa.misc.cs_targetmodule,other_vendor_or_nested,entity_target_generic +juniper_netscreen,log,fields_yml_nested,packages/juniper_netscreen/data_stream/log/fields/fields.yml,576,rsa.misc.vm_target,other_vendor_or_nested,entity_target_generic +jupiter_one,asset,fields_yml_nested,packages/jupiter_one/data_stream/asset/fields/fields.yml,261,jupiter_one.asset.properties.target_details,vendor_root,entity_target_generic +jupiter_one,risks_and_alerts,fields_yml_nested,packages/jupiter_one/data_stream/risks_and_alerts/fields/fields.yml,261,jupiter_one.asset.properties.target_details,vendor_root,entity_target_generic +jupiter_one,asset,fields_yml_nested,packages/jupiter_one/data_stream/asset/fields/fields.yml,264,jupiter_one.asset.properties.targets,vendor_root,entity_target_generic +jupiter_one,risks_and_alerts,fields_yml_nested,packages/jupiter_one/data_stream/risks_and_alerts/fields/fields.yml,264,jupiter_one.asset.properties.targets,vendor_root,entity_target_generic +keycloak,log,expected_json,packages/keycloak/data_stream/log/_dev/test/pipeline/test-log.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +lumos,activity_logs,fields_yml_flat,packages/lumos/data_stream/activity_logs/fields/fields.yml,22,lumos.activity_logs.targets,vendor_root,entity_target_generic +lumos,activity_logs,fields_yml_flat,packages/lumos/data_stream/activity_logs/fields/fields.yml,26,lumos.activity_logs.targets.name,vendor_root,entity_target_generic +lumos,activity_logs,fields_yml_flat,packages/lumos/data_stream/activity_logs/fields/fields.yml,24,lumos.activity_logs.targets.target_type,vendor_root,entity_target_generic +lumos,activity_logs,expected_json,packages/lumos/data_stream/activity_logs/_dev/test/pipeline/test-activity-logs.log-expected.json,0,target_type,other_vendor_or_nested,entity_target_generic 
+lumos,activity_logs,expected_json,packages/lumos/data_stream/activity_logs/_dev/test/pipeline/test-activity-logs.log-expected.json,0,targets,other_vendor_or_nested,entity_target_generic +m365_defender,event,expected_json,packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json,0,Target,other_vendor_or_nested,entity_target_generic +m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml,1776,Target.process.command_line,other_vendor_or_nested,entity_target_generic +m365_defender,event,fields_yml_flat,packages/m365_defender/data_stream/event/fields/fields.yml,1213,Target.process.command_line,other_vendor_or_nested,entity_target_generic +m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml,1782,Target.process.executable,other_vendor_or_nested,entity_target_generic +m365_defender,event,fields_yml_flat,packages/m365_defender/data_stream/event/fields/fields.yml,1219,Target.process.executable,other_vendor_or_nested,entity_target_generic +m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml,1770,Target.process.name,other_vendor_or_nested,entity_target_generic +m365_defender,event,fields_yml_flat,packages/m365_defender/data_stream/event/fields/fields.yml,1207,Target.process.name,other_vendor_or_nested,entity_target_generic +m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml,542,json.properties.QueryTarget,other_vendor_or_nested,entity_target_generic +m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml,532,json.properties.TargetAccountDisplayName,other_vendor_or_nested,entity_target_generic 
+m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml,552,json.properties.TargetAccountUpn,other_vendor_or_nested,likely_user_target_or_entity +m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml,429,json.properties.TargetDeviceName,other_vendor_or_nested,likely_host_target_or_entity +m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml,543,m365_defender.event.query.target,vendor_root,entity_target_generic +m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml,533,m365_defender.event.target.account_display_name,vendor_root,entity_target_generic +m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml,553,m365_defender.event.target.account_upn,vendor_root,likely_user_target_or_entity +m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml,430,m365_defender.event.target.device_name,vendor_root,likely_host_target_or_entity +m365_defender,event,fields_yml_nested,packages/m365_defender/data_stream/event/fields/fields.yml,900,query.target,other_vendor_or_nested,entity_target_generic +m365_defender,event,expected_json,packages/m365_defender/data_stream/event/_dev/test/pipeline/test-app-and-identity.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +m365_defender,event,fields_yml_nested,packages/m365_defender/data_stream/event/fields/fields.yml,1092,target.account_display_name,other_vendor_or_nested,entity_target_generic 
+m365_defender,event,fields_yml_nested,packages/m365_defender/data_stream/event/fields/fields.yml,1095,target.account_upn,other_vendor_or_nested,likely_user_target_or_entity +m365_defender,event,fields_yml_nested,packages/m365_defender/data_stream/event/fields/fields.yml,1098,target.device_name,other_vendor_or_nested,likely_host_target_or_entity +mattermost,audit,expected_json,packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +mattermost,audit,ingest_pipeline,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,127,user.target.id,ecs_top_level,likely_user_target_or_entity +mattermost,audit,ingest_pipeline,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,131,user.target.name,ecs_top_level,likely_user_target_or_entity +mattermost,audit,ingest_pipeline,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,135,user.target.roles,ecs_top_level,likely_user_target_or_entity +microsoft_defender_cloud,assessment,fields_yml_nested,packages/microsoft_defender_cloud/data_stream/assessment/fields/fields.yml,244,microsoft_defender_cloud.assessment.additional_data.sub_assessment.additional_data.resource_id_as_target_node_id,vendor_root,entity_target_generic +microsoft_defender_cloud,assessment,fields_yml_nested,packages/microsoft_defender_cloud/data_stream/assessment/fields/fields.yml,247,microsoft_defender_cloud.assessment.additional_data.sub_assessment.additional_data.resource_id_as_target_node_id.azure_resource_id,vendor_root,entity_target_generic +microsoft_defender_cloud,assessment,fields_yml_nested,packages/microsoft_defender_cloud/data_stream/assessment/fields/fields.yml,249,microsoft_defender_cloud.assessment.additional_data.sub_assessment.additional_data.resource_id_as_target_node_id.target_resource_id,vendor_root,entity_target_generic 
+microsoft_defender_cloud,assessment,fields_yml_nested,packages/microsoft_defender_cloud/data_stream/assessment/fields/fields.yml,251,microsoft_defender_cloud.assessment.additional_data.sub_assessment.additional_data.resource_id_as_target_node_id.target_resource_type,vendor_root,entity_target_generic +microsoft_defender_cloud,assessment,fields_yml_nested,packages/microsoft_defender_cloud/data_stream/assessment/fields/fields.yml,329,microsoft_defender_cloud.assessment.additional_data.sub_assessment.additional_data.vulnerability_details.cpe.target_hardware,vendor_root,entity_target_generic +microsoft_defender_cloud,assessment,fields_yml_nested,packages/microsoft_defender_cloud/data_stream/assessment/fields/fields.yml,331,microsoft_defender_cloud.assessment.additional_data.sub_assessment.additional_data.vulnerability_details.cpe.target_software,vendor_root,entity_target_generic +microsoft_defender_cloud,assessment,expected_json,packages/microsoft_defender_cloud/data_stream/assessment/_dev/test/pipeline/test-assessment.log-expected.json,0,resource_id_as_target_node_id,other_vendor_or_nested,entity_target_generic +microsoft_defender_cloud,assessment,expected_json,packages/microsoft_defender_cloud/data_stream/assessment/_dev/test/pipeline/test-assessment.log-expected.json,0,target_hardware,other_vendor_or_nested,entity_target_generic +microsoft_defender_cloud,assessment,expected_json,packages/microsoft_defender_cloud/data_stream/assessment/_dev/test/pipeline/test-assessment.log-expected.json,0,target_resource_id,other_vendor_or_nested,entity_target_generic +microsoft_defender_cloud,assessment,expected_json,packages/microsoft_defender_cloud/data_stream/assessment/_dev/test/pipeline/test-assessment.log-expected.json,0,target_resource_type,other_vendor_or_nested,entity_target_generic 
+microsoft_defender_cloud,assessment,expected_json,packages/microsoft_defender_cloud/data_stream/assessment/_dev/test/pipeline/test-assessment.log-expected.json,0,target_software,other_vendor_or_nested,entity_target_generic +microsoft_exchange_server,httpproxy,expected_json,packages/microsoft_exchange_server/data_stream/httpproxy/_dev/test/pipeline/test-httpproxy.log-expected.json,0,calculatetargetbackendlatency,other_vendor_or_nested,entity_target_generic +microsoft_exchange_server,httpproxy,fields_yml_flat,packages/microsoft_exchange_server/data_stream/httpproxy/fields/fields.yml,59,microsoft.exchange.calculatetargetbackendlatency,other_vendor_or_nested,entity_target_generic +microsoft_exchange_server,httpproxy,fields_yml_flat,packages/microsoft_exchange_server/data_stream/httpproxy/fields/fields.yml,53,microsoft.exchange.targetoutstandingrequests,other_vendor_or_nested,entity_target_generic +microsoft_exchange_server,httpproxy,fields_yml_flat,packages/microsoft_exchange_server/data_stream/httpproxy/fields/fields.yml,39,microsoft.exchange.targetserver,other_vendor_or_nested,entity_target_generic +microsoft_exchange_server,httpproxy,fields_yml_flat,packages/microsoft_exchange_server/data_stream/httpproxy/fields/fields.yml,41,microsoft.exchange.targetserverversion,other_vendor_or_nested,entity_target_generic +microsoft_exchange_server,httpproxy,expected_json,packages/microsoft_exchange_server/data_stream/httpproxy/_dev/test/pipeline/test-httpproxy.log-expected.json,0,targetserver,other_vendor_or_nested,entity_target_generic +microsoft_exchange_server,httpproxy,expected_json,packages/microsoft_exchange_server/data_stream/httpproxy/_dev/test/pipeline/test-httpproxy.log-expected.json,0,targetserverversion,other_vendor_or_nested,entity_target_generic +microsoft_intune,audit,ingest_pipeline,packages/microsoft_intune/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,258,json.properties.TargetDisplayNames,other_vendor_or_nested,entity_target_generic 
+microsoft_intune,audit,ingest_pipeline,packages/microsoft_intune/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,263,json.properties.TargetObjectIds,other_vendor_or_nested,entity_target_generic +microsoft_intune,audit,ingest_pipeline,packages/microsoft_intune/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,268,json.properties.Targets,other_vendor_or_nested,entity_target_generic +microsoft_intune,audit,ingest_pipeline,packages/microsoft_intune/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,260,microsoft_intune.audit.properties.target_display_names,vendor_root,entity_target_generic +microsoft_intune,audit,fields_yml_nested,packages/microsoft_intune/data_stream/audit/fields/fields.yml,90,microsoft_intune.audit.properties.target_display_names,vendor_root,entity_target_generic +microsoft_intune,audit,ingest_pipeline,packages/microsoft_intune/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,265,microsoft_intune.audit.properties.target_object_ids,vendor_root,entity_target_generic +microsoft_intune,audit,fields_yml_nested,packages/microsoft_intune/data_stream/audit/fields/fields.yml,93,microsoft_intune.audit.properties.target_object_ids,vendor_root,entity_target_generic +microsoft_intune,audit,ingest_pipeline,packages/microsoft_intune/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,337,microsoft_intune.audit.properties.targets,vendor_root,entity_target_generic +microsoft_intune,audit,fields_yml_nested,packages/microsoft_intune/data_stream/audit/fields/fields.yml,96,microsoft_intune.audit.properties.targets,vendor_root,entity_target_generic +microsoft_intune,audit,fields_yml_nested,packages/microsoft_intune/data_stream/audit/fields/fields.yml,99,microsoft_intune.audit.properties.targets.modified_properties,vendor_root,entity_target_generic 
+microsoft_intune,audit,fields_yml_nested,packages/microsoft_intune/data_stream/audit/fields/fields.yml,102,microsoft_intune.audit.properties.targets.modified_properties.name,vendor_root,entity_target_generic +microsoft_intune,audit,fields_yml_nested,packages/microsoft_intune/data_stream/audit/fields/fields.yml,105,microsoft_intune.audit.properties.targets.modified_properties.new,vendor_root,entity_target_generic +microsoft_intune,audit,fields_yml_nested,packages/microsoft_intune/data_stream/audit/fields/fields.yml,108,microsoft_intune.audit.properties.targets.modified_properties.old,vendor_root,entity_target_generic +microsoft_intune,audit,fields_yml_nested,packages/microsoft_intune/data_stream/audit/fields/fields.yml,111,microsoft_intune.audit.properties.targets.name,vendor_root,entity_target_generic +microsoft_intune,audit,expected_json,packages/microsoft_intune/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target_display_names,other_vendor_or_nested,entity_target_generic +microsoft_intune,audit,expected_json,packages/microsoft_intune/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target_object_ids,other_vendor_or_nested,entity_target_generic +microsoft_intune,audit,expected_json,packages/microsoft_intune/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,targets,other_vendor_or_nested,entity_target_generic +microsoft_sqlserver,performance,expected_json,packages/microsoft_sqlserver/data_stream/performance/_dev/test/pipeline/test-performance.json-expected.json,0,buffer_target_pages,other_vendor_or_nested,entity_target_generic +microsoft_sqlserver,performance,fields_yml_nested,packages/microsoft_sqlserver/data_stream/performance/fields/fields.yml,94,mssql.metrics.buffer_target_pages,other_vendor_or_nested,entity_target_generic 
+microsoft_sqlserver,audit,fields_yml_nested,packages/microsoft_sqlserver/data_stream/audit/fields/fields.yml,53,sqlserver.audit.target_database_principal_id,other_vendor_or_nested,likely_user_target_or_entity +microsoft_sqlserver,audit,fields_yml_nested,packages/microsoft_sqlserver/data_stream/audit/fields/fields.yml,77,sqlserver.audit.target_database_principal_name,other_vendor_or_nested,likely_user_target_or_entity +microsoft_sqlserver,audit,fields_yml_nested,packages/microsoft_sqlserver/data_stream/audit/fields/fields.yml,50,sqlserver.audit.target_server_principal_id,other_vendor_or_nested,likely_user_target_or_entity +microsoft_sqlserver,audit,ingest_pipeline,packages/microsoft_sqlserver/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1228,sqlserver.audit.target_server_principal_name,other_vendor_or_nested,likely_user_target_or_entity +microsoft_sqlserver,audit,fields_yml_nested,packages/microsoft_sqlserver/data_stream/audit/fields/fields.yml,71,sqlserver.audit.target_server_principal_name,other_vendor_or_nested,likely_user_target_or_entity +microsoft_sqlserver,audit,ingest_pipeline,packages/microsoft_sqlserver/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1231,sqlserver.audit.target_server_principal_sid,other_vendor_or_nested,likely_user_target_or_entity +microsoft_sqlserver,audit,fields_yml_nested,packages/microsoft_sqlserver/data_stream/audit/fields/fields.yml,74,sqlserver.audit.target_server_principal_sid,other_vendor_or_nested,likely_user_target_or_entity +microsoft_sqlserver,audit,expected_json,packages/microsoft_sqlserver/data_stream/audit/_dev/test/pipeline/test-events.json-expected.json,0,target_database_principal_id,other_vendor_or_nested,likely_user_target_or_entity +microsoft_sqlserver,audit,expected_json,packages/microsoft_sqlserver/data_stream/audit/_dev/test/pipeline/test-events.json-expected.json,0,target_server_principal_id,other_vendor_or_nested,likely_user_target_or_entity 
+microsoft_sqlserver,audit,ingest_pipeline,packages/microsoft_sqlserver/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1230,user.target.id,ecs_top_level,likely_user_target_or_entity +microsoft_sqlserver,audit,ingest_pipeline,packages/microsoft_sqlserver/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1227,user.target.name,ecs_top_level,likely_user_target_or_entity +mimecast,threat_intel_malware_customer,fields_yml_nested,packages/mimecast/data_stream/threat_intel_malware_customer/fields/field.yml,69,mimecast.target_ref,vendor_root,entity_target_generic +mimecast,threat_intel_malware_grid,fields_yml_nested,packages/mimecast/data_stream/threat_intel_malware_grid/fields/field.yml,49,mimecast.target_ref,vendor_root,entity_target_generic +mongodb_atlas,organization,ingest_pipeline,packages/mongodb_atlas/data_stream/organization/elasticsearch/ingest_pipeline/default.yml,255,mongodb_atlas.organization.target.username,vendor_root,likely_user_target_or_entity +mongodb_atlas,organization,ingest_pipeline,packages/mongodb_atlas/data_stream/organization/elasticsearch/ingest_pipeline/default.yml,251,mongodb_atlas.organization.target_public_key,vendor_root,entity_target_generic +mongodb_atlas,process,fields_yml_nested,packages/mongodb_atlas/data_stream/process/fields/fields.yml,499,mongodb_atlas.process.query.targeting,vendor_root,entity_target_generic +mongodb_atlas,process,ingest_pipeline,packages/mongodb_atlas/data_stream/process/elasticsearch/ingest_pipeline/default.yml,365,mongodb_atlas.process.query.targeting.scanned_objects_per_returned,vendor_root,entity_target_generic +mongodb_atlas,process,fields_yml_nested,packages/mongodb_atlas/data_stream/process/fields/fields.yml,502,mongodb_atlas.process.query.targeting.scanned_objects_per_returned,vendor_root,entity_target_generic 
+mongodb_atlas,process,ingest_pipeline,packages/mongodb_atlas/data_stream/process/elasticsearch/ingest_pipeline/default.yml,369,mongodb_atlas.process.query.targeting.scanned_per_returned,vendor_root,entity_target_generic +mongodb_atlas,process,fields_yml_nested,packages/mongodb_atlas/data_stream/process/fields/fields.yml,506,mongodb_atlas.process.query.targeting.scanned_per_returned,vendor_root,entity_target_generic +mongodb_atlas,project,ingest_pipeline,packages/mongodb_atlas/data_stream/project/elasticsearch/ingest_pipeline/default.yml,315,mongodb_atlas.project.target.username,vendor_root,likely_user_target_or_entity +mongodb_atlas,project,ingest_pipeline,packages/mongodb_atlas/data_stream/project/elasticsearch/ingest_pipeline/default.yml,311,mongodb_atlas.project.target_public_key,vendor_root,entity_target_generic +mongodb_atlas,project,fields_yml_nested,packages/mongodb_atlas/data_stream/project/fields/fields.yml,149,mongodb_atlas.project.target_public_key,vendor_root,entity_target_generic +mongodb_atlas,process,ingest_pipeline,packages/mongodb_atlas/data_stream/process/elasticsearch/ingest_pipeline/default.yml,364,response.QUERY_TARGETING_SCANNED_OBJECTS_PER_RETURNED,other_vendor_or_nested,entity_target_generic +mongodb_atlas,process,ingest_pipeline,packages/mongodb_atlas/data_stream/process/elasticsearch/ingest_pipeline/default.yml,368,response.QUERY_TARGETING_SCANNED_PER_RETURNED,other_vendor_or_nested,entity_target_generic +mongodb_atlas,organization,ingest_pipeline,packages/mongodb_atlas/data_stream/organization/elasticsearch/ingest_pipeline/default.yml,250,response.targetPublicKey,other_vendor_or_nested,entity_target_generic +mongodb_atlas,project,ingest_pipeline,packages/mongodb_atlas/data_stream/project/elasticsearch/ingest_pipeline/default.yml,310,response.targetPublicKey,other_vendor_or_nested,entity_target_generic 
+mongodb_atlas,organization,ingest_pipeline,packages/mongodb_atlas/data_stream/organization/elasticsearch/ingest_pipeline/default.yml,254,response.targetUsername,other_vendor_or_nested,likely_user_target_or_entity +mongodb_atlas,project,ingest_pipeline,packages/mongodb_atlas/data_stream/project/elasticsearch/ingest_pipeline/default.yml,314,response.targetUsername,other_vendor_or_nested,likely_user_target_or_entity +mongodb_atlas,organization,expected_json,packages/mongodb_atlas/data_stream/organization/_dev/test/pipeline/test-mongodb-organization.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +mongodb_atlas,project,expected_json,packages/mongodb_atlas/data_stream/project/_dev/test/pipeline/test-project.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +mongodb_atlas,organization,fields_yml_flat,packages/mongodb_atlas/data_stream/organization/fields/fields.yml,94,target.username,other_vendor_or_nested,likely_user_target_or_entity +mongodb_atlas,project,fields_yml_flat,packages/mongodb_atlas/data_stream/project/fields/fields.yml,152,target.username,other_vendor_or_nested,likely_user_target_or_entity +mongodb_atlas,organization,expected_json,packages/mongodb_atlas/data_stream/organization/_dev/test/pipeline/test-mongodb-organization.json-expected.json,0,target_public_key,other_vendor_or_nested,entity_target_generic +mongodb_atlas,project,expected_json,packages/mongodb_atlas/data_stream/project/_dev/test/pipeline/test-project.json-expected.json,0,target_public_key,other_vendor_or_nested,entity_target_generic +mongodb_atlas,organization,expected_json,packages/mongodb_atlas/data_stream/organization/_dev/test/pipeline/test-mongodb-organization.json-expected.json,0,target_username,other_vendor_or_nested,likely_user_target_or_entity 
+mongodb_atlas,project,expected_json,packages/mongodb_atlas/data_stream/project/_dev/test/pipeline/test-project.json-expected.json,0,target_username,other_vendor_or_nested,likely_user_target_or_entity +mongodb_atlas,process,expected_json,packages/mongodb_atlas/data_stream/process/_dev/test/pipeline/test-process-metrics.json-expected.json,0,targeting,other_vendor_or_nested,entity_target_generic +mysql_enterprise,audit,expected_json,packages/mysql_enterprise/data_stream/audit/_dev/test/pipeline/test-mysql-audit.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +netflow,log,fields_yml_nested,packages/netflow/data_stream/log/fields/package-fields.yml,308,netflow.dns_srv_target,vendor_root,entity_target_generic +netflow,log,fields_yml_nested,packages/netflow/data_stream/log/fields/package-fields.yml,548,netflow.http_request_target,vendor_root,entity_target_generic +netscout,sightline,fields_yml_nested,packages/netscout/data_stream/sightline/fields/fields.yml,553,rsa.misc.context_target,other_vendor_or_nested,entity_target_generic +netscout,sightline,fields_yml_nested,packages/netscout/data_stream/sightline/fields/fields.yml,893,rsa.misc.cs_targetmodule,other_vendor_or_nested,entity_target_generic +netscout,sightline,fields_yml_nested,packages/netscout/data_stream/sightline/fields/fields.yml,576,rsa.misc.vm_target,other_vendor_or_nested,entity_target_generic +netskope,alerts,fields_yml_nested,packages/netskope/data_stream/alerts/fields/fields.yml,243,breach.target_references,other_vendor_or_nested,entity_target_generic +netskope,alerts,expected_json,packages/netskope/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json,0,target_references,other_vendor_or_nested,entity_target_generic +netskope,alerts_events_v2,ingest_pipeline,packages/netskope/data_stream/alerts_events_v2/elasticsearch/ingest_pipeline/pipeline_events_v2.yml,882,user.target.email,ecs_top_level,likely_user_target_or_entity 
+network_traffic,cassandra,fields_yml_nested,packages/network_traffic/data_stream/cassandra/fields/protocol.yml,219,cassandra.response.event.schema_change.target,other_vendor_or_nested,entity_target_generic
+network_traffic,cassandra,fields_yml_nested,packages/network_traffic/data_stream/cassandra/fields/protocol.yml,114,cassandra.response.result.schema_change.target,other_vendor_or_nested,entity_target_generic
+network_traffic,cassandra,fields_yml_nested,packages/network_traffic/data_stream/cassandra/fields/protocol_ecs.yml,219,response.event.schema_change.target,other_vendor_or_nested,entity_target_generic
+network_traffic,cassandra,fields_yml_nested,packages/network_traffic/data_stream/cassandra/fields/protocol_ecs.yml,114,response.result.schema_change.target,other_vendor_or_nested,entity_target_generic
+o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json,0,Target,other_vendor_or_nested,entity_target_generic
+o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json,0,Target,other_vendor_or_nested,entity_target_generic
+o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json,0,Target,other_vendor_or_nested,entity_target_generic
+o365,audit,fields_yml_nested,packages/o365/data_stream/audit/fields/fields.yml,643,Target.ID,other_vendor_or_nested,entity_target_generic
+o365,audit,fields_yml_nested,packages/o365/data_stream/audit/fields/fields.yml,645,Target.Type,other_vendor_or_nested,entity_target_generic
+o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json,0,TargetContextId,other_vendor_or_nested,entity_target_generic
+o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json,0,TargetContextId,other_vendor_or_nested,entity_target_generic
+o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json,0,TargetContextId,other_vendor_or_nested,entity_target_generic
+o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json,0,TargetId_ServicePrincipalNames,other_vendor_or_nested,likely_user_target_or_entity
+o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json-expected.json,0,TargetUserOrGroupName,other_vendor_or_nested,likely_user_target_or_entity
+o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json-expected.json,0,TargetUserOrGroupType,other_vendor_or_nested,likely_user_target_or_entity
+o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json,0,additionalTargets,other_vendor_or_nested,entity_target_generic
+o365,audit,ingest_pipeline,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1567,o365audit.Target,other_vendor_or_nested,entity_target_generic
+o365,audit,ingest_pipeline,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,82,o365audit.TargetFilePath,other_vendor_or_nested,entity_target_generic
+o365,audit,ingest_pipeline,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1155,o365audit.TargetUserId,other_vendor_or_nested,likely_user_target_or_entity
+o365,audit,ingest_pipeline,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1171,o365audit.TargetYammerUserId,other_vendor_or_nested,likely_user_target_or_entity
+o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json,0,targetContextId,other_vendor_or_nested,entity_target_generic
+o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json,0,targetIncludedUpdatedProperties,other_vendor_or_nested,entity_target_generic
+o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json,0,targetName,other_vendor_or_nested,entity_target_generic
+o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json,0,targetObjectId,other_vendor_or_nested,entity_target_generic
+o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json,0,targetSPN,other_vendor_or_nested,entity_target_generic
+o365,audit,ingest_pipeline,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,682,user.target.id,ecs_top_level,likely_user_target_or_entity
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,308,json.target,other_vendor_or_nested,entity_target_generic
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,309,okta.target,vendor_root,entity_target_generic
+okta,system,fields_yml_flat,packages/okta/data_stream/system/fields/fields.yml,136,okta.target,vendor_root,entity_target_generic
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,552,okta_target_group.display_name,other_vendor_or_nested,entity_target_generic
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,556,okta_target_group.id,other_vendor_or_nested,entity_target_generic
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,540,okta_target_user.display_name,other_vendor_or_nested,likely_user_target_or_entity
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,544,okta_target_user.id,other_vendor_or_nested,likely_user_target_or_entity
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,548,okta_target_user.login,other_vendor_or_nested,likely_user_target_or_entity
+okta,system,expected_json,packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+okta,system,expected_json,packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-no-flattened-events.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+okta,system,expected_json,packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-yes-flattened-events.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,547,user.target.email,ecs_top_level,likely_user_target_or_entity
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,539,user.target.full_name,ecs_top_level,likely_user_target_or_entity
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,555,user.target.group.id,ecs_top_level,likely_user_target_or_entity
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,551,user.target.group.name,ecs_top_level,likely_user_target_or_entity
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,543,user.target.id,ecs_top_level,likely_user_target_or_entity
+oracle,memory,ingest_pipeline,packages/oracle/data_stream/memory/elasticsearch/ingest_pipeline/default.yml,35,oracle.memory.aggregate_pga_auto_target,vendor_root,entity_target_generic
+oracle,memory,ingest_pipeline,packages/oracle/data_stream/memory/elasticsearch/ingest_pipeline/default.yml,40,oracle.memory.aggregate_pga_target_parameter,vendor_root,entity_target_generic
+oracle,memory,ingest_pipeline,packages/oracle/data_stream/memory/elasticsearch/ingest_pipeline/default.yml,36,oracle.memory.pga.aggregate_auto_target,vendor_root,entity_target_generic
+oracle,memory,ingest_pipeline,packages/oracle/data_stream/memory/elasticsearch/ingest_pipeline/default.yml,41,oracle.memory.pga.aggregate_target_parameter,vendor_root,entity_target_generic
+oracle,memory,fields_yml_nested,packages/oracle/data_stream/memory/fields/fields.yml,32,pga.aggregate_auto_target,other_vendor_or_nested,entity_target_generic
+oracle,memory,fields_yml_nested,packages/oracle/data_stream/memory/fields/fields.yml,47,pga.aggregate_target_parameter,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,11619,osquery.shortcut_target_location,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,11624,osquery.shortcut_target_location.text,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,11628,osquery.shortcut_target_path,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,11635,osquery.shortcut_target_path.text,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,11639,osquery.shortcut_target_type,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,11644,osquery.shortcut_target_type.text,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12614,osquery.symlink_target_path,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12619,osquery.symlink_target_path.text,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12712,osquery.target,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12718,osquery.target_creation_time,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12723,osquery.target_creation_time.text,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12727,osquery.target_last_accessed_time,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12732,osquery.target_last_accessed_time.text,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12736,osquery.target_modification_time,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12741,osquery.target_modification_time.text,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12745,osquery.target_name,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12750,osquery.target_name.text,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12754,osquery.target_path,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12761,osquery.target_path.text,other_vendor_or_nested,entity_target_generic
+pps,log,fields_yml_flat,packages/pps/data_stream/log/fields/fields.yml,10,pps.entry.target.name,vendor_root,entity_target_generic
+pps,log,fields_yml_flat,packages/pps/data_stream/log/fields/fields.yml,16,pps.entry.target.username,vendor_root,likely_user_target_or_entity
+pps,log,expected_json,packages/pps/data_stream/log/_dev/test/pipeline/test-log.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+prisma_cloud,alert,expected_json,packages/prisma_cloud/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json,0,targetGrants,other_vendor_or_nested,entity_target_generic
+proofpoint_itm,report,ingest_pipeline,packages/proofpoint_itm/data_stream/report/elasticsearch/ingest_pipeline/default.yml,414,json.targetFileName,other_vendor_or_nested,entity_target_generic
+proofpoint_itm,report,ingest_pipeline,packages/proofpoint_itm/data_stream/report/elasticsearch/ingest_pipeline/default.yml,419,json.targetSiteName,other_vendor_or_nested,entity_target_generic
+proofpoint_itm,report,fields_yml_nested,packages/proofpoint_itm/data_stream/report/fields/fields.yml,120,proofpoint_itm.report.target,vendor_root,entity_target_generic
+proofpoint_itm,report,ingest_pipeline,packages/proofpoint_itm/data_stream/report/elasticsearch/ingest_pipeline/default.yml,416,proofpoint_itm.report.target.file_name,vendor_root,entity_target_generic
+proofpoint_itm,report,fields_yml_nested,packages/proofpoint_itm/data_stream/report/fields/fields.yml,123,proofpoint_itm.report.target.file_name,vendor_root,entity_target_generic
+proofpoint_itm,report,ingest_pipeline,packages/proofpoint_itm/data_stream/report/elasticsearch/ingest_pipeline/default.yml,421,proofpoint_itm.report.target.site_name,vendor_root,entity_target_generic
+proofpoint_itm,report,fields_yml_nested,packages/proofpoint_itm/data_stream/report/fields/fields.yml,125,proofpoint_itm.report.target.site_name,vendor_root,entity_target_generic
+proofpoint_itm,report,expected_json,packages/proofpoint_itm/data_stream/report/_dev/test/pipeline/test-alert.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+qnap_nas,log,expected_json,packages/qnap_nas/data_stream/log/_dev/test/pipeline/test-event.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+radware,defensepro,fields_yml_nested,packages/radware/data_stream/defensepro/fields/fields.yml,553,rsa.misc.context_target,other_vendor_or_nested,entity_target_generic
+radware,defensepro,fields_yml_nested,packages/radware/data_stream/defensepro/fields/fields.yml,893,rsa.misc.cs_targetmodule,other_vendor_or_nested,entity_target_generic
+radware,defensepro,fields_yml_nested,packages/radware/data_stream/defensepro/fields/fields.yml,576,rsa.misc.vm_target,other_vendor_or_nested,entity_target_generic
+sailpoint_identity_sc,events,fields_yml_nested,packages/sailpoint_identity_sc/data_stream/events/fields/event-fields.yml,173,sailpoint_identity_sc.events.target,vendor_root,likely_user_target_or_entity
+sailpoint_identity_sc,events,fields_yml_nested,packages/sailpoint_identity_sc/data_stream/events/fields/event-fields.yml,176,sailpoint_identity_sc.events.target.name,vendor_root,likely_user_target_or_entity
+sailpoint_identity_sc,events,expected_json,packages/sailpoint_identity_sc/data_stream/events/_dev/test/pipeline/test-event.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+santa,log,ingest_pipeline,packages/santa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,44,file.target_path,ecs_top_level,entity_target_generic
+santa,log,expected_json,packages/santa/data_stream/log/_dev/test/pipeline/test-santa-raw.log-expected.json,0,target_path,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,864,json.targetProcessInfo.tgtFileCreatedAt,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,960,json.targetProcessInfo.tgtFileHashSha1,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,896,json.targetProcessInfo.tgtFileHashSha256,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,950,json.targetProcessInfo.tgtFileId,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,876,json.targetProcessInfo.tgtFileIsSigned,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,938,json.targetProcessInfo.tgtFileModifiedAt,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,881,json.targetProcessInfo.tgtFileOldPath,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,989,json.targetProcessInfo.tgtFilePath,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,928,json.targetProcessInfo.tgtProcCmdLine,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,886,json.targetProcessInfo.tgtProcImagePath,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,955,json.targetProcessInfo.tgtProcIntegrityLevel,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,933,json.targetProcessInfo.tgtProcName,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,913,json.targetProcessInfo.tgtProcPid,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,891,json.targetProcessInfo.tgtProcSignedStatus,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,908,json.targetProcessInfo.tgtProcStorylineId,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,972,json.targetProcessInfo.tgtProcUid,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,977,json.targetProcessInfo.tgtProcessStartTime,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,961,sentinel_one.alert.target.process.file.hash.sha1,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,897,sentinel_one.alert.target.process.file.hash.sha256,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,951,sentinel_one.alert.target.process.file.id,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,877,sentinel_one.alert.target.process.file.is_signed,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,882,sentinel_one.alert.target.process.file.old_path,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,990,sentinel_one.alert.target.process.file.path,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,929,sentinel_one.alert.target.process.proc.cmdline,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,887,sentinel_one.alert.target.process.proc.image_path,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,956,sentinel_one.alert.target.process.proc.integrity_level,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,934,sentinel_one.alert.target.process.proc.name,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,914,sentinel_one.alert.target.process.proc.pid,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,892,sentinel_one.alert.target.process.proc.signed_status,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,909,sentinel_one.alert.target.process.proc.storyline_id,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,973,sentinel_one.alert.target.process.proc.uid,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,978,sentinel_one.alert.target.process.start_time,vendor_root,entity_target_generic
+sentinel_one,unified_alert,fields_yml_nested,packages/sentinel_one/data_stream/unified_alert/fields/fields.yml,346,sentinel_one.unified_alert.detection_time.target_user,vendor_root,likely_user_target_or_entity
+sentinel_one,unified_alert,ingest_pipeline,packages/sentinel_one/data_stream/unified_alert/elasticsearch/ingest_pipeline/default.yml,628,sentinel_one.unified_alert.detection_time.target_user.domain,vendor_root,likely_user_target_or_entity
+sentinel_one,unified_alert,fields_yml_nested,packages/sentinel_one/data_stream/unified_alert/fields/fields.yml,349,sentinel_one.unified_alert.detection_time.target_user.domain,vendor_root,likely_user_target_or_entity
+sentinel_one,unified_alert,ingest_pipeline,packages/sentinel_one/data_stream/unified_alert/elasticsearch/ingest_pipeline/default.yml,633,sentinel_one.unified_alert.detection_time.target_user.email_address,vendor_root,likely_user_target_or_entity
+sentinel_one,unified_alert,fields_yml_nested,packages/sentinel_one/data_stream/unified_alert/fields/fields.yml,352,sentinel_one.unified_alert.detection_time.target_user.email_address,vendor_root,likely_user_target_or_entity
+sentinel_one,unified_alert,ingest_pipeline,packages/sentinel_one/data_stream/unified_alert/elasticsearch/ingest_pipeline/default.yml,638,sentinel_one.unified_alert.detection_time.target_user.name,vendor_root,likely_user_target_or_entity
+sentinel_one,unified_alert,fields_yml_nested,packages/sentinel_one/data_stream/unified_alert/fields/fields.yml,355,sentinel_one.unified_alert.detection_time.target_user.name,vendor_root,likely_user_target_or_entity
+sentinel_one,unified_alert,ingest_pipeline,packages/sentinel_one/data_stream/unified_alert/elasticsearch/ingest_pipeline/default.yml,396,sentinel_one.unified_alert.slo_details.time_to_resolve_data.target,vendor_root,entity_target_generic
+sentinel_one,unified_alert,fields_yml_nested,packages/sentinel_one/data_stream/unified_alert/fields/fields.yml,469,sentinel_one.unified_alert.slo_details.time_to_resolve_data.target,vendor_root,entity_target_generic
+sentinel_one,unified_alert,ingest_pipeline,packages/sentinel_one/data_stream/unified_alert/elasticsearch/ingest_pipeline/default.yml,407,sentinel_one.unified_alert.slo_details.time_to_resolve_data.target_time,vendor_root,entity_target_generic
+sentinel_one,unified_alert,fields_yml_nested,packages/sentinel_one/data_stream/unified_alert/fields/fields.yml,472,sentinel_one.unified_alert.slo_details.time_to_resolve_data.target_time,vendor_root,entity_target_generic
+sentinel_one,unified_alert,ingest_pipeline,packages/sentinel_one/data_stream/unified_alert/elasticsearch/ingest_pipeline/default.yml,468,sentinel_one.unified_alert.slo_details.time_to_response_data.target,vendor_root,entity_target_generic
+sentinel_one,unified_alert,fields_yml_nested,packages/sentinel_one/data_stream/unified_alert/fields/fields.yml,493,sentinel_one.unified_alert.slo_details.time_to_response_data.target,vendor_root,entity_target_generic
+sentinel_one,unified_alert,ingest_pipeline,packages/sentinel_one/data_stream/unified_alert/elasticsearch/ingest_pipeline/default.yml,479,sentinel_one.unified_alert.slo_details.time_to_response_data.target_time,vendor_root,entity_target_generic
+sentinel_one,unified_alert,fields_yml_nested,packages/sentinel_one/data_stream/unified_alert/fields/fields.yml,496,sentinel_one.unified_alert.slo_details.time_to_response_data.target_time,vendor_root,entity_target_generic
+sentinel_one,alert,expected_json,packages/sentinel_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+sentinel_one,unified_alert,expected_json,packages/sentinel_one/data_stream/unified_alert/_dev/test/pipeline/test-pipeline-unified-alert.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,205,target.process,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,208,target.process.file,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,211,target.process.file.hash,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,214,target.process.file.hash.sha1,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,217,target.process.file.hash.sha256,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,220,target.process.file.id,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,223,target.process.file.is_signed,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,226,target.process.file.old_path,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,229,target.process.file.path,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,232,target.process.proc,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,235,target.process.proc.cmdline,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,238,target.process.proc.image_path,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,241,target.process.proc.integrity_level,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,244,target.process.proc.name,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,247,target.process.proc.pid,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,250,target.process.proc.signed_status,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,253,target.process.proc.storyline_id,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,256,target.process.proc.uid,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,259,target.process.start_time,other_vendor_or_nested,entity_target_generic
+sentinel_one,unified_alert,expected_json,packages/sentinel_one/data_stream/unified_alert/_dev/test/pipeline/test-pipeline-unified-alert.log-expected.json,0,target_time,other_vendor_or_nested,entity_target_generic
+sentinel_one,unified_alert,expected_json,packages/sentinel_one/data_stream/unified_alert/_dev/test/pipeline/test-pipeline-unified-alert.log-expected.json,0,target_user,other_vendor_or_nested,likely_user_target_or_entity
+snyk,issues,fields_yml_nested,packages/snyk/data_stream/issues/fields/fields.yml,230,relationships.attributes.target_file,other_vendor_or_nested,entity_target_generic
+snyk,issues,fields_yml_nested,packages/snyk/data_stream/issues/fields/fields.yml,232,relationships.attributes.target_reference,other_vendor_or_nested,entity_target_generic
+snyk,issues,fields_yml_nested,packages/snyk/data_stream/issues/fields/fields.yml,234,relationships.attributes.target_runtime,other_vendor_or_nested,entity_target_generic
+snyk,issues,fields_yml_nested,packages/snyk/data_stream/issues/fields/fields.yml,295,relationships.relationships.target,other_vendor_or_nested,entity_target_generic
+snyk,issues,ingest_pipeline,packages/snyk/data_stream/issues/elasticsearch/ingest_pipeline/default.yml,165,snyk.issues.relationships.scan_item.data.relationships.target.links.related,vendor_root,entity_target_generic
+snyk,issues,ingest_pipeline,packages/snyk/data_stream/issues/elasticsearch/ingest_pipeline/default.yml,166,snyk.issues.relationships.scan_item.data.relationships.target.links.related.href,vendor_root,entity_target_generic
+snyk,audit_logs,expected_json,packages/snyk/data_stream/audit_logs/_dev/test/pipeline/test-snyk-audit.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+snyk,issues,expected_json,packages/snyk/data_stream/issues/_dev/test/pipeline/test-snyk-issues.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+snyk,audit_logs,expected_json,packages/snyk/data_stream/audit_logs/_dev/test/pipeline/test-snyk-audit.json-expected.json,0,targetFile,other_vendor_or_nested,entity_target_generic
+snyk,audit_logs,expected_json,packages/snyk/data_stream/audit_logs/_dev/test/pipeline/test-snyk-audit.json-expected.json,0,targetId,other_vendor_or_nested,entity_target_generic
+snyk,issues,expected_json,packages/snyk/data_stream/issues/_dev/test/pipeline/test-snyk-issues.json-expected.json,0,target_file,other_vendor_or_nested,entity_target_generic
+snyk,issues,expected_json,packages/snyk/data_stream/issues/_dev/test/pipeline/test-snyk-issues.json-expected.json,0,target_reference,other_vendor_or_nested,entity_target_generic
+snyk,issues,expected_json,packages/snyk/data_stream/issues/_dev/test/pipeline/test-snyk-issues.json-expected.json,0,target_runtime,other_vendor_or_nested,entity_target_generic
+sophos,xg,fields_yml_nested,packages/sophos/data_stream/xg/fields/fields.yml,691,sophos.xg.target,vendor_root,entity_target_generic
+sophos,xg,expected_json,packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18-5-idp.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+sophos,xg,expected_json,packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+splunk,alert,fields_yml_nested,packages/splunk/data_stream/alert/fields/fields.yml,23,splunk.alert.Target_Account_Name,vendor_root,entity_target_generic
+splunk,alert,fields_yml_nested,packages/splunk/data_stream/alert/fields/fields.yml,109,splunk.alert.breach_target_references,vendor_root,entity_target_generic
+spycloud,breach_catalog,ingest_pipeline,packages/spycloud/data_stream/breach_catalog/elasticsearch/ingest_pipeline/default.yml,1993,json.assets.target_domain,other_vendor_or_nested,entity_target_generic
+spycloud,breach_catalog,ingest_pipeline,packages/spycloud/data_stream/breach_catalog/elasticsearch/ingest_pipeline/default.yml,2003,json.assets.target_subdomain,other_vendor_or_nested,entity_target_generic
+spycloud,breach_catalog,ingest_pipeline,packages/spycloud/data_stream/breach_catalog/elasticsearch/ingest_pipeline/default.yml,2013,json.assets.target_url,other_vendor_or_nested,entity_target_generic
+spycloud,breach_record,ingest_pipeline,packages/spycloud/data_stream/breach_record/elasticsearch/ingest_pipeline/default.yml,445,json.target_domain,other_vendor_or_nested,entity_target_generic
+spycloud,compass,ingest_pipeline,packages/spycloud/data_stream/compass/elasticsearch/ingest_pipeline/default.yml,428,json.target_domain,other_vendor_or_nested,entity_target_generic
+spycloud,breach_record,ingest_pipeline,packages/spycloud/data_stream/breach_record/elasticsearch/ingest_pipeline/default.yml,455,json.target_subdomain,other_vendor_or_nested,entity_target_generic
+spycloud,compass,ingest_pipeline,packages/spycloud/data_stream/compass/elasticsearch/ingest_pipeline/default.yml,438,json.target_subdomain,other_vendor_or_nested,entity_target_generic
+spycloud,breach_record,ingest_pipeline,packages/spycloud/data_stream/breach_record/elasticsearch/ingest_pipeline/default.yml,465,json.target_url,other_vendor_or_nested,entity_target_generic
+spycloud,compass,ingest_pipeline,packages/spycloud/data_stream/compass/elasticsearch/ingest_pipeline/default.yml,448,json.target_url,other_vendor_or_nested,entity_target_generic
+spycloud,breach_catalog,fields_yml_nested,packages/spycloud/data_stream/breach_catalog/fields/fields.yml,687,spycloud.breach_catalog.assets.target,vendor_root,entity_target_generic
+spycloud,breach_catalog,ingest_pipeline,packages/spycloud/data_stream/breach_catalog/elasticsearch/ingest_pipeline/default.yml,1995,spycloud.breach_catalog.assets.target.domain,vendor_root,entity_target_generic
+spycloud,breach_catalog,fields_yml_nested,packages/spycloud/data_stream/breach_catalog/fields/fields.yml,690,spycloud.breach_catalog.assets.target.domain,vendor_root,entity_target_generic
+spycloud,breach_catalog,ingest_pipeline,packages/spycloud/data_stream/breach_catalog/elasticsearch/ingest_pipeline/default.yml,2005,spycloud.breach_catalog.assets.target.subdomain,vendor_root,entity_target_generic
+spycloud,breach_catalog,fields_yml_nested,packages/spycloud/data_stream/breach_catalog/fields/fields.yml,693,spycloud.breach_catalog.assets.target.subdomain,vendor_root,entity_target_generic
+spycloud,breach_catalog,ingest_pipeline,packages/spycloud/data_stream/breach_catalog/elasticsearch/ingest_pipeline/default.yml,2015,spycloud.breach_catalog.assets.target.url,vendor_root,entity_target_generic
+spycloud,breach_catalog,fields_yml_nested,packages/spycloud/data_stream/breach_catalog/fields/fields.yml,696,spycloud.breach_catalog.assets.target.url,vendor_root,entity_target_generic
+spycloud,breach_record,fields_yml_nested,packages/spycloud/data_stream/breach_record/fields/fields.yml,154,spycloud.breach_record.target,vendor_root,entity_target_generic
+spycloud,breach_record,ingest_pipeline,packages/spycloud/data_stream/breach_record/elasticsearch/ingest_pipeline/default.yml,447,spycloud.breach_record.target.domain,vendor_root,entity_target_generic
+spycloud,breach_record,fields_yml_nested,packages/spycloud/data_stream/breach_record/fields/fields.yml,157,spycloud.breach_record.target.domain,vendor_root,entity_target_generic
+spycloud,breach_record,ingest_pipeline,packages/spycloud/data_stream/breach_record/elasticsearch/ingest_pipeline/default.yml,457,spycloud.breach_record.target.subdomain,vendor_root,entity_target_generic
+spycloud,breach_record,fields_yml_nested,packages/spycloud/data_stream/breach_record/fields/fields.yml,160,spycloud.breach_record.target.subdomain,vendor_root,entity_target_generic
+spycloud,breach_record,ingest_pipeline,packages/spycloud/data_stream/breach_record/elasticsearch/ingest_pipeline/default.yml,467,spycloud.breach_record.target.url,vendor_root,entity_target_generic
+spycloud,breach_record,fields_yml_nested,packages/spycloud/data_stream/breach_record/fields/fields.yml,163,spycloud.breach_record.target.url,vendor_root,entity_target_generic
+spycloud,compass,fields_yml_nested,packages/spycloud/data_stream/compass/fields/fields.yml,145,spycloud.compass.target,vendor_root,entity_target_generic
+spycloud,compass,ingest_pipeline,packages/spycloud/data_stream/compass/elasticsearch/ingest_pipeline/default.yml,430,spycloud.compass.target.domain,vendor_root,entity_target_generic
+spycloud,compass,fields_yml_nested,packages/spycloud/data_stream/compass/fields/fields.yml,148,spycloud.compass.target.domain,vendor_root,entity_target_generic
+spycloud,compass,ingest_pipeline,packages/spycloud/data_stream/compass/elasticsearch/ingest_pipeline/default.yml,440,spycloud.compass.target.subdomain,vendor_root,entity_target_generic
+spycloud,compass,fields_yml_nested,packages/spycloud/data_stream/compass/fields/fields.yml,151,spycloud.compass.target.subdomain,vendor_root,entity_target_generic
+spycloud,compass,ingest_pipeline,packages/spycloud/data_stream/compass/elasticsearch/ingest_pipeline/default.yml,450,spycloud.compass.target.url,vendor_root,entity_target_generic
+spycloud,compass,fields_yml_nested,packages/spycloud/data_stream/compass/fields/fields.yml,154,spycloud.compass.target.url,vendor_root,entity_target_generic
+spycloud,breach_catalog,expected_json,packages/spycloud/data_stream/breach_catalog/_dev/test/pipeline/test-breach-catalog.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+spycloud,breach_record,expected_json,packages/spycloud/data_stream/breach_record/_dev/test/pipeline/test-breach-record.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+spycloud,compass,expected_json,packages/spycloud/data_stream/compass/_dev/test/pipeline/test-compass.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+suricata,eve,fields_yml_nested,packages/suricata/data_stream/eve/fields/fields.yml,106,alert.attack_target,other_vendor_or_nested,entity_target_generic
+suricata,eve,expected_json,packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-metadata.log-expected.json,0,attack_target,other_vendor_or_nested,entity_target_generic
+suricata,eve,ingest_pipeline,packages/suricata/data_stream/eve/elasticsearch/ingest_pipeline/default.yml,463,suricata.eve.alert.attack_target,vendor_root,entity_target_generic
+suricata,eve,ingest_pipeline,packages/suricata/data_stream/eve/elasticsearch/ingest_pipeline/default.yml,462,suricata.eve.alert.metadata.attack_target,vendor_root,entity_target_generic
+symantec_endpoint_security,event,fields_yml_nested,packages/symantec_endpoint_security/data_stream/event/fields/fields.yml,5626,ses.rule_criteria_target,other_vendor_or_nested,entity_target_generic
+symantec_endpoint_security,event,fields_yml_nested,packages/symantec_endpoint_security/data_stream/event/fields/fields.yml,6187,ses.target,other_vendor_or_nested,entity_target_generic
+symantec_endpoint_security,event,fields_yml_nested,packages/symantec_endpoint_security/data_stream/event/fields/fields.yml,6190,ses.target_name,other_vendor_or_nested,entity_target_generic
+symantec_endpoint_security,event,fields_yml_nested,packages/symantec_endpoint_security/data_stream/event/fields/winlog.yml,57,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic
+symantec_endpoint_security,event,fields_yml_nested,packages/symantec_endpoint_security/data_stream/event/fields/winlog.yml,59,winlog.event_data.TargetName,other_vendor_or_nested,entity_target_generic
+symantec_endpoint_security,event,fields_yml_nested,packages/symantec_endpoint_security/data_stream/event/fields/winlog.yml,61,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity
+symantec_endpoint_security,event,fields_yml_nested,packages/symantec_endpoint_security/data_stream/event/fields/winlog.yml,63,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity
+sysdig,cspm,fields_yml_nested,packages/sysdig/data_stream/cspm/fields/fields.yml,65,sysdig.cspm.control.target,vendor_root,entity_target_generic
+sysdig,cspm,expected_json,packages/sysdig/data_stream/cspm/_dev/test/pipeline/test-cspm.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+sysmon_linux,log,fields_yml_nested,packages/sysmon_linux/data_stream/log/fields/winlog.yml,224,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic
+sysmon_linux,log,ingest_pipeline,packages/sysmon_linux/data_stream/log/elasticsearch/ingest_pipeline/default.yml,550,winlog.event_data.TargetFilename,other_vendor_or_nested,entity_target_generic
+sysmon_linux,log,fields_yml_nested,packages/sysmon_linux/data_stream/log/fields/winlog.yml,226,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic
+sysmon_linux,log,fields_yml_nested,packages/sysmon_linux/data_stream/log/fields/winlog.yml,228,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic
+sysmon_linux,log,fields_yml_nested,packages/sysmon_linux/data_stream/log/fields/winlog.yml,230,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic
+sysmon_linux,log,fields_yml_nested,packages/sysmon_linux/data_stream/log/fields/winlog.yml,232,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic
+sysmon_linux,log,fields_yml_nested,packages/sysmon_linux/data_stream/log/fields/winlog.yml,234,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity
+sysmon_linux,log,fields_yml_nested,packages/sysmon_linux/data_stream/log/fields/winlog.yml,236,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity
+tanium,threat_response,ingest_pipeline,packages/tanium/data_stream/threat_response/elasticsearch/ingest_pipeline/match_details_whats_actions.yml,34,_action.target.file.modification_time,other_vendor_or_nested,entity_target_generic
+tanium,threat_response,ingest_pipeline,packages/tanium/data_stream/threat_response/elasticsearch/ingest_pipeline/match_details_whats_actions.yml,76,_action.target.file.size_bytes,other_vendor_or_nested,entity_target_generic
+tanium,threat_response,ingest_pipeline,packages/tanium/data_stream/threat_response/elasticsearch/ingest_pipeline/match_details_whats.yml,156,_what.artifact_activity.acting_artifact.is_intel_target,other_vendor_or_nested,entity_target_generic
+tanium,threat_response,expected_json,packages/tanium/data_stream/threat_response/_dev/test/pipeline/test-deep.log-expected.json,0,is_intel_target,other_vendor_or_nested,entity_target_generic
+tanium,threat_response,expected_json,packages/tanium/data_stream/threat_response/_dev/test/pipeline/test-match-details-empty-map-value.log-expected.json,0,is_intel_target,other_vendor_or_nested,entity_target_generic
+tanium,threat_response,expected_json,packages/tanium/data_stream/threat_response/_dev/test/pipeline/test-new-default.log-expected.json,0,is_intel_target,other_vendor_or_nested,entity_target_generic
+tanium,threat_response,expected_json,packages/tanium/data_stream/threat_response/_dev/test/pipeline/test-threat-response.log-expected.json,0,is_intel_target,other_vendor_or_nested,entity_target_generic
+tanium,threat_response,fields_yml_nested,packages/tanium/data_stream/threat_response/fields/fields.yml,126,match_details.finding.whats.acting_artifact.is_intel_target,other_vendor_or_nested,entity_target_generic
+tanium,threat_response,fields_yml_nested,packages/tanium/data_stream/threat_response/fields/fields.yml,359,match_details.finding.whats.relevant_actions.is_intel_target,other_vendor_or_nested,entity_target_generic
+tanium,threat_response,fields_yml_flat,packages/tanium/data_stream/threat_response/fields/fields.yml,317,relevant_actions.target,other_vendor_or_nested,entity_target_generic
+tanium,threat_response,fields_yml_nested,packages/tanium/data_stream/threat_response/fields/fields.yml,915,state.target,other_vendor_or_nested,entity_target_generic
+tanium,threat_response,fields_yml_nested,packages/tanium/data_stream/threat_response/fields/fields.yml,918,state.target.eid,other_vendor_or_nested,entity_target_generic
+tanium,threat_response,fields_yml_nested,packages/tanium/data_stream/threat_response/fields/fields.yml,921,state.target.hostname,other_vendor_or_nested,likely_host_target_or_entity
+tanium,threat_response,ingest_pipeline,packages/tanium/data_stream/threat_response/elasticsearch/ingest_pipeline/match_details.yml,205,tanium.threat_response.match_details.finding.whats.artifact_activity.relevant_actions.target.file.size_bytes,vendor_root,entity_target_generic
+tanium,threat_response,ingest_pipeline,packages/tanium/data_stream/threat_response/elasticsearch/ingest_pipeline/default.yml,192,tanium.threat_response.state.target.hostname,vendor_root,likely_host_target_or_entity
+tanium,threat_response,expected_json,packages/tanium/data_stream/threat_response/_dev/test/pipeline/test-deep.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+tanium,threat_response,expected_json,packages/tanium/data_stream/threat_response/_dev/test/pipeline/test-match-details-empty-map-value.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+tanium,threat_response,expected_json,packages/tanium/data_stream/threat_response/_dev/test/pipeline/test-new-default.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+tanium,threat_response,expected_json,packages/tanium/data_stream/threat_response/_dev/test/pipeline/test-threat-response.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+teleport,audit,fields_yml_nested,packages/teleport/data_stream/audit/fields/fields.yml,652,dynamodb.target,other_vendor_or_nested,entity_target_generic
+teleport,audit,fields_yml_nested,packages/teleport/data_stream/audit/fields/fields.yml,631,elasticsearch.target,other_vendor_or_nested,entity_target_generic
+teleport,audit,fields_yml_nested,packages/teleport/data_stream/audit/fields/fields.yml,645,opensearch.target,other_vendor_or_nested,entity_target_generic
+teleport,audit,expected_json,packages/teleport/data_stream/audit/_dev/test/pipeline/test-teleport-all-events.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+teleport,audit,ingest_pipeline,packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml,1402,teleport.audit.database.dynamodb.target,vendor_root,entity_target_generic
+teleport,audit,ingest_pipeline,packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml,1360,teleport.audit.database.elasticsearch.target,vendor_root,entity_target_generic
+teleport,audit,ingest_pipeline,packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml,1396,teleport.audit.database.opensearch.target,vendor_root,entity_target_generic
+teleport,audit,ingest_pipeline,packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml,305,teleport.audit.lock.target,vendor_root,entity_target_generic
+teleport,audit,ingest_pipeline,packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml,701,teleport.audit.sftp.target_path,vendor_root,entity_target_generic
+teleport,audit,ingest_pipeline,packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml,303,teleport.audit.target,vendor_root,entity_target_generic
+teleport,audit,ingest_pipeline,packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml,700,teleport.audit.target_path,vendor_root,entity_target_generic
+tenable_io,vulnerability,ingest_pipeline,packages/tenable_io/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml,1204,json.plugin.vpr_v2.targeted_industries,other_vendor_or_nested,entity_target_generic
+tenable_io,vulnerability,ingest_pipeline,packages/tenable_io/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml,1209,json.plugin.vpr_v2.targeted_regions,other_vendor_or_nested,entity_target_generic
+tenable_io,vulnerability,fields_yml_nested,packages/tenable_io/data_stream/vulnerability/fields/fields.yml,492,plugin.vpr_v2.targeted_industries,other_vendor_or_nested,entity_target_generic
+tenable_io,vulnerability,fields_yml_nested,packages/tenable_io/data_stream/vulnerability/fields/fields.yml,495,plugin.vpr_v2.targeted_regions,other_vendor_or_nested,entity_target_generic
+tenable_io,scan,fields_yml_nested,packages/tenable_io/data_stream/scan/fields/fields.yml,104,scan_details.target,other_vendor_or_nested,entity_target_generic
+tenable_io,audit,expected_json,packages/tenable_io/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+tenable_io,scan,expected_json,packages/tenable_io/data_stream/scan/_dev/test/pipeline/test-scan.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+tenable_io,audit,fields_yml_nested,packages/tenable_io/data_stream/audit/fields/fields.yml,41,tenable_io.audit.target,vendor_root,entity_target_generic
+tenable_io,audit,ingest_pipeline,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,319,tenable_io.audit.target.id,vendor_root,entity_target_generic
+tenable_io,audit,fields_yml_nested,packages/tenable_io/data_stream/audit/fields/fields.yml,44,tenable_io.audit.target.id,vendor_root,entity_target_generic
+tenable_io,audit,ingest_pipeline,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,331,tenable_io.audit.target.name,vendor_root,entity_target_generic
+tenable_io,audit,fields_yml_nested,packages/tenable_io/data_stream/audit/fields/fields.yml,47,tenable_io.audit.target.name,vendor_root,entity_target_generic
+tenable_io,audit,fields_yml_nested,packages/tenable_io/data_stream/audit/fields/fields.yml,50,tenable_io.audit.target.type,vendor_root,entity_target_generic
+tenable_io,vulnerability,ingest_pipeline,packages/tenable_io/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml,1206,tenable_io.vulnerability.plugin.vpr_v2.targeted_industries,vendor_root,entity_target_generic
+tenable_io,vulnerability,ingest_pipeline,packages/tenable_io/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml,1211,tenable_io.vulnerability.plugin.vpr_v2.targeted_regions,vendor_root,entity_target_generic
+tenable_io,scan,expected_json,packages/tenable_io/data_stream/scan/_dev/test/pipeline/test-scan.log-expected.json,0,total_targets,other_vendor_or_nested,entity_target_generic
+tenable_io,audit,ingest_pipeline,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,336,user.target.email,ecs_top_level,likely_user_target_or_entity
+tenable_io,audit,ingest_pipeline,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,317,user.target.id,ecs_top_level,likely_user_target_or_entity
+tenable_io,audit,ingest_pipeline,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,329,user.target.name,ecs_top_level,likely_user_target_or_entity
+ti_crowdstrike,intel,ingest_pipeline,packages/ti_crowdstrike/data_stream/intel/elasticsearch/ingest_pipeline/default.yml,301,json.targets,other_vendor_or_nested,entity_target_generic
+ti_crowdstrike,intel,expected_json,packages/ti_crowdstrike/data_stream/intel/_dev/test/pipeline/test-intel.log-expected.json,0,targets,other_vendor_or_nested,entity_target_generic
+ti_crowdstrike,intel,ingest_pipeline,packages/ti_crowdstrike/data_stream/intel/elasticsearch/ingest_pipeline/default.yml,303,ti_crowdstrike.intel.targets,vendor_root,entity_target_generic
+ti_google_threat_intelligence,ioc_stream,ingest_pipeline,packages/ti_google_threat_intelligence/data_stream/ioc_stream/elasticsearch/ingest_pipeline/default.yml,1530,_ingest._value.target_file_name,other_vendor_or_nested,entity_target_generic
+ti_google_threat_intelligence,ioc_stream,ingest_pipeline,packages/ti_google_threat_intelligence/data_stream/ioc_stream/elasticsearch/ingest_pipeline/default.yml,1542,_ingest._value.target_object,other_vendor_or_nested,entity_target_generic
+ti_google_threat_intelligence,ioc_stream,ingest_pipeline,packages/ti_google_threat_intelligence/data_stream/ioc_stream/elasticsearch/ingest_pipeline/default.yml,1528,_ingest._value.values.TargetFilename,other_vendor_or_nested,entity_target_generic
+ti_google_threat_intelligence,ioc_stream,ingest_pipeline,packages/ti_google_threat_intelligence/data_stream/ioc_stream/elasticsearch/ingest_pipeline/default.yml,1540,_ingest._value.values.TargetObject,other_vendor_or_nested,entity_target_generic
+ti_google_threat_intelligence,ioc_stream,fields_yml_nested,packages/ti_google_threat_intelligence/data_stream/ioc_stream/fields/fields.yml,920,gti.ioc_stream.attributes.sigma_analysis_results.match_context.target_file_name,other_vendor_or_nested,entity_target_generic
+ti_google_threat_intelligence,ioc_stream,fields_yml_nested,packages/ti_google_threat_intelligence/data_stream/ioc_stream/fields/fields.yml,923,gti.ioc_stream.attributes.sigma_analysis_results.match_context.target_object,other_vendor_or_nested,entity_target_generic
+ti_otx,pulses_subscribed,fields_yml_nested,packages/ti_otx/data_stream/pulses_subscribed/fields/fields.yml,71,otx.pulse.targeted_countries,other_vendor_or_nested,entity_target_generic
+ti_otx,pulses_subscribed,expected_json,packages/ti_otx/data_stream/pulses_subscribed/_dev/test/pipeline/test-otx-pulses-subscribed-json.log-expected.json,0,targeted_countries,other_vendor_or_nested,entity_target_generic
+ti_recordedfuture,playbook_alert,fields_yml_nested,packages/ti_recordedfuture/data_stream/playbook_alert/fields/fields.yml,277,recordedfuture.playbook_alert.panel_evidence_summary.summary.targets,other_vendor_or_nested,entity_target_generic
+ti_recordedfuture,playbook_alert,fields_yml_nested,packages/ti_recordedfuture/data_stream/playbook_alert/fields/fields.yml,280,recordedfuture.playbook_alert.panel_evidence_summary.summary.targets.name,other_vendor_or_nested,entity_target_generic
+ti_recordedfuture,playbook_alert,fields_yml_nested,packages/ti_recordedfuture/data_stream/playbook_alert/fields/fields.yml,527,recordedfuture.playbook_alert.panel_status.targets,other_vendor_or_nested,entity_target_generic
+ti_recordedfuture,playbook_alert,fields_yml_nested,packages/ti_recordedfuture/data_stream/playbook_alert/fields/fields.yml,529,recordedfuture.playbook_alert.panel_status.targets_str,other_vendor_or_nested,entity_target_generic
+ti_recordedfuture,playbook_alert,expected_json,packages/ti_recordedfuture/data_stream/playbook_alert/_dev/test/pipeline/test-playbook-alert.log-expected.json,0,target_entities,other_vendor_or_nested,entity_target_generic
+ti_recordedfuture,playbook_alert,expected_json,packages/ti_recordedfuture/data_stream/playbook_alert/_dev/test/pipeline/test-playbook-alert.log-expected.json,0,targets,other_vendor_or_nested,entity_target_generic
+ti_recordedfuture,playbook_alert,expected_json,packages/ti_recordedfuture/data_stream/playbook_alert/_dev/test/pipeline/test-playbook-alert.log-expected.json,0,targets_str,other_vendor_or_nested,entity_target_generic
+ti_threatq,threat,expected_json,packages/ti_threatq/data_stream/threat/_dev/test/pipeline/test-threatq-no-preserve-ndjson.log-expected.json,0,related_exploit_target_count,other_vendor_or_nested,entity_target_generic
+ti_threatq,threat,ingest_pipeline,packages/ti_threatq/data_stream/threat/elasticsearch/ingest_pipeline/default.yml,904,threatq.related_exploit_target_count,other_vendor_or_nested,entity_target_generic
+ti_threatq,threat,fields_yml_nested,packages/ti_threatq/data_stream/threat/fields/fields.yml,91,threatq.related_exploit_target_count,other_vendor_or_nested,entity_target_generic
+trellix_edr_cloud,event,ingest_pipeline,packages/trellix_edr_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,756,json.targetPid,other_vendor_or_nested,entity_target_generic
+trellix_edr_cloud,event,expected_json,packages/trellix_edr_cloud/data_stream/event/_dev/test/pipeline/test-event.log-expected.json,0,target_pid,other_vendor_or_nested,entity_target_generic
+trellix_edr_cloud,event,ingest_pipeline,packages/trellix_edr_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,758,trellix_edr_cloud.event.target_pid,vendor_root,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,221,json.attributes.targetfilename,other_vendor_or_nested,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,557,json.attributes.targethash,other_vendor_or_nested,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,61,json.attributes.targethostname,other_vendor_or_nested,likely_host_target_or_entity
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,84,json.attributes.targetipv4,other_vendor_or_nested,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,104,json.attributes.targetipv6,other_vendor_or_nested,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,135,json.attributes.targetmac,other_vendor_or_nested,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,159,json.attributes.targetport,other_vendor_or_nested,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,561,json.attributes.targetprocessname,other_vendor_or_nested,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,565,json.attributes.targetprotocol,other_vendor_or_nested,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,174,json.attributes.targetusername,other_vendor_or_nested,likely_user_target_or_entity
+trellix_epo_cloud,event,expected_json,packages/trellix_epo_cloud/data_stream/event/_dev/test/pipeline/test-pipeline-event.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,85,trellix_epo_cloud.event.attributes.target,vendor_root,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,222,trellix_epo_cloud.event.attributes.target.file_name,vendor_root,entity_target_generic
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,88,trellix_epo_cloud.event.attributes.target.file_name,vendor_root,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,558,trellix_epo_cloud.event.attributes.target.hash,vendor_root,entity_target_generic
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,90,trellix_epo_cloud.event.attributes.target.hash,vendor_root,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,62,trellix_epo_cloud.event.attributes.target.hostname,vendor_root,likely_host_target_or_entity
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,92,trellix_epo_cloud.event.attributes.target.hostname,vendor_root,likely_host_target_or_entity
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,86,trellix_epo_cloud.event.attributes.target.ipv4,vendor_root,entity_target_generic
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,94,trellix_epo_cloud.event.attributes.target.ipv4,vendor_root,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,116,trellix_epo_cloud.event.attributes.target.ipv6,vendor_root,entity_target_generic
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,96,trellix_epo_cloud.event.attributes.target.ipv6,vendor_root,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,151,trellix_epo_cloud.event.attributes.target.mac,vendor_root,entity_target_generic
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,98,trellix_epo_cloud.event.attributes.target.mac,vendor_root,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,161,trellix_epo_cloud.event.attributes.target.port,vendor_root,entity_target_generic
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,100,trellix_epo_cloud.event.attributes.target.port,vendor_root,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,562,trellix_epo_cloud.event.attributes.target.process_name,vendor_root,entity_target_generic
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,102,trellix_epo_cloud.event.attributes.target.process_name,vendor_root,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,566,trellix_epo_cloud.event.attributes.target.protocol,vendor_root,entity_target_generic
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,104,trellix_epo_cloud.event.attributes.target.protocol,vendor_root,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,175,trellix_epo_cloud.event.attributes.target.user_name,vendor_root,likely_user_target_or_entity
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,106,trellix_epo_cloud.event.attributes.target.user_name,vendor_root,likely_user_target_or_entity
+trend_micro_vision_one,endpoint_activity,expected_json,packages/trend_micro_vision_one/data_stream/endpoint_activity/_dev/test/pipeline/test-endpoint-activity.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+trend_micro_vision_one,endpoint_activity,ingest_pipeline,packages/trend_micro_vision_one/data_stream/endpoint_activity/elasticsearch/ingest_pipeline/default.yml,1150,user.target.name,ecs_top_level,likely_user_target_or_entity
+trendmicro,deep_security,ingest_pipeline,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,640,cef.extensions.TrendMicroDsMalwareTarget,other_vendor_or_nested,entity_target_generic +trendmicro,deep_security,ingest_pipeline,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,625,cef.extensions.TrendMicroDsMalwareTargetCount,other_vendor_or_nested,entity_target_generic +trendmicro,deep_security,ingest_pipeline,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,635,cef.extensions.TrendMicroDsMalwareTargetType,other_vendor_or_nested,entity_target_generic +trendmicro,deep_security,ingest_pipeline,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,557,cef.extensions.target,other_vendor_or_nested,entity_target_generic +trendmicro,deep_security,ingest_pipeline,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,562,cef.extensions.targetID,other_vendor_or_nested,entity_target_generic +trendmicro,deep_security,expected_json,packages/trendmicro/data_stream/deep_security/_dev/test/pipeline/test-trendmicro.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +trendmicro,deep_security,fields_yml_nested,packages/trendmicro/data_stream/deep_security/fields/fields.yml,229,trendmicro.deep_security.target,vendor_root,entity_target_generic +trendmicro,deep_security,ingest_pipeline,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,564,trendmicro.deep_security.target.id,vendor_root,entity_target_generic +trendmicro,deep_security,fields_yml_nested,packages/trendmicro/data_stream/deep_security/fields/fields.yml,232,trendmicro.deep_security.target.id,vendor_root,entity_target_generic 
+trendmicro,deep_security,ingest_pipeline,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,559,trendmicro.deep_security.target.value,vendor_root,entity_target_generic +trendmicro,deep_security,fields_yml_nested,packages/trendmicro/data_stream/deep_security/fields/fields.yml,235,trendmicro.deep_security.target.value,vendor_root,entity_target_generic +trendmicro,deep_security,fields_yml_nested,packages/trendmicro/data_stream/deep_security/fields/fields.yml,277,trendmicro.deep_security.trendmicro.ds_malware_target,vendor_root,entity_target_generic +trendmicro,deep_security,ingest_pipeline,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,627,trendmicro.deep_security.trendmicro.ds_malware_target.count,vendor_root,entity_target_generic +trendmicro,deep_security,fields_yml_nested,packages/trendmicro/data_stream/deep_security/fields/fields.yml,280,trendmicro.deep_security.trendmicro.ds_malware_target.count,vendor_root,entity_target_generic +trendmicro,deep_security,ingest_pipeline,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,637,trendmicro.deep_security.trendmicro.ds_malware_target.type,vendor_root,entity_target_generic +trendmicro,deep_security,fields_yml_nested,packages/trendmicro/data_stream/deep_security/fields/fields.yml,283,trendmicro.deep_security.trendmicro.ds_malware_target.type,vendor_root,entity_target_generic +trendmicro,deep_security,ingest_pipeline,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,642,trendmicro.deep_security.trendmicro.ds_malware_target.value,vendor_root,entity_target_generic +trendmicro,deep_security,fields_yml_nested,packages/trendmicro/data_stream/deep_security/fields/fields.yml,286,trendmicro.deep_security.trendmicro.ds_malware_target.value,vendor_root,entity_target_generic 
+unifiedlogs,,fields_yml_nested,packages/unifiedlogs/fields/apple-event.yml,23,apple_event.target_process,other_vendor_or_nested,entity_target_generic +vectra_detect,log,expected_json,packages/vectra_detect/data_stream/log/_dev/test/pipeline/test-account-detection.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +vectra_detect,log,expected_json,packages/vectra_detect/data_stream/log/_dev/test/pipeline/test-account-lockdown.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +vectra_detect,log,expected_json,packages/vectra_detect/data_stream/log/_dev/test/pipeline/test-account-scoring.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +vectra_detect,log,expected_json,packages/vectra_detect/data_stream/log/_dev/test/pipeline/test-host-detection.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +vectra_detect,log,ingest_pipeline,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,168,user.target.email,ecs_top_level,likely_user_target_or_entity +vectra_detect,log,ingest_pipeline,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-lockdown.yml,78,user.target.id,ecs_top_level,likely_user_target_or_entity +vectra_detect,log,ingest_pipeline,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-scoring.yml,44,user.target.id,ecs_top_level,likely_user_target_or_entity +vectra_detect,log,ingest_pipeline,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,167,user.target.name,ecs_top_level,likely_user_target_or_entity +vectra_detect,log,ingest_pipeline,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-detection.yml,174,user.target.name,ecs_top_level,likely_user_target_or_entity 
+vectra_detect,log,ingest_pipeline,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-lockdown.yml,63,user.target.name,ecs_top_level,likely_user_target_or_entity +vectra_detect,log,ingest_pipeline,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-scoring.yml,87,user.target.name,ecs_top_level,likely_user_target_or_entity +vectra_detect,log,ingest_pipeline,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-host-detection.yml,286,user.target.name,ecs_top_level,likely_user_target_or_entity +watchguard_firebox,log,expected_json,packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-event.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +watchguard_firebox,log,fields_yml_nested,packages/watchguard_firebox/data_stream/log/fields/fields.yml,569,watchguard_firebox.log.target,vendor_root,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json,0,NewTargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json,0,OldTargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-5145.json-expected.json,0,RelativeTargetName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4738-malformed.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4738.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4742.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4743.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4744.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4745.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746-user.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4748.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4749.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4750.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4753.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4759.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4760.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4763.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,applocker_exe_and_dll,expected_json,packages/windows/data_stream/applocker_exe_and_dll/_dev/test/pipeline/test-events-applocker-exe-8003-common-name.json-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,applocker_exe_and_dll,expected_json,packages/windows/data_stream/applocker_exe_and_dll/_dev/test/pipeline/test-events-applocker-exe-8003.json-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,applocker_msi_and_script,expected_json,packages/windows/data_stream/applocker_msi_and_script/_dev/test/pipeline/test-events-applocker-msi-and-script-8006.json-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic 
+windows,applocker_exe_and_dll,expected_json,packages/windows/data_stream/applocker_exe_and_dll/_dev/test/pipeline/test-events-applocker-exe-8003-common-name.json-expected.json,0,TargetProcessId,other_vendor_or_nested,entity_target_generic +windows,applocker_exe_and_dll,expected_json,packages/windows/data_stream/applocker_exe_and_dll/_dev/test/pipeline/test-events-applocker-exe-8003.json-expected.json,0,TargetProcessId,other_vendor_or_nested,entity_target_generic +windows,applocker_msi_and_script,expected_json,packages/windows/data_stream/applocker_msi_and_script/_dev/test/pipeline/test-events-applocker-msi-and-script-8006.json-expected.json,0,TargetProcessId,other_vendor_or_nested,entity_target_generic +windows,applocker_packaged_app_deployment,expected_json,packages/windows/data_stream/applocker_packaged_app_deployment/_dev/test/pipeline/test-events-microsoft-windows-applocker-packaged-app-deployment.json-expected.json,0,TargetProcessId,other_vendor_or_nested,entity_target_generic +windows,applocker_packaged_app_execution,expected_json,packages/windows/data_stream/applocker_packaged_app_execution/_dev/test/pipeline/test-events-microsoft-windows-applocker-packaged-app-execution.json-expected.json,0,TargetProcessId,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4717-windowssrv2016.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4718-windowssrv2016.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4738-malformed.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4738.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4742.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4743.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4744.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4745.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746-user.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4748.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4749.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4750.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4753.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4759.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4760.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4763.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,applocker_exe_and_dll,expected_json,packages/windows/data_stream/applocker_exe_and_dll/_dev/test/pipeline/test-events-applocker-exe-8003-common-name.json-expected.json,0,TargetUser,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_exe_and_dll,expected_json,packages/windows/data_stream/applocker_exe_and_dll/_dev/test/pipeline/test-events-applocker-exe-8003.json-expected.json,0,TargetUser,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_msi_and_script,expected_json,packages/windows/data_stream/applocker_msi_and_script/_dev/test/pipeline/test-events-applocker-msi-and-script-8006.json-expected.json,0,TargetUser,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_deployment,expected_json,packages/windows/data_stream/applocker_packaged_app_deployment/_dev/test/pipeline/test-events-microsoft-windows-applocker-packaged-app-deployment.json-expected.json,0,TargetUser,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_execution,expected_json,packages/windows/data_stream/applocker_packaged_app_execution/_dev/test/pipeline/test-events-microsoft-windows-applocker-packaged-app-execution.json-expected.json,0,TargetUser,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4738-malformed.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4738.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4742.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4743.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4744.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4745.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746-user.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4748.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4749.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4750.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4753.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4759.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4760.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4763.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json,0,TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json,0,TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json,0,TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4738-malformed.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4738.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746-user.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-5136-objectdn-escaped-comma.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-5145.json-expected.json,0,target_path,other_vendor_or_nested,entity_target_generic +windows,forwarded,ingest_pipeline,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3928,user.target.name,ecs_top_level,likely_user_target_or_entity +windows,forwarded,ingest_pipeline,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3934,winlog.event_data.NewTargetUserName,other_vendor_or_nested,likely_user_target_or_entity 
+windows,forwarded,fields_yml_nested,packages/windows/data_stream/forwarded/fields/winlog.yml,274,winlog.event_data.NewTargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,ingest_pipeline,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3929,winlog.event_data.OldTargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,fields_yml_nested,packages/windows/data_stream/forwarded/fields/winlog.yml,316,winlog.event_data.OldTargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_exe_and_dll,fields_yml_nested,packages/windows/data_stream/applocker_exe_and_dll/fields/winlog.yml,213,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,applocker_msi_and_script,fields_yml_nested,packages/windows/data_stream/applocker_msi_and_script/fields/winlog.yml,213,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,applocker_packaged_app_deployment,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_deployment/fields/winlog.yml,213,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,applocker_packaged_app_execution,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml,213,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,fields_yml_nested,packages/windows/data_stream/forwarded/fields/winlog.yml,446,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,powershell,fields_yml_nested,packages/windows/data_stream/powershell/fields/winlog.yml,213,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic 
+windows,powershell_operational,fields_yml_nested,packages/windows/data_stream/powershell_operational/fields/winlog.yml,213,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,sysmon_operational,fields_yml_nested,packages/windows/data_stream/sysmon_operational/fields/winlog.yml,241,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,windows_defender,fields_yml_nested,packages/windows/data_stream/windows_defender/fields/winlog.yml,213,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,ingest_pipeline,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml,603,winlog.event_data.TargetFilename,other_vendor_or_nested,entity_target_generic +windows,sysmon_operational,ingest_pipeline,packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml,603,winlog.event_data.TargetFilename,other_vendor_or_nested,entity_target_generic +windows,sysmon_operational,fields_yml_nested,packages/windows/data_stream/sysmon_operational/fields/winlog.yml,243,winlog.event_data.TargetImage,other_vendor_or_nested,entity_target_generic +windows,applocker_exe_and_dll,fields_yml_nested,packages/windows/data_stream/applocker_exe_and_dll/fields/winlog.yml,215,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic +windows,applocker_msi_and_script,fields_yml_nested,packages/windows/data_stream/applocker_msi_and_script/fields/winlog.yml,215,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic +windows,applocker_packaged_app_deployment,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_deployment/fields/winlog.yml,215,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic 
+windows,applocker_packaged_app_execution,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml,215,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic +windows,forwarded,fields_yml_nested,packages/windows/data_stream/forwarded/fields/winlog.yml,448,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic +windows,powershell,fields_yml_nested,packages/windows/data_stream/powershell/fields/winlog.yml,215,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic +windows,powershell_operational,fields_yml_nested,packages/windows/data_stream/powershell_operational/fields/winlog.yml,215,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic +windows,sysmon_operational,fields_yml_nested,packages/windows/data_stream/sysmon_operational/fields/winlog.yml,245,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic +windows,windows_defender,fields_yml_nested,packages/windows/data_stream/windows_defender/fields/winlog.yml,215,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic +windows,applocker_exe_and_dll,fields_yml_nested,packages/windows/data_stream/applocker_exe_and_dll/fields/winlog.yml,217,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic +windows,applocker_msi_and_script,fields_yml_nested,packages/windows/data_stream/applocker_msi_and_script/fields/winlog.yml,217,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic +windows,applocker_packaged_app_deployment,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_deployment/fields/winlog.yml,217,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic +windows,applocker_packaged_app_execution,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml,217,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,fields_yml_nested,packages/windows/data_stream/forwarded/fields/winlog.yml,450,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic +windows,powershell,fields_yml_nested,packages/windows/data_stream/powershell/fields/winlog.yml,217,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic +windows,powershell_operational,fields_yml_nested,packages/windows/data_stream/powershell_operational/fields/winlog.yml,217,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic +windows,sysmon_operational,fields_yml_nested,packages/windows/data_stream/sysmon_operational/fields/winlog.yml,247,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic +windows,windows_defender,fields_yml_nested,packages/windows/data_stream/windows_defender/fields/winlog.yml,217,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic +windows,applocker_exe_and_dll,fields_yml_nested,packages/windows/data_stream/applocker_exe_and_dll/fields/winlog.yml,219,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,applocker_msi_and_script,fields_yml_nested,packages/windows/data_stream/applocker_msi_and_script/fields/winlog.yml,219,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,applocker_packaged_app_deployment,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_deployment/fields/winlog.yml,219,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,applocker_packaged_app_execution,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml,219,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,ingest_pipeline,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3418,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,forwarded,fields_yml_nested,packages/windows/data_stream/forwarded/fields/winlog.yml,452,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,powershell,fields_yml_nested,packages/windows/data_stream/powershell/fields/winlog.yml,219,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,powershell_operational,fields_yml_nested,packages/windows/data_stream/powershell_operational/fields/winlog.yml,219,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,sysmon_operational,fields_yml_nested,packages/windows/data_stream/sysmon_operational/fields/winlog.yml,249,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,windows_defender,fields_yml_nested,packages/windows/data_stream/windows_defender/fields/winlog.yml,219,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,forwarded,ingest_pipeline,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml,1435,winlog.event_data.TargetProcessGUID,other_vendor_or_nested,entity_target_generic +windows,sysmon_operational,ingest_pipeline,packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml,1435,winlog.event_data.TargetProcessGUID,other_vendor_or_nested,entity_target_generic +windows,sysmon_operational,fields_yml_nested,packages/windows/data_stream/sysmon_operational/fields/winlog.yml,251,winlog.event_data.TargetProcessGUID,other_vendor_or_nested,entity_target_generic +windows,forwarded,ingest_pipeline,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml,1434,winlog.event_data.TargetProcessGuid,other_vendor_or_nested,entity_target_generic 
+windows,sysmon_operational,ingest_pipeline,packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml,1434,winlog.event_data.TargetProcessGuid,other_vendor_or_nested,entity_target_generic +windows,sysmon_operational,fields_yml_nested,packages/windows/data_stream/sysmon_operational/fields/winlog.yml,253,winlog.event_data.TargetProcessId,other_vendor_or_nested,entity_target_generic +windows,applocker_exe_and_dll,fields_yml_nested,packages/windows/data_stream/applocker_exe_and_dll/fields/winlog.yml,221,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic +windows,applocker_msi_and_script,fields_yml_nested,packages/windows/data_stream/applocker_msi_and_script/fields/winlog.yml,221,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic +windows,applocker_packaged_app_deployment,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_deployment/fields/winlog.yml,221,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic +windows,applocker_packaged_app_execution,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml,221,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic +windows,forwarded,fields_yml_nested,packages/windows/data_stream/forwarded/fields/winlog.yml,454,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic +windows,powershell,fields_yml_nested,packages/windows/data_stream/powershell/fields/winlog.yml,221,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic +windows,powershell_operational,fields_yml_nested,packages/windows/data_stream/powershell_operational/fields/winlog.yml,221,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic 
+windows,sysmon_operational,fields_yml_nested,packages/windows/data_stream/sysmon_operational/fields/winlog.yml,255,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic +windows,windows_defender,fields_yml_nested,packages/windows/data_stream/windows_defender/fields/winlog.yml,221,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic +windows,forwarded,fields_yml_nested,packages/windows/data_stream/forwarded/fields/winlog.yml,456,winlog.event_data.TargetSid,other_vendor_or_nested,entity_target_generic +windows,applocker_exe_and_dll,fields_yml_nested,packages/windows/data_stream/applocker_exe_and_dll/fields/winlog.yml,223,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_msi_and_script,fields_yml_nested,packages/windows/data_stream/applocker_msi_and_script/fields/winlog.yml,223,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_deployment,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_deployment/fields/winlog.yml,223,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_execution,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml,223,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,fields_yml_nested,packages/windows/data_stream/forwarded/fields/winlog.yml,458,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,powershell,fields_yml_nested,packages/windows/data_stream/powershell/fields/winlog.yml,223,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity 
+windows,powershell_operational,fields_yml_nested,packages/windows/data_stream/powershell_operational/fields/winlog.yml,223,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,sysmon_operational,fields_yml_nested,packages/windows/data_stream/sysmon_operational/fields/winlog.yml,257,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,windows_defender,fields_yml_nested,packages/windows/data_stream/windows_defender/fields/winlog.yml,223,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_exe_and_dll,fields_yml_nested,packages/windows/data_stream/applocker_exe_and_dll/fields/winlog.yml,225,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_msi_and_script,fields_yml_nested,packages/windows/data_stream/applocker_msi_and_script/fields/winlog.yml,225,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_deployment,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_deployment/fields/winlog.yml,225,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_execution,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml,225,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,fields_yml_nested,packages/windows/data_stream/forwarded/fields/winlog.yml,460,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +windows,powershell,fields_yml_nested,packages/windows/data_stream/powershell/fields/winlog.yml,225,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity 
+windows,powershell_operational,fields_yml_nested,packages/windows/data_stream/powershell_operational/fields/winlog.yml,225,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +windows,sysmon_operational,fields_yml_nested,packages/windows/data_stream/sysmon_operational/fields/winlog.yml,259,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +windows,windows_defender,fields_yml_nested,packages/windows/data_stream/windows_defender/fields/winlog.yml,225,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +windows,windows_defender,ingest_pipeline,packages/windows/data_stream/windows_defender/elasticsearch/ingest_pipeline/default.yml,226,winlog.event_data.Target_Commandline,other_vendor_or_nested,entity_target_generic +windows,applocker_exe_and_dll,fields_yml_nested,packages/windows/data_stream/applocker_exe_and_dll/fields/winlog.yml,360,winlog.user_data.TargetLogonId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_msi_and_script,fields_yml_nested,packages/windows/data_stream/applocker_msi_and_script/fields/winlog.yml,360,winlog.user_data.TargetLogonId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_deployment,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_deployment/fields/winlog.yml,360,winlog.user_data.TargetLogonId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_execution,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml,360,winlog.user_data.TargetLogonId,other_vendor_or_nested,likely_user_target_or_entity +windows,windows_defender,fields_yml_nested,packages/windows/data_stream/windows_defender/fields/winlog.yml,513,winlog.user_data.TargetLogonId,other_vendor_or_nested,likely_user_target_or_entity 
+windows,applocker_exe_and_dll,ingest_pipeline,packages/windows/data_stream/applocker_exe_and_dll/elasticsearch/ingest_pipeline/default.yml,145,winlog.user_data.TargetProcessId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_exe_and_dll,fields_yml_nested,packages/windows/data_stream/applocker_exe_and_dll/fields/winlog.yml,362,winlog.user_data.TargetProcessId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_msi_and_script,ingest_pipeline,packages/windows/data_stream/applocker_msi_and_script/elasticsearch/ingest_pipeline/default.yml,145,winlog.user_data.TargetProcessId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_msi_and_script,fields_yml_nested,packages/windows/data_stream/applocker_msi_and_script/fields/winlog.yml,362,winlog.user_data.TargetProcessId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_deployment,ingest_pipeline,packages/windows/data_stream/applocker_packaged_app_deployment/elasticsearch/ingest_pipeline/default.yml,137,winlog.user_data.TargetProcessId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_deployment,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_deployment/fields/winlog.yml,362,winlog.user_data.TargetProcessId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_execution,ingest_pipeline,packages/windows/data_stream/applocker_packaged_app_execution/elasticsearch/ingest_pipeline/default.yml,137,winlog.user_data.TargetProcessId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_execution,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml,362,winlog.user_data.TargetProcessId,other_vendor_or_nested,likely_user_target_or_entity 
+windows,windows_defender,fields_yml_nested,packages/windows/data_stream/windows_defender/fields/winlog.yml,515,winlog.user_data.TargetProcessId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_exe_and_dll,fields_yml_nested,packages/windows/data_stream/applocker_exe_and_dll/fields/winlog.yml,358,winlog.user_data.TargetUser,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_msi_and_script,fields_yml_nested,packages/windows/data_stream/applocker_msi_and_script/fields/winlog.yml,358,winlog.user_data.TargetUser,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_deployment,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_deployment/fields/winlog.yml,358,winlog.user_data.TargetUser,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_execution,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml,358,winlog.user_data.TargetUser,other_vendor_or_nested,likely_user_target_or_entity +windows,windows_defender,fields_yml_nested,packages/windows/data_stream/windows_defender/fields/winlog.yml,511,winlog.user_data.TargetUser,other_vendor_or_nested,likely_user_target_or_entity +winlog,,fields_yml_nested,packages/winlog/fields/winlog.yml,239,winlog.event_data.NewTargetUserName,vendor_root,likely_user_target_or_entity +winlog,,fields_yml_nested,packages/winlog/fields/winlog.yml,275,winlog.event_data.OldTargetUserName,vendor_root,likely_user_target_or_entity +winlog,,fields_yml_nested,packages/winlog/fields/winlog.yml,399,winlog.event_data.TargetDomainName,vendor_root,entity_target_generic +winlog,,fields_yml_nested,packages/winlog/fields/winlog.yml,401,winlog.event_data.TargetInfo,vendor_root,entity_target_generic +winlog,,fields_yml_nested,packages/winlog/fields/winlog.yml,403,winlog.event_data.TargetLogonGuid,vendor_root,entity_target_generic 
+winlog,,fields_yml_nested,packages/winlog/fields/winlog.yml,405,winlog.event_data.TargetLogonId,vendor_root,entity_target_generic +winlog,,fields_yml_nested,packages/winlog/fields/winlog.yml,407,winlog.event_data.TargetServerName,vendor_root,entity_target_generic +winlog,,fields_yml_nested,packages/winlog/fields/winlog.yml,409,winlog.event_data.TargetSid,vendor_root,entity_target_generic +winlog,,fields_yml_nested,packages/winlog/fields/winlog.yml,411,winlog.event_data.TargetUserName,vendor_root,likely_user_target_or_entity +winlog,,fields_yml_nested,packages/winlog/fields/winlog.yml,413,winlog.event_data.TargetUserSid,vendor_root,likely_user_target_or_entity +withsecure_elements,security_events,expected_json,packages/withsecure_elements/data_stream/security_events/_dev/test/pipeline/test-security-event.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +withsecure_elements,security_events,fields_yml_nested,packages/withsecure_elements/data_stream/security_events/fields/fields.yml,226,withsecure_elements.security_events.details.targetCommandLine,vendor_root,entity_target_generic +withsecure_elements,security_events,fields_yml_nested,packages/withsecure_elements/data_stream/security_events/fields/fields.yml,139,withsecure_elements.security_events.details.targetData,vendor_root,entity_target_generic +withsecure_elements,security_events,fields_yml_nested,packages/withsecure_elements/data_stream/security_events/fields/fields.yml,211,withsecure_elements.security_events.details.targetPath,vendor_root,entity_target_generic +withsecure_elements,security_events,fields_yml_nested,packages/withsecure_elements/data_stream/security_events/fields/fields.yml,214,withsecure_elements.security_events.details.targetSha1,vendor_root,entity_target_generic 
+withsecure_elements,security_events,fields_yml_nested,packages/withsecure_elements/data_stream/security_events/fields/fields.yml,217,withsecure_elements.security_events.details.targetSha256,vendor_root,entity_target_generic +withsecure_elements,security_events,fields_yml_nested,packages/withsecure_elements/data_stream/security_events/fields/fields.yml,55,withsecure_elements.security_events.target,vendor_root,entity_target_generic +withsecure_elements,security_events,fields_yml_nested,packages/withsecure_elements/data_stream/security_events/fields/fields.yml,59,withsecure_elements.security_events.target.id,vendor_root,entity_target_generic +withsecure_elements,security_events,fields_yml_nested,packages/withsecure_elements/data_stream/security_events/fields/fields.yml,62,withsecure_elements.security_events.target.name,vendor_root,entity_target_generic +zoom,webhook,expected_json,packages/zoom/data_stream/webhook/_dev/test/pipeline/test-account.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +zoom,webhook,expected_json,packages/zoom/data_stream/webhook/_dev/test/pipeline/test-user.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +zoom,webhook,ingest_pipeline,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,54,user.target.email,ecs_top_level,likely_user_target_or_entity +zoom,webhook,ingest_pipeline,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,128,user.target.email,ecs_top_level,likely_user_target_or_entity +zoom,webhook,ingest_pipeline,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,70,user.target.full_name,ecs_top_level,likely_user_target_or_entity +zoom,webhook,ingest_pipeline,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,136,user.target.full_name,ecs_top_level,likely_user_target_or_entity 
+zoom,webhook,ingest_pipeline,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,50,user.target.id,ecs_top_level,likely_user_target_or_entity +zoom,webhook,ingest_pipeline,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,120,user.target.id,ecs_top_level,likely_user_target_or_entity +zoom,webhook,ingest_pipeline,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,74,user.target.name,ecs_top_level,likely_user_target_or_entity diff --git a/dev/target-fields-audit/out/security/vendor_target_special_cases_report.md b/dev/target-fields-audit/out/security/vendor_target_special_cases_report.md new file mode 100644 index 00000000000..8b3d596393d --- /dev/null +++ b/dev/target-fields-audit/out/security/vendor_target_special_cases_report.md 
@@ -0,0 +1,71 @@ +# Vendor / integration `*target*` special cases + +- **git HEAD:** `d43ff234d21161ef4cbbc25d56415e4aa72680d9` +- **generated (UTC):** 2026-05-14T09:24:44Z +- **integration packages in scope:** 273 +- **filter:** Only integrations whose root `packages//manifest.yml` includes the `security` category. + +- **deduplicated field hits:** 1642 +- **unique packages with any hit:** 105 +- **unique packages with vendor-namespaced `*target*` paths:** 58 + +## What was scanned + +| Surface | Scope | +| --- | --- | +| `fields/**/*.yml` | Flat `- name: a.b.target...` and nested `- name:` stack paths containing `target`. | +| `elasticsearch/ingest_pipeline/*.{yml,yaml}` | `target_field`, `field`, `copy_from` values containing `target`. | +| `*_dev/test/pipeline/*expected.json` | Quoted dotted JSON keys containing `target` (truncated read). | + +## Namespace classification + +| `namespace_class` | Meaning | +| --- | --- | +| `vendor_root` / `vendor_namespaced` | First path segment matches the integration package slug (e.g. `okta.target`). | +| `ecs_top_level` | Starts with common ECS top-level field (e.g. `file.target_path`). | +| `other_vendor_or_nested` | Other dotted paths (nested vendor, transforms, rare shapes). | + +## `suggest_bucket` (heuristic only) + +Keyword-based guess for runtime `CASE` prioritisation — **not** a product mapping decision. 
+ +## Counts by namespace_class + +- **other_vendor_or_nested:** 1043 +- **vendor_root:** 501 +- **ecs_top_level:** 98 + +## Machine-readable outputs + +- All hits: [`vendor_target_special_cases.csv`](vendor_target_special_cases.csv) +- Triage playbook: [`../VENDOR_TARGET_ANALYSIS_PLAN.md`](../VENDOR_TARGET_ANALYSIS_PLAN.md) + +## Packages with most distinct `field_path` values (top 25) + +| package | distinct_field_paths | +| --- | ---: | +| google_secops | 67 | +| canva | 63 | +| sentinel_one | 62 | +| azure | 50 | +| aws | 48 | +| crowdstrike | 42 | +| jamf_protect | 37 | +| windows | 32 | +| gcp | 27 | +| google_workspace | 27 | +| eset_protect | 22 | +| trellix_epo_cloud | 22 | +| o365 | 19 | +| osquery_manager | 19 | +| spycloud | 19 | +| cyberark_epm | 18 | +| m365_defender | 17 | +| cisco_duo | 16 | +| mongodb_atlas | 16 | +| tenable_io | 16 | +| microsoft_intune | 14 | +| okta | 13 | +| tanium | 13 | +| trendmicro | 13 | +| snyk | 12 | \ No newline at end of file diff --git a/dev/target-fields-audit/out/target_enhancement_packages.csv b/dev/target-fields-audit/out/target_enhancement_packages.csv new file mode 100644 index 00000000000..97381df69f5 --- /dev/null +++ b/dev/target-fields-audit/out/target_enhancement_packages.csv 
@@ -0,0 +1,446 @@ +package,priority,ecs_target_tierA_audit,pipeline_dest_identity,pipeline_dest_network,pipeline_actor,pipeline_entity_other,fixture_strong,docs_lexicon +amazon_security_lake,already_maps_ecs_target,true,true,true,true,false,true,false +atlassian_bitbucket,already_maps_ecs_target,true,false,false,true,false,true,false +atlassian_confluence,already_maps_ecs_target,true,false,false,true,false,true,false +atlassian_jira,already_maps_ecs_target,true,false,false,true,false,true,false +aws,already_maps_ecs_target,true,true,true,true,true,true,true +box_events,already_maps_ecs_target,true,false,false,false,false,true,true +canva,already_maps_ecs_target,true,false,false,true,true,true,false +cisco_duo,already_maps_ecs_target,true,false,false,true,false,true,false +crowdstrike,already_maps_ecs_target,true,true,true,true,false,true,true +cyberarkpas,already_maps_ecs_target,true,true,true,true,false,true,false +gcp,already_maps_ecs_target,true,true,true,true,true,true,true +github,already_maps_ecs_target,true,false,false,false,false,true,false +google_workspace,already_maps_ecs_target,true,false,false,true,true,true,true +hpe_aruba_cx,already_maps_ecs_target,true,false,true,false,false,true,false +keycloak,already_maps_ecs_target,true,false,false,false,false,true,true +mattermost,already_maps_ecs_target,true,false,false,true,false,true,false +microsoft_sqlserver,already_maps_ecs_target,true,false,false,true,false,true,true +mysql_enterprise,already_maps_ecs_target,true,false,false,false,false,true,false +netskope,already_maps_ecs_target,true,true,true,false,false,true,false +o365,already_maps_ecs_target,true,true,true,true,false,true,false +okta,already_maps_ecs_target,true,false,true,true,false,true,false +qnap_nas,already_maps_ecs_target,true,false,false,false,false,true,false +system,already_maps_ecs_target,true,false,true,true,false,true,true +tenable_io,already_maps_ecs_target,true,false,false,false,false,true,false 
+trend_micro_vision_one,already_maps_ecs_target,true,true,true,true,false,true,false +vectra_detect,already_maps_ecs_target,true,true,true,false,false,true,true +windows,already_maps_ecs_target,true,true,true,true,false,true,true +zoom,already_maps_ecs_target,true,true,false,true,false,true,false +zscaler_zpa,already_maps_ecs_target,true,false,false,false,false,false,false +azure_billing,exploratory_docs,false,false,false,false,false,false,true +azure_functions,exploratory_docs,false,false,false,false,false,false,true +azure_metrics,exploratory_docs,false,false,false,false,false,false,true +fortinet_fortiedr,exploratory_docs,false,false,false,false,false,false,true +kubernetes,exploratory_docs,false,false,false,false,false,false,true +microsoft_sentinel,exploratory_docs,false,false,false,false,false,false,true +ti_opencti,exploratory_docs,false,false,false,false,false,false,true +ti_threatconnect,exploratory_docs,false,false,false,false,false,false,true +verifier_otel,exploratory_docs,false,false,false,false,false,false,true +winlog,exploratory_docs,false,false,false,false,false,false,true +1password,moderate_candidate,false,false,false,false,false,true,false +airlock_digital,moderate_candidate,false,false,false,false,false,true,false +auditd,moderate_candidate,false,false,true,false,false,true,false +auditd_manager,moderate_candidate,false,false,true,false,false,true,false +aws_bedrock_agentcore,moderate_candidate,false,false,false,false,false,true,false +azure_network_watcher_vnet,moderate_candidate,false,false,true,false,false,true,true +bbot,moderate_candidate,false,false,false,false,false,true,false +bitdefender,moderate_candidate,false,false,true,false,false,true,false +carbonblack_edr,moderate_candidate,false,false,false,false,false,true,false +cisco_ise,moderate_candidate,false,false,true,false,false,true,false +cyberark_epm,moderate_candidate,false,false,false,false,false,true,true +cyera,moderate_candidate,false,false,false,false,false,true,false 
+darktrace,moderate_candidate,false,false,false,false,false,true,false +dataminr_pulse,moderate_candidate,false,false,false,false,true,false,true +eset_protect,moderate_candidate,false,false,true,false,false,true,false +fim,moderate_candidate,false,false,false,false,false,true,false +forgerock,moderate_candidate,false,false,false,false,false,true,false +gitlab,moderate_candidate,false,false,true,false,false,true,false +greenhouse,moderate_candidate,false,false,false,false,false,true,false +hid_bravura_monitor,moderate_candidate,false,false,false,false,false,true,false +infoblox_bloxone_ddi,moderate_candidate,false,false,false,false,false,true,true +island_browser,moderate_candidate,false,false,false,false,false,true,true +jamf_compliance_reporter,moderate_candidate,false,false,false,false,false,true,false +jamf_pro,moderate_candidate,false,false,false,false,false,true,false +lumos,moderate_candidate,false,false,false,false,false,true,false +microsoft_defender_cloud,moderate_candidate,false,false,false,false,false,true,true +microsoft_exchange_server,moderate_candidate,false,false,false,false,false,true,false +mongodb,moderate_candidate,false,false,false,false,false,true,false +mongodb_atlas,moderate_candidate,false,false,false,false,false,true,false +pps,moderate_candidate,false,false,false,false,false,true,false +prisma_cloud,moderate_candidate,false,false,false,false,false,true,false +proofpoint_itm,moderate_candidate,false,false,false,false,false,true,false +rubrik,moderate_candidate,false,false,false,false,false,true,false +sailpoint_identity_sc,moderate_candidate,false,false,false,false,false,true,false +santa,moderate_candidate,false,false,false,false,false,true,false +sentinel_one,moderate_candidate,false,false,true,false,false,true,true +slack,moderate_candidate,false,false,false,false,true,false,false +snyk,moderate_candidate,false,false,false,false,false,true,false +symantec_endpoint_security,moderate_candidate,false,false,true,false,false,true,true 
+sysdig,moderate_candidate,false,false,false,false,false,true,false +tanium,moderate_candidate,false,false,false,false,false,true,true +tencent_cloud,moderate_candidate,false,false,true,false,false,true,false +ti_crowdstrike,moderate_candidate,false,false,false,false,false,true,false +ti_cyware_intel_exchange,moderate_candidate,false,false,false,false,false,true,true +ti_otx,moderate_candidate,false,false,false,false,false,true,false +ti_recordedfuture,moderate_candidate,false,false,false,false,false,true,true +ti_threatq,moderate_candidate,false,false,false,false,false,true,false +trellix_edr_cloud,moderate_candidate,false,false,true,false,false,true,false +vectra_rux,moderate_candidate,false,false,false,false,true,false,false +withsecure_elements,moderate_candidate,false,false,false,false,false,true,false +wiz,moderate_candidate,false,false,true,false,false,true,true +zerofox,moderate_candidate,false,false,false,false,true,false,false +azure_network_watcher_nsg,moderate_candidate_network_dest,false,false,true,false,false,false,false +barracuda,moderate_candidate_network_dest,false,false,true,false,false,false,false +beelzebub,moderate_candidate_network_dest,false,false,true,false,false,false,false +bluecoat,moderate_candidate_network_dest,false,false,true,false,false,false,true +checkpoint_harmony_endpoint,moderate_candidate_network_dest,false,false,true,false,false,false,true +cisco_aironet,moderate_candidate_network_dest,false,false,true,false,false,false,false +cisco_meraki,moderate_candidate_network_dest,false,false,true,false,false,false,false +cisco_secure_email_gateway,moderate_candidate_network_dest,false,false,true,false,false,false,false +cisco_secure_endpoint,moderate_candidate_network_dest,false,false,true,false,false,false,false +cloudflare,moderate_candidate_network_dest,false,false,true,false,false,false,false +coredns,moderate_candidate_network_dest,false,false,true,false,false,false,false 
+cybereason,moderate_candidate_network_dest,false,false,true,false,false,false,false +cylance,moderate_candidate_network_dest,false,false,true,false,false,false,true +endace,moderate_candidate_network_dest,false,false,true,false,false,false,false +envoyproxy,moderate_candidate_network_dest,false,false,true,false,false,false,false +extrahop,moderate_candidate_network_dest,false,false,true,false,false,false,true +forcepoint_web,moderate_candidate_network_dest,false,false,true,false,false,false,false +fortinet_forticlient,moderate_candidate_network_dest,false,false,true,false,false,false,true +fortinet_fortimanager,moderate_candidate_network_dest,false,false,true,false,false,false,false +fortinet_fortiproxy,moderate_candidate_network_dest,false,false,true,false,false,false,false +gigamon,moderate_candidate_network_dest,false,false,true,false,false,false,false +goflow2,moderate_candidate_network_dest,false,false,true,false,false,false,false +ibmmq,moderate_candidate_network_dest,false,false,true,false,false,false,false +imperva_cloud_waf,moderate_candidate_network_dest,false,false,true,false,false,false,false +iptables,moderate_candidate_network_dest,false,false,true,false,false,false,false +juniper_junos,moderate_candidate_network_dest,false,false,true,false,false,false,true +juniper_netscreen,moderate_candidate_network_dest,false,false,true,false,false,false,true +macos,moderate_candidate_network_dest,false,false,true,false,false,false,false +menlo,moderate_candidate_network_dest,false,false,true,false,false,false,false +microsoft_dnsserver,moderate_candidate_network_dest,false,false,true,false,false,false,true +mimecast,moderate_candidate_network_dest,false,false,true,false,false,false,true +modsecurity,moderate_candidate_network_dest,false,false,true,false,false,false,false +netflow,moderate_candidate_network_dest,false,false,true,false,false,false,false +netscout,moderate_candidate_network_dest,false,false,true,false,false,false,true 
+network_traffic,moderate_candidate_network_dest,false,false,true,false,false,false,false +panw_cortex_xdr,moderate_candidate_network_dest,false,false,true,false,false,false,false +proofpoint_365totalprotection,moderate_candidate_network_dest,false,false,true,false,false,false,false +proofpoint_essentials,moderate_candidate_network_dest,false,false,true,false,false,false,false +proofpoint_tap,moderate_candidate_network_dest,false,false,true,false,false,false,false +radware,moderate_candidate_network_dest,false,false,true,false,false,false,true +snort,moderate_candidate_network_dest,false,false,true,false,false,false,false +tenable_ot_security,moderate_candidate_network_dest,false,false,true,false,false,false,false +tomcat,moderate_candidate_network_dest,false,false,true,false,false,false,true +vsphere,moderate_candidate_network_dest,false,false,true,false,false,false,false +zeek,moderate_candidate_network_dest,false,false,true,false,false,false,true +activemq,none,false,false,false,false,false,false,false +activemq_otel,none,false,false,false,false,false,false,false +admin_by_request_epm,none,false,false,false,false,false,false,false +agentless_hello_world,none,false,false,false,false,false,false,false +airflow,none,false,false,false,false,false,false,false +airflow_otel,none,false,false,false,false,false,false,false +akamai,none,false,false,false,false,false,false,false +apache_input_otel,none,false,false,false,false,false,false,false +apache_otel,none,false,false,false,false,false,false,false +apache_spark,none,false,false,false,false,false,false,false +apache_tomcat_otel,none,false,false,false,false,false,false,false +apm,none,false,false,false,false,false,false,false +armis,none,false,false,false,false,false,false,false +auth0,none,false,false,false,false,false,false,false +authentik,none,false,false,false,false,false,false,false +aws_bedrock,none,false,false,false,false,false,false,false +aws_billing,none,false,false,false,false,false,false,false 
+aws_cloudtrail_otel,none,false,false,false,false,false,false,false +aws_elb_otel,none,false,false,false,false,false,false,false +aws_logs,none,false,false,false,false,false,false,false +aws_mq,none,false,false,false,false,false,false,false +aws_securityhub,none,false,false,false,false,false,false,false +aws_vpcflow_otel,none,false,false,false,false,false,false,false +aws_waf_otel,none,false,false,false,false,false,false,false +awsfargate,none,false,false,false,false,false,false,false +awsfirehose,none,false,false,false,false,false,false,false +azure_activity_otel,none,false,false,false,false,false,false,false +azure_ai_foundry,none,false,false,false,false,false,false,false +azure_app_service,none,false,false,false,false,false,false,false +azure_application_insights,none,false,false,false,false,false,false,false +azure_blob_storage,none,false,false,false,false,false,false,false +azure_frontdoor,none,false,false,false,false,false,false,false +azure_logs,none,false,false,false,false,false,false,false +azure_openai,none,false,false,false,false,false,false,false +beaconing,none,false,false,false,false,false,false,false +beat,none,false,false,false,false,false,false,false +beyondinsight_password_safe,none,false,false,false,false,false,false,false +bitsight,none,false,false,false,false,false,false,false +blacklens,none,false,false,false,false,false,false,false +cassandra,none,false,false,false,false,false,false,false +cassandra_otel,none,false,false,false,false,false,false,false +cel,none,false,false,false,false,false,false,false +ceph,none,false,false,false,false,false,false,false +cisa_kevs,none,false,false,false,false,false,false,false +cisco_meraki_metrics,none,false,false,false,false,false,false,false +cisco_nexus,none,false,false,false,false,false,false,false +citrix_waf,none,false,false,false,false,false,false,false +cloud_asset_inventory,none,false,false,false,false,false,false,false +cloud_defend,none,false,false,false,false,false,false,false 
+cloud_security_posture,none,false,false,false,false,false,false,false +cockroachdb,none,false,false,false,false,false,false,false +cockroachdb_otel,none,false,false,false,false,false,false,false +containerd,none,false,false,false,false,false,false,false +corelight,none,false,false,false,false,false,false,false +couchbase,none,false,false,false,false,false,false,false +couchdb,none,false,false,false,false,false,false,false +couchdb_otel,none,false,false,false,false,false,false,false +cribl,none,false,false,false,false,false,false,false +ded,none,false,false,false,false,false,false,false +dga,none,false,false,false,false,false,false,false +digital_guardian,none,false,false,false,false,false,false,false +docker,none,false,false,false,false,false,false,false +docker_input_otel,none,false,false,false,false,false,false,false +docker_otel,none,false,false,false,false,false,false,false +ece,none,false,false,false,false,false,false,false +elastic_agent,none,false,false,false,false,false,false,false +elastic_connectors,none,false,false,false,false,false,false,false +elastic_package_registry,none,false,false,false,false,false,false,false +elastic_security,none,false,false,false,false,false,false,false +elasticapm_input_otel,none,false,false,false,false,false,false,false +elasticsearch,none,false,false,false,false,false,false,false +enterprisesearch,none,false,false,false,false,false,false,false +entityanalytics_ad,none,false,false,false,false,false,false,false +entityanalytics_entra_id,none,false,false,false,false,false,false,false +entityanalytics_okta,none,false,false,false,false,false,false,false +entro,none,false,false,false,false,false,false,false +envoyproxy_otel,none,false,false,false,false,false,false,false +ess_billing,none,false,false,false,false,false,false,false +etcd,none,false,false,false,false,false,false,false +etcd_otel,none,false,false,false,false,false,false,false +filelog_otel,none,false,false,false,false,false,false,false 
+filestream,none,false,false,false,false,false,false,false +first_epss,none,false,false,false,false,false,false,false +fleet_server,none,false,false,false,false,false,false,false +forescout,none,false,false,false,false,false,false,false +gcp_audit_otel,none,false,false,false,false,false,false,false +gcp_metrics,none,false,false,false,false,false,false,false +gcp_pubsub,none,false,false,false,false,false,false,false +gcp_vpcflow_otel,none,false,false,false,false,false,false,false +golang,none,false,false,false,false,false,false,false +google_cloud_storage,none,false,false,false,false,false,false,false +grafana,none,false,false,false,false,false,false,false +hadoop,none,false,false,false,false,false,false,false +haproxy_otel,none,false,false,false,false,false,false,false +hashicorp_vault,none,false,false,false,false,false,false,false +hostmetrics_input_otel,none,false,false,false,false,false,false,false +hta,none,false,false,false,false,false,false,false +http_endpoint,none,false,false,false,false,false,false,false +httpcheck_otel,none,false,false,false,false,false,false,false +httpjson,none,false,false,false,false,false,false,false +ibm_qradar,none,false,false,false,false,false,false,false +ibmmq_otel,none,false,false,false,false,false,false,false +iis_input_otel,none,false,false,false,false,false,false,false +iis_otel,none,false,false,false,false,false,false,false +influxdb,none,false,false,false,false,false,false,false +influxdb_otel,none,false,false,false,false,false,false,false +infoblox_nios,none,false,false,false,false,false,false,false +ironscales,none,false,false,false,false,false,false,false +jaeger_input_otel,none,false,false,false,false,false,false,false +jolokia_input,none,false,false,false,false,false,false,false +journald,none,false,false,false,false,false,false,false +jupiter_one,none,false,false,false,false,false,false,false +kafka,none,false,false,false,false,false,false,false +kafka_connect,none,false,false,false,false,false,false,false 
+kafka_input_otel,none,false,false,false,false,false,false,false +kafka_log,none,false,false,false,false,false,false,false +kafka_otel,none,false,false,false,false,false,false,false +keeper_security_siem_integration,none,false,false,false,false,false,false,false +kibana,none,false,false,false,false,false,false,false +kubeletstats_input_otel,none,false,false,false,false,false,false,false +kubernetes_otel,none,false,false,false,false,false,false,false +lastpass,none,false,false,false,false,false,false,false +linux,none,false,false,false,false,false,false,false +lmd,none,false,false,false,false,false,false,false +log,none,false,false,false,false,false,false,false +logstash,none,false,false,false,false,false,false,false +lyve_cloud,none,false,false,false,false,false,false,false +memcached,none,false,false,false,false,false,false,false +memcached_otel,none,false,false,false,false,false,false,false +microsoft_defender_endpoint,none,false,false,false,false,false,false,false +microsoft_dhcp,none,false,false,false,false,false,false,false +microsoft_sqlserver_otel,none,false,false,false,false,false,false,false +miniflux,none,false,false,false,false,false,false,false +mongodb_otel,none,false,false,false,false,false,false,false +mysql,none,false,false,false,false,false,false,false +mysql_input_otel,none,false,false,false,false,false,false,false +mysql_otel,none,false,false,false,false,false,false,false +nagios_xi,none,false,false,false,false,false,false,false +nats,none,false,false,false,false,false,false,false +neon_cyber,none,false,false,false,false,false,false,false +netbox,none,false,false,false,false,false,false,false +nextron_thor,none,false,false,false,false,false,false,false +nginx_ingress_controller_otel,none,false,false,false,false,false,false,false +nginx_input_otel,none,false,false,false,false,false,false,false +nginx_otel,none,false,false,false,false,false,false,false +nvidia_gpu,none,false,false,false,false,false,false,false 
+nvidia_gpu_otel,none,false,false,false,false,false,false,false +o365_metrics,none,false,false,false,false,false,false,false +openai,none,false,false,false,false,false,false,false +oracle,none,false,false,false,false,false,false,false +oracle_otel,none,false,false,false,false,false,false,false +oracle_weblogic,none,false,false,false,false,false,false,false +osquery,none,false,false,false,false,false,false,false +osquery_manager,none,false,false,false,false,false,false,false +otel_android_dashboards,none,false,false,false,false,false,false,false +otel_collector_internal_telemetry,none,false,false,false,false,false,false,false +otel_rum_dashboards,none,false,false,false,false,false,false,false +otlp_input_otel,none,false,false,false,false,false,false,false +pad,none,false,false,false,false,false,false,false +panw_metrics,none,false,false,false,false,false,false,false +php_fpm,none,false,false,false,false,false,false,false +ping_one,none,false,false,false,false,false,false,false +platform_observability,none,false,false,false,false,false,false,false +postgresql,none,false,false,false,false,false,false,false +postgresql_otel,none,false,false,false,false,false,false,false +problemchild,none,false,false,false,false,false,false,false +profiling_otel,none,false,false,false,false,false,false,false +profilingmetrics_otel,none,false,false,false,false,false,false,false +prometheus,none,false,false,false,false,false,false,false +prometheus_input,none,false,false,false,false,false,false,false +prometheus_input_otel,none,false,false,false,false,false,false,false +prometheus_input_otel_raw,none,false,false,false,false,false,false,false +proxysg,none,false,false,false,false,false,false,false +pulse_connect_secure,none,false,false,false,false,false,false,false +qualys_gav,none,false,false,false,false,false,false,false +qualys_vmdr,none,false,false,false,false,false,false,false +qualys_was,none,false,false,false,false,false,false,false 
+rabbitmq,none,false,false,false,false,false,false,false
+rabbitmq_otel,none,false,false,false,false,false,false,false
+rapid7_insightvm,none,false,false,false,false,false,false,false
+redis,none,false,false,false,false,false,false,false
+redis_input_otel,none,false,false,false,false,false,false,false
+redis_otel,none,false,false,false,false,false,false,false
+redisenterprise,none,false,false,false,false,false,false,false
+redisenterprise_otel,none,false,false,false,false,false,false,false
+salesforce,none,false,false,false,false,false,false,false
+security_ai_prompts,none,false,false,false,false,false,false,false
+security_detection_engine,none,false,false,false,false,false,false,false
+servicenow,none,false,false,false,false,false,false,false
+sql_input,none,false,false,false,false,false,false,false
+sql_server_input_otel,none,false,false,false,false,false,false,false
+stan,none,false,false,false,false,false,false,false
+statsd_input,none,false,false,false,false,false,false,false
+statsd_input_otel,none,false,false,false,false,false,false,false
+synthetics,none,false,false,false,false,false,false,false
+synthetics_dashboards,none,false,false,false,false,false,false,false
+syslog_router,none,false,false,false,false,false,false,false
+system_audit,none,false,false,false,false,false,false,false
+system_otel,none,false,false,false,false,false,false,false
+tcp,none,false,false,false,false,false,false,false
+tenable_sc,none,false,false,false,false,false,false,false
+tetragon,none,false,false,false,false,false,false,false
+threat_map,none,false,false,false,false,false,false,false
+thycotic_ss,none,false,false,false,false,false,false,false
+ti_abusech,none,false,false,false,false,false,false,false
+ti_anomali,none,false,false,false,false,false,false,false
+ti_anyrun,none,false,false,false,false,false,false,false
+ti_cif3,none,false,false,false,false,false,false,false
+ti_custom,none,false,false,false,false,false,false,false
+ti_cybersixgill,none,false,false,false,false,false,false,false
+ti_domaintools,none,false,false,false,false,false,false,false
+ti_eclecticiq,none,false,false,false,false,false,false,false
+ti_eset,none,false,false,false,false,false,false,false
+ti_flashpoint,none,false,false,false,false,false,false,false
+ti_google_threat_intelligence,none,false,false,false,false,false,false,false
+ti_greynoise,none,false,false,false,false,false,false,false
+ti_maltiverse,none,false,false,false,false,false,false,false
+ti_mandiant_advantage,none,false,false,false,false,false,false,false
+ti_misp,none,false,false,false,false,false,false,false
+ti_rapid7_threat_command,none,false,false,false,false,false,false,false
+ti_strider,none,false,false,false,false,false,false,false
+ti_util,none,false,false,false,false,false,false,false
+tines,none,false,false,false,false,false,false,false
+traefik_otel,none,false,false,false,false,false,false,false
+udp,none,false,false,false,false,false,false,false
+unifiedlogs,none,false,false,false,false,false,false,false
+universal_profiling_agent,none,false,false,false,false,false,false,false
+universal_profiling_collector,none,false,false,false,false,false,false,false
+universal_profiling_symbolizer,none,false,false,false,false,false,false,false
+varonis,none,false,false,false,false,false,false,false
+vsphere_otel,none,false,false,false,false,false,false,false
+websocket,none,false,false,false,false,false,false,false
+websphere_application_server,none,false,false,false,false,false,false,false
+windows_etw,none,false,false,false,false,false,false,false
+wmi,none,false,false,false,false,false,false,false
+zeronetworks,none,false,false,false,false,false,false,false
+zipkin_input_otel,none,false,false,false,false,false,false,false
+zookeeper,none,false,false,false,false,false,false,false
+zookeeper_otel,none,false,false,false,false,false,false,false
+abnormal_security,strong_candidate,false,true,false,false,false,false,true
+apache,strong_candidate,false,true,true,false,false,false,false
+apache_tomcat,strong_candidate,false,false,true,true,false,false,false
+arista_ngfw,strong_candidate,false,true,true,false,false,false,false
+azure,strong_candidate,false,true,true,true,true,true,true
+barracuda_cloudgen_firewall,strong_candidate,false,true,true,false,false,true,true
+beyondtrust_pra,strong_candidate,false,true,true,true,false,false,false
+bitwarden,strong_candidate,false,false,false,true,false,false,false
+carbon_black_cloud,strong_candidate,false,true,true,false,false,true,false
+cef,strong_candidate,false,true,true,true,false,true,false
+checkpoint,strong_candidate,false,true,true,true,false,true,true
+checkpoint_email,strong_candidate,false,true,false,true,false,false,false
+cisco_asa,strong_candidate,false,true,true,true,false,true,false
+cisco_ftd,strong_candidate,false,true,true,true,false,false,false
+cisco_ios,strong_candidate,false,true,true,true,false,false,false
+cisco_umbrella,strong_candidate,false,true,true,false,false,false,false
+citrix_adc,strong_candidate,false,true,true,true,false,false,false
+claroty_ctd,strong_candidate,false,true,true,false,true,false,false
+claroty_xdome,strong_candidate,false,false,true,true,false,false,false
+cloudflare_logpush,strong_candidate,false,true,true,false,false,false,false
+cyberark_pta,strong_candidate,false,true,false,true,false,false,false
+f5_bigip,strong_candidate,false,true,true,true,false,false,false
+falco,strong_candidate,false,true,true,false,false,false,false
+fireeye,strong_candidate,false,true,true,false,false,false,false
+fortinet_fortigate,strong_candidate,false,true,true,true,false,true,true
+fortinet_fortimail,strong_candidate,false,false,true,true,false,false,true
+gcp_vertexai,strong_candidate,false,false,false,true,false,false,true
+google_scc,strong_candidate,false,false,true,true,false,true,true
+google_secops,strong_candidate,false,true,true,true,false,true,false
+haproxy,strong_candidate,false,true,true,false,false,false,false
+iis,strong_candidate,false,true,true,false,false,false,false
+imperva,strong_candidate,false,true,true,false,false,false,false
+infoblox_threat_defense,strong_candidate,false,false,true,true,false,false,false
+istio,strong_candidate,false,true,true,false,false,false,false
+jamf_protect,strong_candidate,false,true,true,false,false,false,true
+jumpcloud,strong_candidate,false,true,true,true,false,false,false
+juniper_srx,strong_candidate,false,true,true,true,false,false,true
+m365_defender,strong_candidate,false,true,true,true,false,true,true
+microsoft_exchange_online_message_trace,strong_candidate,false,true,true,true,false,false,false
+microsoft_intune,strong_candidate,false,true,false,false,false,true,true
+nginx,strong_candidate,false,true,true,false,false,false,false
+nginx_ingress_controller,strong_candidate,false,true,true,false,false,false,false
+nozomi_networks,strong_candidate,false,true,true,false,false,false,false
+opencanary,strong_candidate,false,true,true,false,false,false,false
+panw,strong_candidate,false,true,true,true,false,false,true
+pfsense,strong_candidate,false,true,true,false,false,false,false
+ping_federate,strong_candidate,false,true,false,false,false,false,false
+prisma_access,strong_candidate,false,true,true,true,false,false,true
+proofpoint_on_demand,strong_candidate,false,false,false,true,false,false,false
+sentinel_one_cloud_funnel,strong_candidate,false,true,true,false,false,false,false
+sonicwall_firewall,strong_candidate,false,true,true,false,false,false,false
+sophos,strong_candidate,false,true,true,true,false,true,false
+sophos_central,strong_candidate,false,false,true,true,false,false,true
+splunk,strong_candidate,false,false,true,true,false,false,false
+spring_boot,strong_candidate,false,false,false,true,false,false,false
+spycloud,strong_candidate,false,true,false,false,false,true,false
+squid,strong_candidate,false,false,true,true,false,false,false
+stormshield,strong_candidate,false,true,true,false,false,false,false
+sublime_security,strong_candidate,false,true,false,true,false,false,true
+suricata,strong_candidate,false,true,true,false,false,true,true
+swimlane,strong_candidate,false,true,false,true,false,true,false
+symantec_endpoint,strong_candidate,false,true,true,false,false,false,false
+sysmon_linux,strong_candidate,false,true,true,false,false,false,true
+teleport,strong_candidate,false,true,true,false,false,true,true
+traefik,strong_candidate,false,true,true,false,false,false,false
+trellix_epo_cloud,strong_candidate,false,true,true,true,false,true,false
+trendmicro,strong_candidate,false,true,true,true,false,true,true
+tychon,strong_candidate,false,true,true,false,false,true,false
+watchguard_firebox,strong_candidate,false,true,true,true,false,true,false
+zscaler_zia,strong_candidate,false,true,true,false,false,false,false
diff --git a/dev/target-fields-audit/out/target_enhancement_report.md b/dev/target-fields-audit/out/target_enhancement_report.md
new file mode 100644
index 00000000000..83b7f47b298
--- /dev/null
+++ b/dev/target-fields-audit/out/target_enhancement_report.md
@@ -0,0 +1,70 @@
+# ECS target semantics — enhancement opportunity report
+
+- **git HEAD:** `d43ff234d21161ef4cbbc25d56415e4aa72680d9`
+- **generated (UTC):** 2026-05-20T08:56:40Z
+- **packages scanned:** 445
+
+- **audit CSV used:** `dev/target-fields-audit/out/target_fields_audit.csv` (Tier A ECS `*.target.*` packages: 29)
+
+## What this report is (and is not)
+
+**Is:** A static, heuristic pass over this repository only — ingest pipeline YAML,
+pipeline `*expected.json` fixtures (truncated for very large files), and `docs/**/*.md`.
+Signals are meant to suggest where vendor logs *might* describe a second party
+(user/host/service/resource) that could be modeled as ECS **target** fields or
+**`entity.target.*`** when classification is unclear.
+
+**Is not:** Log volume, production field population, or vendor API guarantees.
+Each row still needs product/security review before changing mappings.
+
+## Method — signal definitions
+
+| Signal | Meaning |
+| --- | --- |
+| `pipeline_dest_identity` | Pipeline references `destination.user`, `destination.host`, `destination.domain`, etc. |
+| `pipeline_dest_network` | Pipeline references `destination.ip`, `destination.address`, ports/geo/bytes (common in flow logs). |
+| `pipeline_actor` | `principal`, `victim`, `impersonat`, `protoPayload.authentication`, `source.user`, etc. (not `related.*`) |
+| `pipeline_entity_other` | `entity.id` / `entity.name` / `entity.type` (not already `entity.target.*`). |
+| `fixture_strong` | Pipeline expected JSON contains destination identity, ECS `*.target.*`, or JSON keys containing `target`. |
+| `docs_lexicon` | Docs mention “target user/host”, “affected user”, “principal”, “victim”, etc. |
+
+## Priority labels (per package)
+
+| Label | Rule |
+| --- | --- |
+| `already_maps_ecs_target` | Listed with Tier A hits for `host|user|service|entity.target.*` in the audit CSV. |
+| `strong_candidate` | Not already mapped **and** (`pipeline_dest_identity` **or** `pipeline_actor`). |
+| `moderate_candidate` | Not stronger **and** (`fixture_strong` **or** `pipeline_entity_other`). |
+| `moderate_candidate_network_dest` | Not stronger **and** only `pipeline_dest_network` among pipeline/fixture signals. |
+| `exploratory_docs` | Not above **and** `docs_lexicon` only. |
+| `none` | No heuristic signal. |
+
+## Counts
+
+| Priority | Packages | Share of scanned |
+| --- | ---: | ---: |
+| Already maps ECS target (Tier A audit) | 29 | 6.5% |
+| **Strong enhancement candidate** | 70 | 15.7% |
+| Moderate (fixtures / generic entity) | 52 | 11.7% |
+| Moderate (network `destination.*` only) | 45 | 10.1% |
+| Exploratory (documentation phrasing only) | 10 | 2.2% |
+| No signal | 239 | 53.7% |
+
+### Interpretation
+
+- **Already using ECS target fields in pipelines (audit):** 29 / 445 packages.
+- **Packages we would revisit first for new target mappings:** **70** strong candidates.
+- **Broader backlog (includes weaker / noisier signals):** **177** packages (strong + moderate + moderate_network_only + exploratory), i.e. anything not `none` and not already mapped.
+- If you only trust identity/actor-style pipeline evidence, focus on the **70** strong bucket first, then selectively pull from **52** moderate cases after reviewing fixtures.
+
+**Note:** `strong_candidate` is an **upper bound**. Some regex matches (e.g. `destination.host` in pure flow telemetry) reflect common ECS patterns without always implying a distinct “target” entity for SIEM. Use [`target_enhancement_packages.csv`](target_enhancement_packages.csv) to triage by toggling signals off in a spreadsheet filter.
+
+## Machine-readable output
+
+- Per-package flags: [`target_enhancement_packages.csv`](target_enhancement_packages.csv)
+
+## Follow-ups (not automated here)
+
+- Vendor-specific field dictionaries (OCSF, ASIM, raw vendor `target*`) → ECS mapping tables.
+- Runtime sampling / simulate ingest to confirm population rates.
+- When entity type is unknown, map remaining attributes to **`entity.target.*`** per your placeholder rule.
diff --git a/dev/target-fields-audit/out/target_fields_audit.csv b/dev/target-fields-audit/out/target_fields_audit.csv
new file mode 100644
index 00000000000..a6a09c4ddd9
--- /dev/null
+++ b/dev/target-fields-audit/out/target_fields_audit.csv
@@ -0,0 +1,1827 @@
+tier,package,data_stream,file,line,matched_prefix,snippet
+A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,159,user.target.,field: user.target.domain
+A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,164,user.target.,field: user.target.email
+A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,175,user.target.,field: user.target.full_name
+A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,191,user.target.,field: user.target.group.id
+A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,201,user.target.,field: user.target.group.name
+A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,206,user.target.,field: user.target.id
+A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,217,user.target.,field: user.target.name
+A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,6,user.target.,field: user.target.domain
+A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,11,user.target.,field: user.target.email
+A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,22,user.target.,field: user.target.full_name
+A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,38,user.target.,field: user.target.group.id
+A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,48,user.target.,field: user.target.group.name
+A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,53,user.target.,field: user.target.id
+A,amazon_security_lake,event,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,64,user.target.,field: user.target.name
+C,amazon_security_lake,,packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d.json,7,user.target.,"""panelsJSON"": ""{\""7074e9a5-6114-4da7-bcda-8104441487c1\"":{\""type\"":\""optionsListControl\"",\""order\"":0,\""grow\"":true,\""width\"":\""medium\"",\""explicitInput\"":{\""id\"":\""7074e9a5-6114-4da7-bcda-8104441487c1\"",\""fieldName\"":\""user.target.name\..."
+C,amazon_security_lake,,packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d.json,2126,user.target.,"""sourceField"": ""user.target.name"""
+C,amazon_security_lake,,packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112.json,2734,user.target.,"""sourceField"": ""user.target.name"""
+A,atlassian_bitbucket,audit,packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,381,user.target.,"ctx.user.target.put(""group"", map);"
+A,atlassian_bitbucket,audit,packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,391,user.target.,"ctx.user.target.group.put(""name"", ctx.bitbucket?.audit?.affected_objects[j]?.name);"
+A,atlassian_bitbucket,audit,packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,392,user.target.,"ctx.user.target.group.put(""id"", ctx.bitbucket?.audit?.affected_objects[j]?.id);"
+A,atlassian_bitbucket,audit,packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,397,user.target.,"ctx.user.target.put(""name"", ctx.bitbucket?.audit?.affected_objects[j]?.name);"
+A,atlassian_bitbucket,audit,packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,398,user.target.,"ctx.user.target.put(""id"", ctx.bitbucket?.audit?.affected_objects[j]?.id);"
+A,atlassian_bitbucket,audit,packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,408,user.target.,"ctx.user.target.put(""name"", ctx.bitbucket?.audit?.changed_values[j]?.from);"
+A,atlassian_bitbucket,audit,packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,420,user.target.,value: '{{{user.target.name}}}'
+A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,320,user.target.,"ctx.user.target.put(""group"", map);"
+A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,339,user.target.,"ctx.user.target.group.put(""name"", group_name);"
+A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,340,user.target.,"ctx.user.target.group.put(""id"", group_id);"
+A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,345,user.target.,"ctx.user.target.put(""full_name"", ctx.confluence?.audit?.affected_objects[j]?.name);"
+A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,346,user.target.,"ctx.user.target.put(""id"", ctx.confluence?.audit?.affected_objects[j]?.id);"
+A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,350,user.target.,"ctx.user.target.put(""name"", m.group(1));"
+A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,355,user.target.,"ctx.user.target.put(""name"", ctx.confluence?.audit?.affected_objects[j]?.name);"
+A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,356,user.target.,"ctx.user.target.put(""id"", ctx.confluence?.audit?.affected_objects[j]?.id);"
+A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,376,user.target.,"ctx.user.target.put(""name"", ctx.confluence?.audit?.changed_values[j]?.from);"
+A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,382,user.target.,"ctx.user.target.put(""name"", ctx.confluence?.audit?.changed_values[j]?.to);"
+A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,384,user.target.,"ctx.user.target.put(""name"", ctx.confluence?.audit?.changed_values[j]?.from);"
+A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,389,user.target.,"ctx.user.target.put(""email"", ctx.confluence?.audit?.changed_values[j]?.to);"
+A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,391,user.target.,"ctx.user.target.put(""email"", ctx.confluence?.audit?.changed_values[j]?.from);"
+A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,396,user.target.,"ctx.user.target.put(""full_name"", ctx.confluence?.audit?.changed_values[j]?.to);"
+A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,398,user.target.,"ctx.user.target.put(""full_name"", ctx.confluence?.audit?.changed_values[j]?.from);"
+A,atlassian_confluence,audit,packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,411,user.target.,value: '{{{user.target.name}}}'
+A,atlassian_jira,audit,packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,360,user.target.,"ctx.user.target.put(""group"", map);"
+A,atlassian_jira,audit,packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,369,user.target.,"ctx.user.target.group.put(""name"", ctx.jira?.audit?.affected_objects[j]?.name);"
+A,atlassian_jira,audit,packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,370,user.target.,"ctx.user.target.group.put(""id"", ctx.jira?.audit?.affected_objects[j]?.id);"
+A,atlassian_jira,audit,packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,375,user.target.,"ctx.user.target.put(""name"", ctx.jira?.audit?.affected_objects[j]?.name);"
+A,atlassian_jira,audit,packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,376,user.target.,"ctx.user.target.put(""id"", ctx.jira?.audit?.affected_objects[j]?.id);"
+A,atlassian_jira,audit,packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,386,user.target.,"ctx.user.target.put(""name"", ctx.jira?.audit?.changed_values[j]?.from);"
+A,atlassian_jira,audit,packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,393,user.target.,"ctx.user.target.put(""name"", ctx.jira?.audit?.changed_values[j]?.from);"
+A,atlassian_jira,audit,packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,399,user.target.,"ctx.user.target.put(""email"", ctx.jira?.audit?.changed_values[j]?.from);"
+A,atlassian_jira,audit,packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,405,user.target.,"ctx.user.target.put(""full_name"", ctx.jira?.audit?.changed_values[j]?.from);"
+A,atlassian_jira,audit,packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,418,user.target.,value: '{{{user.target.name}}}'
+B,auditd,log,packages/auditd/data_stream/log/fields/ecs.yml,84,user.target.,name: user.target.group.id
+B,auditd,log,packages/auditd/data_stream/log/fields/ecs.yml,86,user.target.,name: user.target.group.name
+B,auditd,log,packages/auditd/data_stream/log/fields/ecs.yml,88,user.target.,name: user.target.id
+B,auditd,log,packages/auditd/data_stream/log/fields/ecs.yml,90,user.target.,name: user.target.name
+B,auditd_manager,auditd,packages/auditd_manager/data_stream/auditd/fields/ecs.yml,73,user.target.,- name: user.target.id
+B,auditd_manager,auditd,packages/auditd_manager/data_stream/auditd/fields/ecs.yml,75,user.target.,- name: user.target.name
+B,auditd_manager,auditd,packages/auditd_manager/data_stream/auditd/fields/ecs.yml,81,user.target.,- name: user.target.group.id
+B,auditd_manager,auditd,packages/auditd_manager/data_stream/auditd/fields/ecs.yml,83,user.target.,- name: user.target.group.name
+A,aws,cloudtrail,packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml,934,user.target.,"field(""user.target.entity.id"").set(userTargets);"
+A,aws,cloudtrail,packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml,937,host.target.,"field(""host.target.entity.id"").set(hostTargets);"
+A,aws,cloudtrail,packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml,941,service.target.,"field(""service.target.entity.id"").set(serviceTargets);"
+A,aws,cloudtrail,packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml,944,entity.target.,"field(""entity.target.id"").set(genericTargets);"
+A,aws,cloudtrail,packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml,1934,user.target.,field: user.target.id
+A,aws,cloudtrail,packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml,1946,user.target.,field: user.target.name
+B,aws,cloudtrail,packages/aws/data_stream/cloudtrail/fields/fields.yml,205,entity.target.,"description: ""[Deprecated] Legacy field containing all target entity identifiers. For type-specific entities, use user.target.entity.id, service.target.entity.id, host.target.entity.id, or entity.target.id instead."""
+B,aws,cloudtrail,packages/aws/data_stream/cloudtrail/fields/fields.yml,205,host.target.,"description: ""[Deprecated] Legacy field containing all target entity identifiers. For type-specific entities, use user.target.entity.id, service.target.entity.id, host.target.entity.id, or entity.target.id instead."""
+B,aws,cloudtrail,packages/aws/data_stream/cloudtrail/fields/fields.yml,205,service.target.,"description: ""[Deprecated] Legacy field containing all target entity identifiers. For type-specific entities, use user.target.entity.id, service.target.entity.id, host.target.entity.id, or entity.target.id instead."""
+B,aws,cloudtrail,packages/aws/data_stream/cloudtrail/fields/fields.yml,205,user.target.,"description: ""[Deprecated] Legacy field containing all target entity identifiers. For type-specific entities, use user.target.entity.id, service.target.entity.id, host.target.entity.id, or entity.target.id instead."""
+A,box_events,events,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,643,user.target.,field: user.target.full_name
+A,box_events,events,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,648,user.target.,field: user.target.email
+A,box_events,events,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,658,user.target.,field: user.target.name
+A,box_events,events,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,662,user.target.,field: user.target.domain
+A,box_events,events,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,667,user.target.,target_field: user.target.id
+A,box_events,events,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,672,user.target.,value: '{{{user.target.email}}}'
+A,box_events,events,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,673,user.target.,if: ctx.user?.target?.email != null && ctx.user.target.email != ''
+A,box_events,events,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,677,user.target.,value: '{{{user.target.full_name}}}'
+A,box_events,events,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,678,user.target.,if: ctx.user?.target?.full_name != null && ctx.user.target.full_name != ''
+A,canva,audit,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,938,user.target.,field: user.target.full_name
+A,canva,audit,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,945,user.target.,value: '{{{user.target.full_name}}}'
+A,canva,audit,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,954,user.target.,field: user.target.email
+A,canva,audit,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,961,user.target.,value: '{{{user.target.email}}}'
+A,canva,audit,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,970,user.target.,field: user.target.id
+A,canva,audit,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,977,user.target.,value: '{{{user.target.id}}}'
+C,canva,,packages/canva/kibana/dashboard/canva-062b09b1-072e-4582-bc50-61cfb47f4dc1.json,282,user.target.,"""sourceField"": ""user.target.id"""
+A,cisco_duo,admin,packages/cisco_duo/data_stream/admin/elasticsearch/ingest_pipeline/default.yml,147,user.target.,field: user.target.name
+A,crowdstrike,fdr,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1635,user.target.,field: user.target.name
+A,crowdstrike,fdr,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1663,user.target.,field: user.target.name
+A,crowdstrike,fdr,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1668,user.target.,if: (ctx.user?.target?.name == null || ctx.user.target.name == '') && ctx.event?.action == 'SudoCommandAttempt'
+A,crowdstrike,fdr,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1669,user.target.,field: user.target.name
+A,crowdstrike,fdr,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1674,user.target.,field: user.target.id
+A,crowdstrike,fdr,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1680,user.target.,field: user.target.id
+A,crowdstrike,fdr,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1707,user.target.,value: '{{{user.target.name}}}'
+A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,545,user.target.,- set: user.target.name
+A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,561,user.target.,- set: user.target.name
+A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,577,user.target.,- set: user.target.name
+A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,592,user.target.,- set: user.target.name
+A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,637,user.target.,- set: user.target.name
+A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,654,user.target.,- set: user.target.name
+A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,669,user.target.,- set: user.target.name
+A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,684,user.target.,- set: user.target.name
+A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,695,user.target.,- set: user.target.name
+A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,706,user.target.,- set: user.target.name
+A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,717,user.target.,- set: user.target.name
+A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,728,user.target.,- set: user.target.name
+A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,739,user.target.,- set: user.target.name
+A,cyberarkpas,audit,packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/audit.yml,1114,user.target.,value: '{{{user.target.name}}}'
+B,fim,event,packages/fim/data_stream/event/fields/ecs.yml,139,user.target.,name: user.target.group.id
+B,fim,event,packages/fim/data_stream/event/fields/ecs.yml,141,user.target.,name: user.target.group.name
+B,fim,event,packages/fim/data_stream/event/fields/ecs.yml,143,user.target.,name: user.target.id
+B,fim,event,packages/fim/data_stream/event/fields/ecs.yml,145,user.target.,name: user.target.name
+A,gcp,audit,packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,308,host.target.,"addNestedValue(ctx, ""host.target.entity.id"", target);"
+A,gcp,audit,packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,313,service.target.,"addNestedValue(ctx, ""service.target.entity.id"", target);"
+A,gcp,audit,packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,319,user.target.,"addNestedValue(ctx, ""user.target.entity.id"", target);"
+A,gcp,audit,packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,343,service.target.,"addNestedValue(ctx, ""service.target.entity.id"", target);"
+A,gcp,audit,packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,347,entity.target.,"addNestedValue(ctx, ""entity.target.id"", target);"
+B,gcp,audit,packages/gcp/data_stream/audit/fields/base-fields.yml,38,user.target.,"Use type-specific fields instead: user.target.entity.id for IAM principals,"
+B,gcp,audit,packages/gcp/data_stream/audit/fields/base-fields.yml,39,host.target.,"service.target.entity.id for GCP service resources, host.target.entity.id"
+B,gcp,audit,packages/gcp/data_stream/audit/fields/base-fields.yml,39,service.target.,"service.target.entity.id for GCP service resources, host.target.entity.id"
+B,gcp,audit,packages/gcp/data_stream/audit/fields/base-fields.yml,40,entity.target.,"for compute instances, or entity.target.id for other types."
+A,github,audit,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,94,user.target.,target_field: user.target.name
+A,github,audit,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,98,user.target.,"value: ""{{{user.target.name}}}"""
+A,github,audit,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,123,user.target.,field: user.target.group.name
+A,github,audit,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,133,user.target.,field: user.target.group.name
+A,github,audit,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,139,user.target.,target_field: user.target.group.name
+A,github,audit,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,143,user.target.,target_field: user.target.group.name
+A,github,audit,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,258,user.target.,field: user.target.id
+A,github,audit,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,268,user.target.,field: user.target.id
+C,github,,packages/github/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json,37,user.target.,"""fieldName"": ""user.target.name"","
+C,github,,packages/github/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json,433,user.target.,"""field"": ""user.target.name"""
+C,github,,packages/github/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json,439,user.target.,"""key"": ""user.target.name"","
+C,github,,packages/github/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json,621,user.target.,"""field"": ""user.target.name"""
+C,github,,packages/github/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json,627,user.target.,"""key"": ""user.target.name"","
+C,github,,packages/github/kibana/dashboard/github-dcee84c0-2059-11ec-8b10-11a4c5e322a0.json,37,user.target.,"""fieldName"": ""user.target.name"","
+C,github,,packages/github/kibana/search/github-173f1050-20ae-11ec-8b10-11a4c5e322a0.json,5,user.target.,"""user.target.name"","
+C,github,,packages/github/kibana/search/github-173f1050-20ae-11ec-8b10-11a4c5e322a0.json,40,user.target.,"""field"": ""user.target.name"""
+C,github,,packages/github/kibana/search/github-173f1050-20ae-11ec-8b10-11a4c5e322a0.json,46,user.target.,"""key"": ""user.target.name"","
+A,google_workspace,admin,packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml,1306,user.target.,ctx.user.target.name = splitmail[0];
+A,google_workspace,admin,packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml,1307,user.target.,ctx.user.target.domain = splitmail[1];
+A,google_workspace,admin,packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml,1308,user.target.,ctx.user.target.email = ctx.google_workspace.admin.user.email;
+A,google_workspace,admin,packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml,1310,user.target.,field: user.target.group.name
+A,google_workspace,admin,packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml,1314,user.target.,field: user.target.group.domain
+A,google_workspace,admin,packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml,1357,user.target.,"value: ""{{{user.target.name}}}"""
+A,google_workspace,calendar,packages/google_workspace/data_stream/calendar/elasticsearch/ingest_pipeline/default.yml,410,user.target.,field: user.target.email
+A,google_workspace,calendar,packages/google_workspace/data_stream/calendar/elasticsearch/ingest_pipeline/default.yml,540,user.target.,field: user.target.email
+A,google_workspace,chat,packages/google_workspace/data_stream/chat/elasticsearch/ingest_pipeline/default.yml,378,user.target.,field: user.target.email
+A,google_workspace,data_studio,packages/google_workspace/data_stream/data_studio/elasticsearch/ingest_pipeline/default.yml,314,user.target.,field: user.target.domain
+A,google_workspace,data_studio,packages/google_workspace/data_stream/data_studio/elasticsearch/ingest_pipeline/default.yml,319,user.target.,field: user.target.email
+A,google_workspace,data_studio,packages/google_workspace/data_stream/data_studio/elasticsearch/ingest_pipeline/default.yml,332,user.target.,pattern: '%{user.target.name}@%{user.target.domain}'
+A,google_workspace,groups,packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml,296,user.target.,ctx.user.target.name = splitmail[0];
+A,google_workspace,groups,packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml,297,user.target.,ctx.user.target.domain = splitmail[1];
+A,google_workspace,groups,packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml,298,user.target.,ctx.user.target.email = ctx.google_workspace.groups.member.email;
+A,google_workspace,groups,packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml,300,user.target.,field: user.target.group.name
+A,google_workspace,groups,packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml,304,user.target.,field: user.target.group.domain
+A,google_workspace,login,packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml,284,user.target.,ctx.user.target.name = splitmail[0];
+A,google_workspace,login,packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml,285,user.target.,ctx.user.target.domain = splitmail[1];
+A,google_workspace,meet,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,948,user.target.,field: user.target.email
+A,google_workspace,meet,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,953,user.target.,field: user.target.name
+A,google_workspace,meet,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,955,user.target.,copy_from: user.target.email
+A,google_workspace,meet,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,958,user.target.,field: user.target.email
+A,google_workspace,meet,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,960,user.target.,if: ctx.user?.target?.email != null && ctx.user.target.email.contains('@')
+A,google_workspace,meet,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,961,user.target.,pattern: '%{}@%{user.target.domain}'
+A,google_workspace,meet,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,995,user.target.,value: '{{{user.target.email}}}'
+A,google_workspace,vault,packages/google_workspace/data_stream/vault/elasticsearch/ingest_pipeline/default.yml,460,user.target.,field: user.target.email
+B,hid_bravura_monitor,winlog,packages/hid_bravura_monitor/data_stream/winlog/fields/ecs.yml,86,user.target.,name: user.target.group.domain
+B,hid_bravura_monitor,winlog,packages/hid_bravura_monitor/data_stream/winlog/fields/ecs.yml,88,user.target.,name: user.target.group.id
+B,hid_bravura_monitor,winlog,packages/hid_bravura_monitor/data_stream/winlog/fields/ecs.yml,90,user.target.,name: user.target.group.name
+B,hid_bravura_monitor,winlog,packages/hid_bravura_monitor/data_stream/winlog/fields/ecs.yml,92,user.target.,name: user.target.name
+A,hpe_aruba_cx,log,packages/hpe_aruba_cx/data_stream/log/elasticsearch/ingest_pipeline/default.yml,3030,service.target.,"- ""^(Starting update|Update successful) for %{DATA:aruba.system.devicespec} from version %{DATA:service.version} to version %{GREEDYDATA:service.target.version}"""
+B,hpe_aruba_cx,log,packages/hpe_aruba_cx/data_stream/log/fields/ecs.yml,112,service.target.,name: service.target.version
+A,keycloak,log,packages/keycloak/data_stream/log/elasticsearch/ingest_pipeline/events.yml,159,user.target.,- 'users/%{UUID:user.target.id}'
+A,keycloak,log,packages/keycloak/data_stream/log/elasticsearch/ingest_pipeline/events.yml,231,user.target.,"value: ""{{{user.target.id}}}"""
+A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,127,user.target.,target_field: user.target.id
+A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,131,user.target.,target_field: user.target.name
+A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,135,user.target.,target_field: user.target.roles
+A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,138,user.target.,field: user.target.roles
+A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,143,user.target.,target_field: user.target.id
+A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,157,user.target.,target_field: user.target.id
+A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,347,user.target.,if (ctx.user.target.group == null) {
+A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,349,user.target.,"ctx.user.target.put(""group"", map);"
+A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,352,user.target.,if(ctx.user.target.name != ctx.mattermost?.audit?.patch?.name) {
+A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,359,user.target.,"ctx.user.target.group.put(""name"", ctx.mattermost?.audit?.team?.name);"
+A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,360,user.target.,"ctx.user.target.group.put(""id"", ctx.mattermost?.audit?.team?.id);"
+A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,379,user.target.,value: '{{{user.target.id}}}'
+A,mattermost,audit,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,383,user.target.,field: user.target.id
+C,mattermost,,packages/mattermost/kibana/dashboard/mattermost-55a753ac-7944-4a4e-ad5b-a7418b1a1543.json,652,user.target.,"""sourceField"": ""user.target.name"""
+A,microsoft_sqlserver,audit,packages/microsoft_sqlserver/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1227,user.target.,field: user.target.name
+A,microsoft_sqlserver,audit,packages/microsoft_sqlserver/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1230,user.target.,field: user.target.id
+A,mysql_enterprise,audit,packages/mysql_enterprise/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,153,user.target.,- '(?i)(?:CREATE|DROP)\s+USER(?:\s+IF\s+(?:NOT\s+)?EXISTS)?\s+(?:%{START_QUOTE}%{QUOTED:user.target.name}%{END_QUOTE}|%{UNQUOTED:user.target.name})(?:@(?:%{START_QUOTE}%{QUOTED:user.target.domain}%{END_QUOTE}|%{UNQUOTED:user.target.domai...
+A,mysql_enterprise,audit,packages/mysql_enterprise/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,215,user.target.,"value: ""{{{user.target.name}}}"""
+B,mysql_enterprise,audit,packages/mysql_enterprise/data_stream/audit/fields/ecs.yml,42,user.target.,name: user.target.name
+B,mysql_enterprise,audit,packages/mysql_enterprise/data_stream/audit/fields/ecs.yml,44,user.target.,name: user.target.domain
+A,netskope,alerts_events_v2,packages/netskope/data_stream/alerts_events_v2/elasticsearch/ingest_pipeline/pipeline_events_v2.yml,882,user.target.,field: user.target.email
+A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,682,user.target.,field: user.target.id
+A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1290,user.target.,target_field: user.target.id
+A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1413,user.target.,"String[] splitmail = ctx.user.target.id.splitOnToken(""@"");"
+A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1417,user.target.,ctx.user.target.email = ctx.user.target.id;
+A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1418,user.target.,ctx.user.target.domain = splitmail[1];
+A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1419,user.target.,ctx.user.target.name = splitmail[0];
+A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1475,user.target.,"value: ""{{{user.target.name}}}"""
+A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,2242,user.target.,"value: ""{{{user.target.id}}}"""
+A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,2248,user.target.,"value: ""{{{user.target.email}}}"""
+A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,2280,user.target.,"value: 
""{{{user.target.domain}}}"""
+A,o365,audit,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,2282,user.target.,if: ctx.user?.target?.domain != null && ctx.user.target.domain != ctx.user?.domain
+A,okta,system,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,539,user.target.,field: user.target.full_name
+A,okta,system,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,543,user.target.,field: user.target.id
+A,okta,system,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,547,user.target.,field: user.target.email
+A,okta,system,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,551,user.target.,field: user.target.group.name
+A,okta,system,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,555,user.target.,field: user.target.group.id
+A,okta,system,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,595,user.target.,"value: ""{{{user.target.full_name}}}"""
+B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,273,host.target.,name: host.target.disk.read.bytes
+B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,275,host.target.,name: host.target.disk.write.bytes
+B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,277,host.target.,name: host.target.entity.last_seen_timestamp
+B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,279,host.target.,name: host.target.ip
+B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,281,host.target.,name: host.target.network.egress.bytes
+B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,283,host.target.,name: host.target.network.egress.packets
+B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,285,host.target.,name: 
host.target.network.ingress.bytes
+B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,287,host.target.,name: host.target.network.ingress.packets
+B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,289,host.target.,name: host.target.risk.calculated_score
+B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,291,host.target.,name: host.target.risk.calculated_score_norm
+B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,293,host.target.,name: host.target.risk.static_score
+B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,295,host.target.,name: host.target.risk.static_score_norm
+B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,297,host.target.,name: host.target.uptime
+B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,651,service.target.,name: service.target.entity.last_seen_timestamp
+B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,935,user.target.,name: user.target.entity.last_seen_timestamp
+B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,937,user.target.,name: user.target.risk.calculated_score
+B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,939,user.target.,name: user.target.risk.calculated_score_norm
+B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,941,user.target.,name: user.target.risk.static_score
+B,osquery_manager,result,packages/osquery_manager/data_stream/result/fields/ecs.yml,943,user.target.,name: user.target.risk.static_score_norm
+C,pad,,packages/pad/kibana/ml_module/pad-ml.json,586,user.target.,"""user.target.full_name"","
+C,pad,,packages/pad/kibana/ml_module/pad-ml.json,587,user.target.,"""user.target.group.name"""
+C,pad,,packages/pad/kibana/ml_module/pad-ml.json,627,user.target.,"""user.target.full_name"","
+C,pad,,packages/pad/kibana/ml_module/pad-ml.json,628,user.target.,"""user.target.group.name"""
+C,pad,,packages/pad/kibana/ml_module/pad-ml.json,668,user.target.,"""user.target.full_name"","
+C,pad,,packages/pad/kibana/ml_module/pad-ml.json,669,user.target.,"""user.target.group.name"","
+C,pad,,packages/pad/kibana/ml_module/pad-ml.json,711,user.target.,"""user.target.group.name"""
+C,pad,,packages/pad/kibana/ml_module/pad-ml.json,751,user.target.,"""user.target.group.name"""
+C,pad,,packages/pad/kibana/ml_module/pad-ml.json,829,user.target.,"""user.target.group.name"","
+C,pad,,packages/pad/kibana/ml_module/pad-ml.json,869,user.target.,"""user.target.group.name"","
+C,pad,,packages/pad/kibana/ml_module/pad-ml.json,909,user.target.,"""user.target.group.name"","
+A,qnap_nas,log,packages/qnap_nas/data_stream/log/elasticsearch/ingest_pipeline/default.yml,78,user.target.,"- '^\[Users\] %{USER_EVENTS} ""%{DATA:user.target.name}""\.$'"
+B,qnap_nas,log,packages/qnap_nas/data_stream/log/fields/ecs.yml,60,user.target.,name: user.target.name
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,1270,entity.target.,"""name"": ""entity.target.display_name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,1275,entity.target.,"""name"": ""entity.target.id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,1280,entity.target.,"""name"": ""entity.target.last_seen_timestamp"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,1285,entity.target.,"""name"": ""entity.target.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,1290,entity.target.,"""name"": ""entity.target.reference"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,1295,entity.target.,"""name"": ""entity.target.source"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,1300,entity.target.,"""name"": ""entity.target.sub_type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,1305,entity.target.,"""name"": ""entity.target.type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2480,host.target.,"""name"": ""host.target.architecture"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2485,host.target.,"""name"": ""host.target.boot.id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2490,host.target.,"""name"": ""host.target.cpu.usage"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2495,host.target.,"""name"": ""host.target.disk.read.bytes"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2500,host.target.,"""name"": ""host.target.disk.write.bytes"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2505,host.target.,"""name"": ""host.target.domain"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2510,host.target.,"""name"": ""host.target.entity.display_name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2515,host.target.,"""name"": ""host.target.entity.id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2520,host.target.,"""name"": ""host.target.entity.last_seen_timestamp"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2525,host.target.,"""name"": ""host.target.entity.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2530,host.target.,"""name"": ""host.target.entity.reference"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2535,host.target.,"""name"": ""host.target.entity.source"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2540,host.target.,"""name"": ""host.target.entity.sub_type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2545,host.target.,"""name"": ""host.target.entity.type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2550,host.target.,"""name"": ""host.target.geo.city_name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2555,host.target.,"""name"": ""host.target.geo.continent_code"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2560,host.target.,"""name"": ""host.target.geo.continent_name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2565,host.target.,"""name"": ""host.target.geo.country_iso_code"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2570,host.target.,"""name"": ""host.target.geo.country_name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2575,host.target.,"""name"": ""host.target.geo.location"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2580,host.target.,"""name"": ""host.target.geo.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2585,host.target.,"""name"": ""host.target.geo.postal_code"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2590,host.target.,"""name"": ""host.target.geo.region_iso_code"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2595,host.target.,"""name"": ""host.target.geo.region_name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2600,host.target.,"""name"": ""host.target.geo.timezone"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2605,host.target.,"""name"": ""host.target.hostname"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2610,host.target.,"""name"": ""host.target.id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2615,host.target.,"""name"": ""host.target.ip"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2620,host.target.,"""name"": ""host.target.mac"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2625,host.target.,"""name"": ""host.target.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2630,host.target.,"""name"": ""host.target.network.egress.bytes"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2635,host.target.,"""name"": ""host.target.network.egress.packets"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2640,host.target.,"""name"": ""host.target.network.ingress.bytes"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2645,host.target.,"""name"": ""host.target.network.ingress.packets"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2650,host.target.,"""name"": ""host.target.os.family"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2655,host.target.,"""name"": ""host.target.os.full"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2660,host.target.,"""name"": ""host.target.os.kernel"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2665,host.target.,"""name"": ""host.target.os.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2670,host.target.,"""name"": ""host.target.os.platform"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2675,host.target.,"""name"": ""host.target.os.type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2680,host.target.,"""name"": ""host.target.os.version"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2685,host.target.,"""name"": ""host.target.pid_ns_ino"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2690,host.target.,"""name"": ""host.target.risk.calculated_level"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2695,host.target.,"""name"": ""host.target.risk.calculated_score"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2700,host.target.,"""name"": ""host.target.risk.calculated_score_norm"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2705,host.target.,"""name"": ""host.target.risk.static_level"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2710,host.target.,"""name"": ""host.target.risk.static_score"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2715,host.target.,"""name"": ""host.target.risk.static_score_norm"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2720,host.target.,"""name"": ""host.target.type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,2725,host.target.,"""name"": ""host.target.uptime"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5625,service.target.,"""name"": ""service.target.address"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5630,service.target.,"""name"": ""service.target.entity.display_name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5635,service.target.,"""name"": ""service.target.entity.id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5640,service.target.,"""name"": ""service.target.entity.last_seen_timestamp"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5645,service.target.,"""name"": ""service.target.entity.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5650,service.target.,"""name"": ""service.target.entity.reference"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5655,service.target.,"""name"": ""service.target.entity.source"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5660,service.target.,"""name"": ""service.target.entity.sub_type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5665,service.target.,"""name"": ""service.target.entity.type"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5670,service.target.,"""name"": ""service.target.environment"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5675,service.target.,"""name"": ""service.target.ephemeral_id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5680,service.target.,"""name"": ""service.target.id"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5685,service.target.,"""name"": ""service.target.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5690,service.target.,"""name"": ""service.target.node.name"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5695,service.target.,"""name"": ""service.target.node.role"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5700,service.target.,"""name"": ""service.target.node.roles"","
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5705,service.target.,"""name"": ""service.target.state""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5710,service.target.,"""name"": ""service.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,5715,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7790,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7795,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7800,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7805,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7810,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7815,user.target.,"""name"": ""user.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7820,user.target.,"""name"": ""user.target.entity.reference""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7825,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7830,user.target.,"""name"": ""user.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7835,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7840,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7845,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7850,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7855,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7860,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7865,user.target.,"""name"": ""user.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7870,user.target.,"""name"": ""user.target.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7875,user.target.,"""name"": ""user.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7880,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7885,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7890,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7895,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7900,user.target.,"""name"": ""user.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_106.json,7905,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,1260,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,1265,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,1270,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,1275,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,1280,entity.target.,"""name"": ""entity.target.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,1285,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,1290,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,1295,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2470,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2475,host.target.,"""name"": ""host.target.boot.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2480,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2485,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2490,host.target.,"""name"": ""host.target.disk.write.bytes""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2495,host.target.,"""name"": ""host.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2500,host.target.,"""name"": ""host.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2505,host.target.,"""name"": ""host.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2510,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2515,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2520,host.target.,"""name"": ""host.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2525,host.target.,"""name"": ""host.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2530,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2535,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2540,host.target.,"""name"": ""host.target.geo.city_name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2545,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2550,host.target.,"""name"": ""host.target.geo.continent_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2555,host.target.,"""name"": ""host.target.geo.country_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2560,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2565,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2570,host.target.,"""name"": ""host.target.geo.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2575,host.target.,"""name"": ""host.target.geo.postal_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2580,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2585,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2590,host.target.,"""name"": ""host.target.geo.timezone""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2595,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2600,host.target.,"""name"": ""host.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2605,host.target.,"""name"": ""host.target.ip""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2610,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2615,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2620,host.target.,"""name"": ""host.target.network.egress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2625,host.target.,"""name"": ""host.target.network.egress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2630,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2635,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2640,host.target.,"""name"": ""host.target.os.family""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2645,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2650,host.target.,"""name"": ""host.target.os.kernel""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2655,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2660,host.target.,"""name"": ""host.target.os.platform""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2665,host.target.,"""name"": ""host.target.os.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2670,host.target.,"""name"": ""host.target.os.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2675,host.target.,"""name"": ""host.target.pid_ns_ino""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2680,host.target.,"""name"": ""host.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2685,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2690,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2695,host.target.,"""name"": ""host.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2700,host.target.,"""name"": ""host.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2705,host.target.,"""name"": ""host.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2710,host.target.,"""name"": ""host.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,2715,host.target.,"""name"": ""host.target.uptime""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5615,service.target.,"""name"": ""service.target.address""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5620,service.target.,"""name"": ""service.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5625,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5630,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5635,service.target.,"""name"": ""service.target.entity.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5640,service.target.,"""name"": ""service.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5645,service.target.,"""name"": ""service.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5650,service.target.,"""name"": ""service.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5655,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5660,service.target.,"""name"": ""service.target.environment""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5665,service.target.,"""name"": ""service.target.ephemeral_id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5670,service.target.,"""name"": ""service.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5675,service.target.,"""name"": ""service.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5680,service.target.,"""name"": ""service.target.node.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5685,service.target.,"""name"": ""service.target.node.role""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5690,service.target.,"""name"": ""service.target.node.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5695,service.target.,"""name"": ""service.target.state""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5700,service.target.,"""name"": ""service.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,5705,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7780,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7785,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7790,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7795,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7800,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7805,user.target.,"""name"": ""user.target.entity.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7810,user.target.,"""name"": ""user.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7815,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7820,user.target.,"""name"": ""user.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7825,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7830,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7835,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7840,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7845,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7850,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7855,user.target.,"""name"": ""user.target.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7860,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7865,user.target.,"""name"": ""user.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7870,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7875,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7880,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7885,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7890,user.target.,"""name"": ""user.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6_107.json,7895,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_118.json,14,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating rc.local/rc.common File Creation\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use o..." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_119.json,14,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating rc.local/rc.common File Creation\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use o..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_120.json,14,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating rc.local/rc.common File Creation\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use o..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,1285,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,1290,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,1295,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,1300,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,1305,entity.target.,"""name"": ""entity.target.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,1310,entity.target.,"""name"": ""entity.target.source""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,1315,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,1320,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2530,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2535,host.target.,"""name"": ""host.target.boot.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2540,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2545,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2550,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2555,host.target.,"""name"": ""host.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2560,host.target.,"""name"": ""host.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2565,host.target.,"""name"": ""host.target.entity.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2570,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2575,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2580,host.target.,"""name"": ""host.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2585,host.target.,"""name"": ""host.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2590,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2595,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2600,host.target.,"""name"": ""host.target.geo.city_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2605,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2610,host.target.,"""name"": ""host.target.geo.continent_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2615,host.target.,"""name"": ""host.target.geo.country_iso_code""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2620,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2625,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2630,host.target.,"""name"": ""host.target.geo.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2635,host.target.,"""name"": ""host.target.geo.postal_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2640,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2645,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2650,host.target.,"""name"": ""host.target.geo.timezone""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2655,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2660,host.target.,"""name"": ""host.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2665,host.target.,"""name"": ""host.target.ip""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2670,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2675,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2680,host.target.,"""name"": ""host.target.network.egress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2685,host.target.,"""name"": ""host.target.network.egress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2690,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2695,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2700,host.target.,"""name"": ""host.target.os.family""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2705,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2710,host.target.,"""name"": ""host.target.os.kernel""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2715,host.target.,"""name"": ""host.target.os.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2720,host.target.,"""name"": ""host.target.os.platform""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2725,host.target.,"""name"": ""host.target.os.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2730,host.target.,"""name"": ""host.target.os.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2735,host.target.,"""name"": ""host.target.pid_ns_ino""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2740,host.target.,"""name"": ""host.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2745,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2750,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2755,host.target.,"""name"": ""host.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2760,host.target.,"""name"": ""host.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2765,host.target.,"""name"": ""host.target.risk.static_score_norm""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2770,host.target.,"""name"": ""host.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,2775,host.target.,"""name"": ""host.target.uptime""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6365,service.target.,"""name"": ""service.target.address""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6370,service.target.,"""name"": ""service.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6375,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6380,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6385,service.target.,"""name"": ""service.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6390,service.target.,"""name"": ""service.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6395,service.target.,"""name"": ""service.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6400,service.target.,"""name"": ""service.target.entity.sub_type""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6405,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6410,service.target.,"""name"": ""service.target.environment""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6415,service.target.,"""name"": ""service.target.ephemeral_id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6420,service.target.,"""name"": ""service.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6425,service.target.,"""name"": ""service.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6430,service.target.,"""name"": ""service.target.node.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6435,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6440,service.target.,"""name"": ""service.target.node.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6445,service.target.,"""name"": ""service.target.state""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6450,service.target.,"""name"": ""service.target.type""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,6455,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8560,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8565,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8570,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8575,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8580,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8585,user.target.,"""name"": ""user.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8590,user.target.,"""name"": ""user.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8595,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8600,user.target.,"""name"": ""user.target.entity.sub_type""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8605,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8610,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8615,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8620,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8625,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8630,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8635,user.target.,"""name"": ""user.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8640,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8645,user.target.,"""name"": ""user.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8650,user.target.,"""name"": ""user.target.risk.calculated_score""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8655,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8660,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8665,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8670,user.target.,"""name"": ""user.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/32f95776-6498-4f3c-a90c-d4f6083e3901_104.json,8675,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_213.json,24,user.target.,"""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_214.json,24,user.target.,"""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_215.json,24,user.target.,"""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,2915,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,2920,entity.target.,"""name"": ""entity.target.display_name.text""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,2925,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,2930,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,2935,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,2940,entity.target.,"""name"": ""entity.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,2945,entity.target.,"""name"": ""entity.target.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,2950,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,2955,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,2960,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4380,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4385,host.target.,"""name"": ""host.target.boot.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4390,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4395,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4400,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4405,host.target.,"""name"": ""host.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4410,host.target.,"""name"": ""host.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4415,host.target.,"""name"": ""host.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4420,host.target.,"""name"": ""host.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4425,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4430,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4435,host.target.,"""name"": ""host.target.entity.name.text""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4440,host.target.,"""name"": ""host.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4445,host.target.,"""name"": ""host.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4450,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4455,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4460,host.target.,"""name"": ""host.target.geo.city_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4465,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4470,host.target.,"""name"": ""host.target.geo.continent_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4475,host.target.,"""name"": ""host.target.geo.country_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4480,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4485,host.target.,"""name"": ""host.target.geo.location""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4490,host.target.,"""name"": ""host.target.geo.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4495,host.target.,"""name"": ""host.target.geo.postal_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4500,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4505,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4510,host.target.,"""name"": ""host.target.geo.timezone""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4515,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4520,host.target.,"""name"": ""host.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4525,host.target.,"""name"": ""host.target.ip""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4530,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4535,host.target.,"""name"": ""host.target.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4540,host.target.,"""name"": ""host.target.network.egress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4545,host.target.,"""name"": ""host.target.network.egress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4550,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4555,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4560,host.target.,"""name"": ""host.target.os.family""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4565,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4570,host.target.,"""name"": ""host.target.os.full.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4575,host.target.,"""name"": ""host.target.os.kernel""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4580,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4585,host.target.,"""name"": ""host.target.os.name.text""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4590,host.target.,"""name"": ""host.target.os.platform""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4595,host.target.,"""name"": ""host.target.os.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4600,host.target.,"""name"": ""host.target.os.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4605,host.target.,"""name"": ""host.target.pid_ns_ino""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4610,host.target.,"""name"": ""host.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4615,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4620,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4625,host.target.,"""name"": ""host.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4630,host.target.,"""name"": ""host.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4635,host.target.,"""name"": ""host.target.risk.static_score_norm""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4640,host.target.,"""name"": ""host.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,4645,host.target.,"""name"": ""host.target.uptime""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,8960,service.target.,"""name"": ""service.target.address""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,8965,service.target.,"""name"": ""service.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,8970,service.target.,"""name"": ""service.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,8975,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,8980,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,8985,service.target.,"""name"": ""service.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,8990,service.target.,"""name"": ""service.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,8995,service.target.,"""name"": ""service.target.entity.reference""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9000,service.target.,"""name"": ""service.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9005,service.target.,"""name"": ""service.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9010,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9015,service.target.,"""name"": ""service.target.environment""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9020,service.target.,"""name"": ""service.target.ephemeral_id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9025,service.target.,"""name"": ""service.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9030,service.target.,"""name"": ""service.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9035,service.target.,"""name"": ""service.target.node.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9040,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9045,service.target.,"""name"": ""service.target.node.roles""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9050,service.target.,"""name"": ""service.target.state""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9055,service.target.,"""name"": ""service.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,9060,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11435,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11440,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11445,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11450,user.target.,"""name"": ""user.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11455,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11460,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11465,user.target.,"""name"": ""user.target.entity.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11470,user.target.,"""name"": ""user.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11475,user.target.,"""name"": ""user.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11480,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11485,user.target.,"""name"": ""user.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11490,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11495,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11500,user.target.,"""name"": ""user.target.full_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11505,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11510,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11515,user.target.,"""name"": ""user.target.group.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11520,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11525,user.target.,"""name"": ""user.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11530,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11535,user.target.,"""name"": ""user.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11540,user.target.,"""name"": ""user.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11545,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11550,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11555,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11560,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11565,user.target.,"""name"": ""user.target.risk.static_score_norm""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_1.json,11570,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,2910,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,2915,entity.target.,"""name"": ""entity.target.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,2920,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,2925,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,2930,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,2935,entity.target.,"""name"": ""entity.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,2940,entity.target.,"""name"": ""entity.target.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,2945,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,2950,entity.target.,"""name"": ""entity.target.sub_type""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,2955,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4375,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4380,host.target.,"""name"": ""host.target.boot.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4385,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4390,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4395,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4400,host.target.,"""name"": ""host.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4405,host.target.,"""name"": ""host.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4410,host.target.,"""name"": ""host.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4415,host.target.,"""name"": ""host.target.entity.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4420,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4425,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4430,host.target.,"""name"": ""host.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4435,host.target.,"""name"": ""host.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4440,host.target.,"""name"": ""host.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4445,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4450,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4455,host.target.,"""name"": ""host.target.geo.city_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4460,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4465,host.target.,"""name"": ""host.target.geo.continent_name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4470,host.target.,"""name"": ""host.target.geo.country_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4475,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4480,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4485,host.target.,"""name"": ""host.target.geo.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4490,host.target.,"""name"": ""host.target.geo.postal_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4495,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4500,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4505,host.target.,"""name"": ""host.target.geo.timezone""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4510,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4515,host.target.,"""name"": ""host.target.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4520,host.target.,"""name"": ""host.target.ip""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4525,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4530,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4535,host.target.,"""name"": ""host.target.network.egress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4540,host.target.,"""name"": ""host.target.network.egress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4545,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4550,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4555,host.target.,"""name"": ""host.target.os.family""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4560,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4565,host.target.,"""name"": ""host.target.os.full.text""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4570,host.target.,"""name"": ""host.target.os.kernel""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4575,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4580,host.target.,"""name"": ""host.target.os.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4585,host.target.,"""name"": ""host.target.os.platform""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4590,host.target.,"""name"": ""host.target.os.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4595,host.target.,"""name"": ""host.target.os.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4600,host.target.,"""name"": ""host.target.pid_ns_ino""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4605,host.target.,"""name"": ""host.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4610,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4615,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4620,host.target.,"""name"": ""host.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4625,host.target.,"""name"": ""host.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4630,host.target.,"""name"": ""host.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4635,host.target.,"""name"": ""host.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,4640,host.target.,"""name"": ""host.target.uptime""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,8955,service.target.,"""name"": ""service.target.address""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,8960,service.target.,"""name"": ""service.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,8965,service.target.,"""name"": ""service.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,8970,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,8975,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,8980,service.target.,"""name"": ""service.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,8985,service.target.,"""name"": ""service.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,8990,service.target.,"""name"": ""service.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,8995,service.target.,"""name"": ""service.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9000,service.target.,"""name"": ""service.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9005,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9010,service.target.,"""name"": ""service.target.environment""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9015,service.target.,"""name"": ""service.target.ephemeral_id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9020,service.target.,"""name"": ""service.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9025,service.target.,"""name"": ""service.target.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9030,service.target.,"""name"": ""service.target.node.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9035,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9040,service.target.,"""name"": ""service.target.node.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9045,service.target.,"""name"": ""service.target.state""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9050,service.target.,"""name"": ""service.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,9055,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11430,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11435,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11440,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11445,user.target.,"""name"": ""user.target.entity.display_name.text""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11450,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11455,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11460,user.target.,"""name"": ""user.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11465,user.target.,"""name"": ""user.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11470,user.target.,"""name"": ""user.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11475,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11480,user.target.,"""name"": ""user.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11485,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11490,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11495,user.target.,"""name"": ""user.target.full_name.text""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11500,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11505,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11510,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11515,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11520,user.target.,"""name"": ""user.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11525,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11530,user.target.,"""name"": ""user.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11535,user.target.,"""name"": ""user.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11540,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11545,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11550,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11555,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11560,user.target.,"""name"": ""user.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/344e6c7d-ceb0-4f20-ba04-7c75569a7e38_2.json,11565,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_5.json,19,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating External User Added to Google Workspace Group\n\nGoogle Workspace groups allow organizations to assign specific users to a group that can share resources. Application specific roles ca..." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_5.json,20,user.target.,"""query"": ""iam where event.dataset == \""google_workspace.admin\"" and event.action == \""ADD_GROUP_MEMBER\"" and\n not endsWith(user.target.email, user.target.group.domain)\n""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_5.json,45,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_5.json,50,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_6.json,19,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating External User Added to Google Workspace Group\n\nGoogle Workspace groups allow organizations to assign specific users to a group that can share resources. Application specific roles ca..." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_6.json,20,user.target.,"""query"": ""iam where event.dataset == \""google_workspace.admin\"" and event.action == \""ADD_GROUP_MEMBER\"" and\n not endsWith(user.target.email, user.target.group.domain)\n""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_6.json,45,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_6.json,50,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_7.json,19,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating External User Added to Google Workspace Group\n\nGoogle Workspace groups allow organizations to assign specific users to a group that can share resources. Application specific roles ca..." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_7.json,20,user.target.,"""query"": ""iam where data_stream.dataset == \""google_workspace.admin\"" and event.action == \""ADD_GROUP_MEMBER\"" and\n not endsWith(user.target.email, user.target.group.domain)\n""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_7.json,45,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_7.json,50,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_209.json,19,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating Google Workspace Admin Role Assigned to a User\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups. These assignments should follow the pri..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_210.json,19,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating Google Workspace Admin Role Assigned to a User\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups. These assignments should follow the pri..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_211.json,19,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating Google Workspace Admin Role Assigned to a User\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups. These assignments should follow the pri..." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_11.json,20,user.target.,"""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_11.json,33,user.target.,"""query"": ""from logs-aws.cloudtrail-* metadata _id, _version, _index\n| where event.dataset == \""aws.cloudtrail\""\n and event.provider == \""iam.amazonaws.com\""\n and event.action == \""CreateAccessKey\""\n and event.outcome == \""su..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_11.json,199,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_12.json,20,user.target.,"""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_12.json,33,user.target.,"""query"": ""from logs-aws.cloudtrail-* metadata _id, _version, _index\n| where event.dataset == \""aws.cloudtrail\""\n and event.provider == \""iam.amazonaws.com\""\n and event.action == \""CreateAccessKey\""\n and event.outcome == \""su..." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_12.json,199,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_13.json,20,user.target.,"""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_13.json,33,user.target.,"""query"": ""from logs-aws.cloudtrail-* metadata _id, _version, _index\n| where data_stream.dataset == \""aws.cloudtrail\""\n and event.provider == \""iam.amazonaws.com\""\n and event.action == \""CreateAccessKey\""\n and event.outcome =..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_13.json,199,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,1242,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,1247,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,1252,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,1257,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,1262,entity.target.,"""name"": ""entity.target.reference""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,1267,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,1272,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,1277,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2472,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2477,host.target.,"""name"": ""host.target.boot.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2482,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2487,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2492,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2497,host.target.,"""name"": ""host.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2502,host.target.,"""name"": ""host.target.entity.display_name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2507,host.target.,"""name"": ""host.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2512,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2517,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2522,host.target.,"""name"": ""host.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2527,host.target.,"""name"": ""host.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2532,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2537,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2542,host.target.,"""name"": ""host.target.geo.city_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2547,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2552,host.target.,"""name"": ""host.target.geo.continent_name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2557,host.target.,"""name"": ""host.target.geo.country_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2562,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2567,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2572,host.target.,"""name"": ""host.target.geo.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2577,host.target.,"""name"": ""host.target.geo.postal_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2582,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2587,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2592,host.target.,"""name"": ""host.target.geo.timezone""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2597,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2602,host.target.,"""name"": ""host.target.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2607,host.target.,"""name"": ""host.target.ip""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2612,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2617,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2622,host.target.,"""name"": ""host.target.network.egress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2627,host.target.,"""name"": ""host.target.network.egress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2632,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2637,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2642,host.target.,"""name"": ""host.target.os.family""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2647,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2652,host.target.,"""name"": ""host.target.os.kernel""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2657,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2662,host.target.,"""name"": ""host.target.os.platform""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2667,host.target.,"""name"": ""host.target.os.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2672,host.target.,"""name"": ""host.target.os.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2677,host.target.,"""name"": ""host.target.pid_ns_ino""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2682,host.target.,"""name"": ""host.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2687,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2692,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2697,host.target.,"""name"": ""host.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2702,host.target.,"""name"": ""host.target.risk.static_score""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2707,host.target.,"""name"": ""host.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2712,host.target.,"""name"": ""host.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,2717,host.target.,"""name"": ""host.target.uptime""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6152,service.target.,"""name"": ""service.target.address""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6157,service.target.,"""name"": ""service.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6162,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6167,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6172,service.target.,"""name"": ""service.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6177,service.target.,"""name"": ""service.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6182,service.target.,"""name"": ""service.target.entity.source""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6187,service.target.,"""name"": ""service.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6192,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6197,service.target.,"""name"": ""service.target.environment""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6202,service.target.,"""name"": ""service.target.ephemeral_id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6207,service.target.,"""name"": ""service.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6212,service.target.,"""name"": ""service.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6217,service.target.,"""name"": ""service.target.node.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6222,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6227,service.target.,"""name"": ""service.target.node.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6232,service.target.,"""name"": ""service.target.state""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6237,service.target.,"""name"": ""service.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,6242,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8332,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8337,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8342,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8347,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8352,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8357,user.target.,"""name"": ""user.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8362,user.target.,"""name"": ""user.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8367,user.target.,"""name"": ""user.target.entity.source""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8372,user.target.,"""name"": ""user.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8377,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8382,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8387,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8392,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8397,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8402,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8407,user.target.,"""name"": ""user.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8412,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8417,user.target.,"""name"": ""user.target.risk.calculated_level""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8422,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8427,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8432,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8437,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8442,user.target.,"""name"": ""user.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61_1.json,8447,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_213.json,14,user.target.,"""note"": ""## Triage and Analysis\n\n### Investigating M365 Identity Global Administrator Role Assigned\n\nThe Microsoft 365 Global Administrator role grants comprehensive administrative access across Entra ID and services such as Microsof..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_214.json,14,user.target.,"""note"": ""## Triage and Analysis\n\n### Investigating M365 Identity Global Administrator Role Assigned\n\nThe Microsoft 365 Global Administrator role grants comprehensive administrative access across Entra ID and services such as Microsof..." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_215.json,14,user.target.,"""note"": ""## Triage and Analysis\n\n### Investigating M365 Identity Global Administrator Role Assigned\n\nThe Microsoft 365 Global Administrator role grants comprehensive administrative access across Entra ID and services such as Microsof..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_10.json,25,user.target.,"""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_8.json,25,user.target.,"""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_9.json,25,user.target.,"""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a44bcb58-5109-4870-a7c6-11f5fe7dd4b1_2.json,25,user.target.,"""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a44bcb58-5109-4870-a7c6-11f5fe7dd4b1_3.json,25,user.target.,"""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a44bcb58-5109-4870-a7c6-11f5fe7dd4b1_4.json,25,user.target.,"""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_315.json,6,entity.target.,"""description"": ""Identifies AWS CloudTrail events where an IAM role's trust policy has been updated by an IAM user or Assumed Role identity. The trust policy is a JSON document that defines which principals are allowed to assume the role...." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_315.json,25,entity.target.,"""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_315.json,39,entity.target.,"""entity.target.id""" +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_315.json,41,entity.target.,"""note"": ""## Triage and analysis\n\n### Investigating AWS IAM Assume Role Policy Update\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_316.json,6,entity.target.,"""description"": ""Identifies AWS CloudTrail events where an IAM role's trust policy has been updated by an IAM user or Assumed Role identity. The trust policy is a JSON document that defines which principals are allowed to assume the role...." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_316.json,25,entity.target.,"""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_316.json,39,entity.target.,"""entity.target.id""" +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_316.json,41,entity.target.,"""note"": ""## Triage and analysis\n\n### Investigating AWS IAM Assume Role Policy Update\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it..." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_317.json,6,entity.target.,"""description"": ""Identifies AWS CloudTrail events where an IAM role's trust policy has been updated by an IAM user or Assumed Role identity. The trust policy is a JSON document that defines which principals are allowed to assume the role...." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_317.json,25,entity.target.,"""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_317.json,39,entity.target.,"""entity.target.id""" +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_317.json,41,entity.target.,"""note"": ""## Triage and analysis\n\n### Investigating AWS IAM Assume Role Policy Update\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it..." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,1238,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,1243,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,1248,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,1253,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,1258,entity.target.,"""name"": ""entity.target.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,1263,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,1268,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,1273,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2433,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2438,host.target.,"""name"": ""host.target.boot.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2443,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2448,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2453,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2458,host.target.,"""name"": ""host.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2463,host.target.,"""name"": ""host.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2468,host.target.,"""name"": ""host.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2473,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2478,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2483,host.target.,"""name"": ""host.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2488,host.target.,"""name"": ""host.target.entity.source""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2493,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2498,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2503,host.target.,"""name"": ""host.target.geo.city_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2508,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2513,host.target.,"""name"": ""host.target.geo.continent_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2518,host.target.,"""name"": ""host.target.geo.country_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2523,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2528,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2533,host.target.,"""name"": ""host.target.geo.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2538,host.target.,"""name"": ""host.target.geo.postal_code""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2543,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2548,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2553,host.target.,"""name"": ""host.target.geo.timezone""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2558,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2563,host.target.,"""name"": ""host.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2568,host.target.,"""name"": ""host.target.ip""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2573,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2578,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2583,host.target.,"""name"": ""host.target.network.egress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2588,host.target.,"""name"": ""host.target.network.egress.packets""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2593,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2598,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2603,host.target.,"""name"": ""host.target.os.family""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2608,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2613,host.target.,"""name"": ""host.target.os.kernel""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2618,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2623,host.target.,"""name"": ""host.target.os.platform""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2628,host.target.,"""name"": ""host.target.os.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2633,host.target.,"""name"": ""host.target.os.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2638,host.target.,"""name"": ""host.target.pid_ns_ino""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2643,host.target.,"""name"": ""host.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2648,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2653,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2658,host.target.,"""name"": ""host.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2663,host.target.,"""name"": ""host.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2668,host.target.,"""name"": ""host.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2673,host.target.,"""name"": ""host.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,2678,host.target.,"""name"": ""host.target.uptime""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5508,service.target.,"""name"": ""service.target.address""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5513,service.target.,"""name"": ""service.target.entity.display_name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5518,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5523,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5528,service.target.,"""name"": ""service.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5533,service.target.,"""name"": ""service.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5538,service.target.,"""name"": ""service.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5543,service.target.,"""name"": ""service.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5548,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5553,service.target.,"""name"": ""service.target.environment""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5558,service.target.,"""name"": ""service.target.ephemeral_id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5563,service.target.,"""name"": ""service.target.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5568,service.target.,"""name"": ""service.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5573,service.target.,"""name"": ""service.target.node.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5578,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5583,service.target.,"""name"": ""service.target.node.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5588,service.target.,"""name"": ""service.target.state""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5593,service.target.,"""name"": ""service.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,5598,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7658,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7663,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7668,user.target.,"""name"": ""user.target.entity.display_name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7673,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7678,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7683,user.target.,"""name"": ""user.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7688,user.target.,"""name"": ""user.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7693,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7698,user.target.,"""name"": ""user.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7703,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7708,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7713,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7718,user.target.,"""name"": ""user.target.group.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7723,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7728,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7733,user.target.,"""name"": ""user.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7738,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7743,user.target.,"""name"": ""user.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7748,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7753,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7758,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7763,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7768,user.target.,"""name"": ""user.target.risk.static_score_norm""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_1.json,7773,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,1238,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,1243,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,1248,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,1253,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,1258,entity.target.,"""name"": ""entity.target.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,1263,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,1268,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,1273,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2433,host.target.,"""name"": ""host.target.architecture""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2438,host.target.,"""name"": ""host.target.boot.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2443,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2448,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2453,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2458,host.target.,"""name"": ""host.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2463,host.target.,"""name"": ""host.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2468,host.target.,"""name"": ""host.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2473,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2478,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2483,host.target.,"""name"": ""host.target.entity.reference""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2488,host.target.,"""name"": ""host.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2493,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2498,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2503,host.target.,"""name"": ""host.target.geo.city_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2508,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2513,host.target.,"""name"": ""host.target.geo.continent_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2518,host.target.,"""name"": ""host.target.geo.country_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2523,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2528,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2533,host.target.,"""name"": ""host.target.geo.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2538,host.target.,"""name"": ""host.target.geo.postal_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2543,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2548,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2553,host.target.,"""name"": ""host.target.geo.timezone""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2558,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2563,host.target.,"""name"": ""host.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2568,host.target.,"""name"": ""host.target.ip""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2573,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2578,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2583,host.target.,"""name"": ""host.target.network.egress.bytes""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2588,host.target.,"""name"": ""host.target.network.egress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2593,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2598,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2603,host.target.,"""name"": ""host.target.os.family""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2608,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2613,host.target.,"""name"": ""host.target.os.kernel""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2618,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2623,host.target.,"""name"": ""host.target.os.platform""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2628,host.target.,"""name"": ""host.target.os.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2633,host.target.,"""name"": ""host.target.os.version""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2638,host.target.,"""name"": ""host.target.pid_ns_ino""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2643,host.target.,"""name"": ""host.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2648,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2653,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2658,host.target.,"""name"": ""host.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2663,host.target.,"""name"": ""host.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2668,host.target.,"""name"": ""host.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2673,host.target.,"""name"": ""host.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,2678,host.target.,"""name"": ""host.target.uptime""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5508,service.target.,"""name"": ""service.target.address""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5513,service.target.,"""name"": ""service.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5518,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5523,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5528,service.target.,"""name"": ""service.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5533,service.target.,"""name"": ""service.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5538,service.target.,"""name"": ""service.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5543,service.target.,"""name"": ""service.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5548,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5553,service.target.,"""name"": ""service.target.environment""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5558,service.target.,"""name"": ""service.target.ephemeral_id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5563,service.target.,"""name"": ""service.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5568,service.target.,"""name"": ""service.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5573,service.target.,"""name"": ""service.target.node.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5578,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5583,service.target.,"""name"": ""service.target.node.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5588,service.target.,"""name"": ""service.target.state""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5593,service.target.,"""name"": ""service.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,5598,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7658,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7663,user.target.,"""name"": ""user.target.email""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7668,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7673,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7678,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7683,user.target.,"""name"": ""user.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7688,user.target.,"""name"": ""user.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7693,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7698,user.target.,"""name"": ""user.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7703,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7708,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7713,user.target.,"""name"": ""user.target.group.domain""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7718,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7723,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7728,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7733,user.target.,"""name"": ""user.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7738,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7743,user.target.,"""name"": ""user.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7748,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7753,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7758,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7763,user.target.,"""name"": ""user.target.risk.static_score""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7768,user.target.,"""name"": ""user.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/a6129187-c47b-48ab-a412-67a44836d918_2.json,7773,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_109.json,19,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating Google Workspace User Organizational Unit Changed\n\nAn organizational unit is a group that an administrator can create in the Google Admin console to apply settings to a specific set ..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_110.json,19,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating Google Workspace User Organizational Unit Changed\n\nAn organizational unit is a group that an administrator can create in the Google Admin console to apply settings to a specific set ..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_111.json,19,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating Google Workspace User Organizational Unit Changed\n\nAn organizational unit is a group that an administrator can create in the Google Admin console to apply settings to a specific set ..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_417.json,18,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\n\nMFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for ..." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_418.json,18,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\n\nMFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for ..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_419.json,18,user.target.,"""note"": ""## Triage and analysis\n\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\n\nMFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for ..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,2911,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,2916,entity.target.,"""name"": ""entity.target.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,2921,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,2926,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,2931,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,2936,entity.target.,"""name"": ""entity.target.name.text""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,2941,entity.target.,"""name"": ""entity.target.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,2946,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,2951,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,2956,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4381,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4386,host.target.,"""name"": ""host.target.boot.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4391,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4396,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4401,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4406,host.target.,"""name"": ""host.target.domain""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4411,host.target.,"""name"": ""host.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4416,host.target.,"""name"": ""host.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4421,host.target.,"""name"": ""host.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4426,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4431,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4436,host.target.,"""name"": ""host.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4441,host.target.,"""name"": ""host.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4446,host.target.,"""name"": ""host.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4451,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4456,host.target.,"""name"": ""host.target.entity.type""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4461,host.target.,"""name"": ""host.target.geo.city_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4466,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4471,host.target.,"""name"": ""host.target.geo.continent_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4476,host.target.,"""name"": ""host.target.geo.country_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4481,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4486,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4491,host.target.,"""name"": ""host.target.geo.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4496,host.target.,"""name"": ""host.target.geo.postal_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4501,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4506,host.target.,"""name"": ""host.target.geo.region_name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4511,host.target.,"""name"": ""host.target.geo.timezone""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4516,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4521,host.target.,"""name"": ""host.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4526,host.target.,"""name"": ""host.target.ip""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4531,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4536,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4541,host.target.,"""name"": ""host.target.network.egress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4546,host.target.,"""name"": ""host.target.network.egress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4551,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4556,host.target.,"""name"": ""host.target.network.ingress.packets""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4561,host.target.,"""name"": ""host.target.os.family""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4566,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4571,host.target.,"""name"": ""host.target.os.full.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4576,host.target.,"""name"": ""host.target.os.kernel""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4581,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4586,host.target.,"""name"": ""host.target.os.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4591,host.target.,"""name"": ""host.target.os.platform""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4596,host.target.,"""name"": ""host.target.os.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4601,host.target.,"""name"": ""host.target.os.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4606,host.target.,"""name"": ""host.target.pid_ns_ino""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4611,host.target.,"""name"": ""host.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4616,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4621,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4626,host.target.,"""name"": ""host.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4631,host.target.,"""name"": ""host.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4636,host.target.,"""name"": ""host.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4641,host.target.,"""name"": ""host.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,4646,host.target.,"""name"": ""host.target.uptime""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,8966,service.target.,"""name"": ""service.target.address""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,8971,service.target.,"""name"": ""service.target.entity.display_name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,8976,service.target.,"""name"": ""service.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,8981,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,8986,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,8991,service.target.,"""name"": ""service.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,8996,service.target.,"""name"": ""service.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9001,service.target.,"""name"": ""service.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9006,service.target.,"""name"": ""service.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9011,service.target.,"""name"": ""service.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9016,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9021,service.target.,"""name"": ""service.target.environment""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9026,service.target.,"""name"": ""service.target.ephemeral_id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9031,service.target.,"""name"": ""service.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9036,service.target.,"""name"": ""service.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9041,service.target.,"""name"": ""service.target.node.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9046,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9051,service.target.,"""name"": ""service.target.node.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9056,service.target.,"""name"": ""service.target.state""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9061,service.target.,"""name"": ""service.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,9066,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11441,user.target.,"""name"": ""user.target.domain""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11446,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11451,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11456,user.target.,"""name"": ""user.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11461,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11466,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11471,user.target.,"""name"": ""user.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11476,user.target.,"""name"": ""user.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11481,user.target.,"""name"": ""user.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11486,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11491,user.target.,"""name"": ""user.target.entity.sub_type""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11496,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11501,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11506,user.target.,"""name"": ""user.target.full_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11511,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11516,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11521,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11526,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11531,user.target.,"""name"": ""user.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11536,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11541,user.target.,"""name"": ""user.target.name.text""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11546,user.target.,"""name"": ""user.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11551,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11556,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11561,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11566,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11571,user.target.,"""name"": ""user.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_1.json,11576,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,2906,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,2911,entity.target.,"""name"": ""entity.target.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,2916,entity.target.,"""name"": ""entity.target.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,2921,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,2926,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,2931,entity.target.,"""name"": ""entity.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,2936,entity.target.,"""name"": ""entity.target.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,2941,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,2946,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,2951,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4376,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4381,host.target.,"""name"": ""host.target.boot.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4386,host.target.,"""name"": ""host.target.cpu.usage""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4391,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4396,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4401,host.target.,"""name"": ""host.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4406,host.target.,"""name"": ""host.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4411,host.target.,"""name"": ""host.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4416,host.target.,"""name"": ""host.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4421,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4426,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4431,host.target.,"""name"": ""host.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4436,host.target.,"""name"": ""host.target.entity.reference""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4441,host.target.,"""name"": ""host.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4446,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4451,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4456,host.target.,"""name"": ""host.target.geo.city_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4461,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4466,host.target.,"""name"": ""host.target.geo.continent_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4471,host.target.,"""name"": ""host.target.geo.country_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4476,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4481,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4486,host.target.,"""name"": ""host.target.geo.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4491,host.target.,"""name"": ""host.target.geo.postal_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4496,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4501,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4506,host.target.,"""name"": ""host.target.geo.timezone""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4511,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4516,host.target.,"""name"": ""host.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4521,host.target.,"""name"": ""host.target.ip""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4526,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4531,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4536,host.target.,"""name"": ""host.target.network.egress.bytes""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4541,host.target.,"""name"": ""host.target.network.egress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4546,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4551,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4556,host.target.,"""name"": ""host.target.os.family""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4561,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4566,host.target.,"""name"": ""host.target.os.full.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4571,host.target.,"""name"": ""host.target.os.kernel""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4576,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4581,host.target.,"""name"": ""host.target.os.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4586,host.target.,"""name"": ""host.target.os.platform""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4591,host.target.,"""name"": ""host.target.os.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4596,host.target.,"""name"": ""host.target.os.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4601,host.target.,"""name"": ""host.target.pid_ns_ino""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4606,host.target.,"""name"": ""host.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4611,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4616,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4621,host.target.,"""name"": ""host.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4626,host.target.,"""name"": ""host.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4631,host.target.,"""name"": ""host.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4636,host.target.,"""name"": ""host.target.type""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,4641,host.target.,"""name"": ""host.target.uptime""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,8961,service.target.,"""name"": ""service.target.address""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,8966,service.target.,"""name"": ""service.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,8971,service.target.,"""name"": ""service.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,8976,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,8981,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,8986,service.target.,"""name"": ""service.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,8991,service.target.,"""name"": ""service.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,8996,service.target.,"""name"": ""service.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9001,service.target.,"""name"": ""service.target.entity.source""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9006,service.target.,"""name"": ""service.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9011,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9016,service.target.,"""name"": ""service.target.environment""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9021,service.target.,"""name"": ""service.target.ephemeral_id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9026,service.target.,"""name"": ""service.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9031,service.target.,"""name"": ""service.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9036,service.target.,"""name"": ""service.target.node.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9041,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9046,service.target.,"""name"": ""service.target.node.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9051,service.target.,"""name"": ""service.target.state""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9056,service.target.,"""name"": ""service.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,9061,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11436,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11441,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11446,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11451,user.target.,"""name"": ""user.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11456,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11461,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11466,user.target.,"""name"": ""user.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11471,user.target.,"""name"": ""user.target.entity.name.text""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11476,user.target.,"""name"": ""user.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11481,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11486,user.target.,"""name"": ""user.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11491,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11496,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11501,user.target.,"""name"": ""user.target.full_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11506,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11511,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11516,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11521,user.target.,"""name"": ""user.target.hash""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11526,user.target.,"""name"": ""user.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11531,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11536,user.target.,"""name"": ""user.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11541,user.target.,"""name"": ""user.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11546,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11551,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11556,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11561,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11566,user.target.,"""name"": ""user.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a_2.json,11571,user.target.,"""name"": ""user.target.roles""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,1344,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,1349,entity.target.,"""name"": ""entity.target.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,1354,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,1359,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,1364,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,1369,entity.target.,"""name"": ""entity.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,1374,entity.target.,"""name"": ""entity.target.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,1379,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,1384,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,1389,entity.target.,"""name"": ""entity.target.type""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3009,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3014,host.target.,"""name"": ""host.target.boot.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3019,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3024,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3029,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3034,host.target.,"""name"": ""host.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3039,host.target.,"""name"": ""host.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3044,host.target.,"""name"": ""host.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3049,host.target.,"""name"": ""host.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3054,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3059,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3064,host.target.,"""name"": ""host.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3069,host.target.,"""name"": ""host.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3074,host.target.,"""name"": ""host.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3079,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3084,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3089,host.target.,"""name"": ""host.target.geo.city_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3094,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3099,host.target.,"""name"": ""host.target.geo.continent_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3104,host.target.,"""name"": ""host.target.geo.country_iso_code""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3109,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3114,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3119,host.target.,"""name"": ""host.target.geo.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3124,host.target.,"""name"": ""host.target.geo.postal_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3129,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3134,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3139,host.target.,"""name"": ""host.target.geo.timezone""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3144,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3149,host.target.,"""name"": ""host.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3154,host.target.,"""name"": ""host.target.ip""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3159,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3164,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3169,host.target.,"""name"": ""host.target.network.egress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3174,host.target.,"""name"": ""host.target.network.egress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3179,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3184,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3189,host.target.,"""name"": ""host.target.os.family""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3194,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3199,host.target.,"""name"": ""host.target.os.full.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3204,host.target.,"""name"": ""host.target.os.kernel""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3209,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3214,host.target.,"""name"": ""host.target.os.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3219,host.target.,"""name"": ""host.target.os.platform""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3224,host.target.,"""name"": ""host.target.os.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3229,host.target.,"""name"": ""host.target.os.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3234,host.target.,"""name"": ""host.target.pid_ns_ino""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3239,host.target.,"""name"": ""host.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3244,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3249,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3254,host.target.,"""name"": ""host.target.risk.static_level""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3259,host.target.,"""name"": ""host.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3264,host.target.,"""name"": ""host.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3269,host.target.,"""name"": ""host.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,3274,host.target.,"""name"": ""host.target.uptime""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6309,service.target.,"""name"": ""service.target.address""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6314,service.target.,"""name"": ""service.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6319,service.target.,"""name"": ""service.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6324,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6329,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6334,service.target.,"""name"": ""service.target.entity.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6339,service.target.,"""name"": ""service.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6344,service.target.,"""name"": ""service.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6349,service.target.,"""name"": ""service.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6354,service.target.,"""name"": ""service.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6359,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6364,service.target.,"""name"": ""service.target.environment""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6369,service.target.,"""name"": ""service.target.ephemeral_id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6374,service.target.,"""name"": ""service.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6379,service.target.,"""name"": ""service.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6384,service.target.,"""name"": ""service.target.node.name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6389,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6394,service.target.,"""name"": ""service.target.node.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6399,service.target.,"""name"": ""service.target.state""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6404,service.target.,"""name"": ""service.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,6409,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8589,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8594,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8599,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8604,user.target.,"""name"": ""user.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8609,user.target.,"""name"": ""user.target.entity.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8614,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8619,user.target.,"""name"": ""user.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8624,user.target.,"""name"": ""user.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8629,user.target.,"""name"": ""user.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8634,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8639,user.target.,"""name"": ""user.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8644,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8649,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8654,user.target.,"""name"": ""user.target.full_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8659,user.target.,"""name"": ""user.target.group.domain""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8664,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8669,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8674,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8679,user.target.,"""name"": ""user.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8684,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8689,user.target.,"""name"": ""user.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8694,user.target.,"""name"": ""user.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8699,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8704,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8709,user.target.,"""name"": ""user.target.risk.static_level""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8714,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8719,user.target.,"""name"": ""user.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_4.json,8724,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,1344,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,1349,entity.target.,"""name"": ""entity.target.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,1354,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,1359,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,1364,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,1369,entity.target.,"""name"": ""entity.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,1374,entity.target.,"""name"": ""entity.target.reference""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,1379,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,1384,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,1389,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3009,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3014,host.target.,"""name"": ""host.target.boot.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3019,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3024,host.target.,"""name"": ""host.target.disk.read.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3029,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3034,host.target.,"""name"": ""host.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3039,host.target.,"""name"": ""host.target.entity.display_name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3044,host.target.,"""name"": ""host.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3049,host.target.,"""name"": ""host.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3054,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3059,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3064,host.target.,"""name"": ""host.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3069,host.target.,"""name"": ""host.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3074,host.target.,"""name"": ""host.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3079,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3084,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3089,host.target.,"""name"": ""host.target.geo.city_name""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3094,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3099,host.target.,"""name"": ""host.target.geo.continent_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3104,host.target.,"""name"": ""host.target.geo.country_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3109,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3114,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3119,host.target.,"""name"": ""host.target.geo.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3124,host.target.,"""name"": ""host.target.geo.postal_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3129,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3134,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3139,host.target.,"""name"": ""host.target.geo.timezone""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3144,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3149,host.target.,"""name"": ""host.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3154,host.target.,"""name"": ""host.target.ip""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3159,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3164,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3169,host.target.,"""name"": ""host.target.network.egress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3174,host.target.,"""name"": ""host.target.network.egress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3179,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3184,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3189,host.target.,"""name"": ""host.target.os.family""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3194,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3199,host.target.,"""name"": ""host.target.os.full.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3204,host.target.,"""name"": ""host.target.os.kernel""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3209,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3214,host.target.,"""name"": ""host.target.os.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3219,host.target.,"""name"": ""host.target.os.platform""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3224,host.target.,"""name"": ""host.target.os.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3229,host.target.,"""name"": ""host.target.os.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3234,host.target.,"""name"": ""host.target.pid_ns_ino""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3239,host.target.,"""name"": ""host.target.risk.calculated_level""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3244,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3249,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3254,host.target.,"""name"": ""host.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3259,host.target.,"""name"": ""host.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3264,host.target.,"""name"": ""host.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3269,host.target.,"""name"": ""host.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,3274,host.target.,"""name"": ""host.target.uptime""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6309,service.target.,"""name"": ""service.target.address""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6314,service.target.,"""name"": ""service.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6319,service.target.,"""name"": ""service.target.entity.display_name.text""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6324,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6329,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6334,service.target.,"""name"": ""service.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6339,service.target.,"""name"": ""service.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6344,service.target.,"""name"": ""service.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6349,service.target.,"""name"": ""service.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6354,service.target.,"""name"": ""service.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6359,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6364,service.target.,"""name"": ""service.target.environment""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6369,service.target.,"""name"": ""service.target.ephemeral_id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6374,service.target.,"""name"": ""service.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6379,service.target.,"""name"": ""service.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6384,service.target.,"""name"": ""service.target.node.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6389,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6394,service.target.,"""name"": ""service.target.node.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6399,service.target.,"""name"": ""service.target.state""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6404,service.target.,"""name"": ""service.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,6409,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8589,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8594,user.target.,"""name"": ""user.target.email""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8599,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8604,user.target.,"""name"": ""user.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8609,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8614,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8619,user.target.,"""name"": ""user.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8624,user.target.,"""name"": ""user.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8629,user.target.,"""name"": ""user.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8634,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8639,user.target.,"""name"": ""user.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8644,user.target.,"""name"": ""user.target.entity.type""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8649,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8654,user.target.,"""name"": ""user.target.full_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8659,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8664,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8669,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8674,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8679,user.target.,"""name"": ""user.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8684,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8689,user.target.,"""name"": ""user.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8694,user.target.,"""name"": ""user.target.risk.calculated_level""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8699,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8704,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8709,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8714,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8719,user.target.,"""name"": ""user.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_5.json,8724,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,1344,entity.target.,"""name"": ""entity.target.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,1349,entity.target.,"""name"": ""entity.target.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,1354,entity.target.,"""name"": ""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,1359,entity.target.,"""name"": ""entity.target.last_seen_timestamp""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,1364,entity.target.,"""name"": ""entity.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,1369,entity.target.,"""name"": ""entity.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,1374,entity.target.,"""name"": ""entity.target.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,1379,entity.target.,"""name"": ""entity.target.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,1384,entity.target.,"""name"": ""entity.target.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,1389,entity.target.,"""name"": ""entity.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3009,host.target.,"""name"": ""host.target.architecture""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3014,host.target.,"""name"": ""host.target.boot.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3019,host.target.,"""name"": ""host.target.cpu.usage""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3024,host.target.,"""name"": ""host.target.disk.read.bytes""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3029,host.target.,"""name"": ""host.target.disk.write.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3034,host.target.,"""name"": ""host.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3039,host.target.,"""name"": ""host.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3044,host.target.,"""name"": ""host.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3049,host.target.,"""name"": ""host.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3054,host.target.,"""name"": ""host.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3059,host.target.,"""name"": ""host.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3064,host.target.,"""name"": ""host.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3069,host.target.,"""name"": ""host.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3074,host.target.,"""name"": ""host.target.entity.source""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3079,host.target.,"""name"": ""host.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3084,host.target.,"""name"": ""host.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3089,host.target.,"""name"": ""host.target.geo.city_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3094,host.target.,"""name"": ""host.target.geo.continent_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3099,host.target.,"""name"": ""host.target.geo.continent_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3104,host.target.,"""name"": ""host.target.geo.country_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3109,host.target.,"""name"": ""host.target.geo.country_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3114,host.target.,"""name"": ""host.target.geo.location""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3119,host.target.,"""name"": ""host.target.geo.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3124,host.target.,"""name"": ""host.target.geo.postal_code""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3129,host.target.,"""name"": ""host.target.geo.region_iso_code""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3134,host.target.,"""name"": ""host.target.geo.region_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3139,host.target.,"""name"": ""host.target.geo.timezone""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3144,host.target.,"""name"": ""host.target.hostname""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3149,host.target.,"""name"": ""host.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3154,host.target.,"""name"": ""host.target.ip""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3159,host.target.,"""name"": ""host.target.mac""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3164,host.target.,"""name"": ""host.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3169,host.target.,"""name"": ""host.target.network.egress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3174,host.target.,"""name"": ""host.target.network.egress.packets""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3179,host.target.,"""name"": ""host.target.network.ingress.bytes""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3184,host.target.,"""name"": ""host.target.network.ingress.packets""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3189,host.target.,"""name"": ""host.target.os.family""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3194,host.target.,"""name"": ""host.target.os.full""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3199,host.target.,"""name"": ""host.target.os.full.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3204,host.target.,"""name"": ""host.target.os.kernel""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3209,host.target.,"""name"": ""host.target.os.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3214,host.target.,"""name"": ""host.target.os.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3219,host.target.,"""name"": ""host.target.os.platform""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3224,host.target.,"""name"": ""host.target.os.type""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3229,host.target.,"""name"": ""host.target.os.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3234,host.target.,"""name"": ""host.target.pid_ns_ino""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3239,host.target.,"""name"": ""host.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3244,host.target.,"""name"": ""host.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3249,host.target.,"""name"": ""host.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3254,host.target.,"""name"": ""host.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3259,host.target.,"""name"": ""host.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3264,host.target.,"""name"": ""host.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3269,host.target.,"""name"": ""host.target.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,3274,host.target.,"""name"": ""host.target.uptime""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6309,service.target.,"""name"": ""service.target.address""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6314,service.target.,"""name"": ""service.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6319,service.target.,"""name"": ""service.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6324,service.target.,"""name"": ""service.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6329,service.target.,"""name"": ""service.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6334,service.target.,"""name"": ""service.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6339,service.target.,"""name"": ""service.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6344,service.target.,"""name"": ""service.target.entity.reference""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6349,service.target.,"""name"": ""service.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6354,service.target.,"""name"": ""service.target.entity.sub_type""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6359,service.target.,"""name"": ""service.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6364,service.target.,"""name"": ""service.target.environment""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6369,service.target.,"""name"": ""service.target.ephemeral_id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6374,service.target.,"""name"": ""service.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6379,service.target.,"""name"": ""service.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6384,service.target.,"""name"": ""service.target.node.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6389,service.target.,"""name"": ""service.target.node.role""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6394,service.target.,"""name"": ""service.target.node.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6399,service.target.,"""name"": ""service.target.state""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6404,service.target.,"""name"": ""service.target.type""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,6409,service.target.,"""name"": ""service.target.version""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8589,user.target.,"""name"": ""user.target.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8594,user.target.,"""name"": ""user.target.email""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8599,user.target.,"""name"": ""user.target.entity.display_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8604,user.target.,"""name"": ""user.target.entity.display_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8609,user.target.,"""name"": ""user.target.entity.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8614,user.target.,"""name"": ""user.target.entity.last_seen_timestamp""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8619,user.target.,"""name"": ""user.target.entity.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8624,user.target.,"""name"": ""user.target.entity.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8629,user.target.,"""name"": ""user.target.entity.reference""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8634,user.target.,"""name"": ""user.target.entity.source""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8639,user.target.,"""name"": ""user.target.entity.sub_type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8644,user.target.,"""name"": ""user.target.entity.type""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8649,user.target.,"""name"": ""user.target.full_name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8654,user.target.,"""name"": ""user.target.full_name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8659,user.target.,"""name"": ""user.target.group.domain""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8664,user.target.,"""name"": ""user.target.group.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8669,user.target.,"""name"": ""user.target.group.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8674,user.target.,"""name"": ""user.target.hash""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8679,user.target.,"""name"": ""user.target.id""," 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8684,user.target.,"""name"": ""user.target.name""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8689,user.target.,"""name"": ""user.target.name.text""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8694,user.target.,"""name"": ""user.target.risk.calculated_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8699,user.target.,"""name"": ""user.target.risk.calculated_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8704,user.target.,"""name"": ""user.target.risk.calculated_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8709,user.target.,"""name"": ""user.target.risk.static_level""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8714,user.target.,"""name"": ""user.target.risk.static_score""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8719,user.target.,"""name"": ""user.target.risk.static_score_norm""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/e8b37f18-4804-4819-8602-4aba1169c9f4_6.json,8724,user.target.,"""name"": ""user.target.roles""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_107.json,6,entity.target.,"""description"": ""Detects when an AWS Identity and Access Management (IAM) customer-managed policy is 
attached to a role by an unusual or unauthorized user. Customer-managed policies are policies created and controlled within an AWS accoun..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_107.json,23,entity.target.,"""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_107.json,37,entity.target.,"""entity.target.id""" +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_107.json,39,entity.target.,"""note"": ""## Triage and analysis\n\n### Investigating AWS IAM Customer-Managed Policy Attached to Role by Rare User\n\nThis rule detects when a customer-managed IAM policy is attached to a role by an unusual or unauthorized user. This act..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_108.json,6,entity.target.,"""description"": ""Detects when an AWS Identity and Access Management (IAM) customer-managed policy is attached to a role by an unusual or unauthorized user. Customer-managed policies are policies created and controlled within an AWS accoun..." 
+C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_108.json,23,entity.target.,"""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_108.json,37,entity.target.,"""entity.target.id""" +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_108.json,39,entity.target.,"""note"": ""## Triage and analysis\n\n### Investigating AWS IAM Customer-Managed Policy Attached to Role by Rare User\n\nThis rule detects when a customer-managed IAM policy is attached to a role by an unusual or unauthorized user. This act..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_109.json,6,entity.target.,"""description"": ""Detects when an AWS Identity and Access Management (IAM) customer-managed policy is attached to a role by an unusual or unauthorized user. Customer-managed policies are policies created and controlled within an AWS accoun..." +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_109.json,23,entity.target.,"""entity.target.id""," +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_109.json,37,entity.target.,"""entity.target.id""" +C,security_detection_engine,,packages/security_detection_engine/kibana/security_rule/f6d07a70-9ad0-11ef-954f-f661ea17fbcd_109.json,39,entity.target.,"""note"": ""## Triage and analysis\n\n### Investigating AWS IAM Customer-Managed Policy Attached to Role by Rare User\n\nThis rule detects when a customer-managed IAM policy is attached to a role by an unusual or unauthorized user. This act..." 
+B,sysmon_linux,log,packages/sysmon_linux/data_stream/log/fields/ecs.yml,225,user.target.,name: user.target.group.domain +B,sysmon_linux,log,packages/sysmon_linux/data_stream/log/fields/ecs.yml,227,user.target.,name: user.target.group.id +B,sysmon_linux,log,packages/sysmon_linux/data_stream/log/fields/ecs.yml,229,user.target.,name: user.target.group.name +B,sysmon_linux,log,packages/sysmon_linux/data_stream/log/fields/ecs.yml,231,user.target.,name: user.target.name +A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,3594,user.target.,//TargetUserSid to user.id or user.target.id +A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,3607,user.target.,"ctx.user.target.put(""id"", targetUserId);" +A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,3611,user.target.,//TargetUserName to related.user and user.name or user.target.name +A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,3625,user.target.,"ctx.user.target.put(""name"", tun[0]);" +A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,3639,user.target.,//TargetUserDomain to user.domain or user.target.domain +A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,3652,user.target.,"ctx.user.target.put(""domain"", ctx.winlog.event_data.TargetDomainName);" +A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,3734,user.target.,"ctx.user.target.put(""name"", memberName);" +A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,3740,user.target.,"ctx.user.target.put(""domain"", domain);" +A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,3775,user.target.,"ctx.user.target.put(""group"", hm);" 
+A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,3778,user.target.,"ctx.user.target.group.put(""id"", ctx.group.id);" +A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,3781,user.target.,"ctx.user.target.group.put(""name"", ctx.group.name);" +A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,3784,user.target.,"ctx.user.target.group.put(""domain"", ctx.group.domain);" +A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,3901,user.target.,"if (userId != null && userId != """" && userId != ""-"") ctx.user.target.id = userId;" +A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,3904,user.target.,ctx.user.target.name = userName; +A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,3907,user.target.,ctx.user.target.name = parts[0]; +A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,3913,user.target.,if (!ctx.related.user.contains(ctx.user.target.name)) { +A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,3914,user.target.,ctx.related.user.add(ctx.user.target.name); +A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,3918,user.target.,"if (userDomain != null && userDomain != """" && userDomain != ""-"") ctx.user.target.domain = userDomain;" +A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,3919,user.target.,"if (ctx.user?.target != null && ctx.user.target.size() == 0) ctx.user.remove(""target"");" +A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,4413,user.target.,field: user.target.name 
+A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,4448,user.target.,"description: Parse ObjectDN for event 5136 to set user.target.name, group.name based on ObjectClass" +A,system,security,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,4481,user.target.,"ctx.user.target.put(""name"", cnValue);" +C,system,,packages/system/kibana/dashboard/system-2c4debf0-ef4f-4379-99a1-c57c307f23af.json,116,user.target.,"""sourceField"": ""user.target.name""" +C,system,,packages/system/kibana/dashboard/system-2c4debf0-ef4f-4379-99a1-c57c307f23af.json,300,user.target.,"""sourceField"": ""user.target.name""" +C,system,,packages/system/kibana/dashboard/system-2c4debf0-ef4f-4379-99a1-c57c307f23af.json,577,user.target.,"""sourceField"": ""user.target.domain""" +C,system,,packages/system/kibana/search/system-135250ac-861d-43cf-9bfb-ce04a39c2ed9.json,9,user.target.,"""user.target.id""," +C,system,,packages/system/kibana/search/system-5dd71405-86d2-4eab-a3d5-088f71889e94.json,10,user.target.,"""user.target.name""," +C,system,,packages/system/kibana/search/system-8947d1c6-6a3a-4b5d-890e-6f59d3d8f1e9.json,9,user.target.,"""user.target.id""," +C,system,,packages/system/kibana/search/system-f21d4873-7987-480e-8110-1fda397c3e0d.json,5,user.target.,"""user.target.name""," +C,system,,packages/system/kibana/search/system-f21d4873-7987-480e-8110-1fda397c3e0d.json,6,user.target.,"""user.target.domain""," +C,system,,packages/system/kibana/search/system-f6a50ac5-d9cd-469c-8169-0d4fc5c0bef5.json,5,user.target.,"""user.target.name""," +C,system,,packages/system/kibana/search/system-f6a50ac5-d9cd-469c-8169-0d4fc5c0bef5.json,6,user.target.,"""user.target.domain""," +C,system,,packages/system/kibana/search/system-f6dbb7a7-25a5-4d42-9e64-8cb6cd9e173c.json,5,user.target.,"""user.target.name""," +A,tenable_io,audit,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,317,user.target.,field: 
user.target.id +A,tenable_io,audit,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,329,user.target.,field: user.target.name +A,tenable_io,audit,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,335,user.target.,field: user.target.name +A,tenable_io,audit,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,336,user.target.,target_field: user.target.email +A,tenable_io,audit,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,338,user.target.,"if: ctx.user?.target?.name != null && ctx.user.target.name.indexOf(""@"") > 0" +A,tenable_io,audit,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,340,user.target.,field: user.target.email +A,tenable_io,audit,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,341,user.target.,pattern: '%{user.target.name}@%{user.target.domain}' +A,tenable_io,audit,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,349,user.target.,value: '{{{user.target.name}}}' +A,tenable_io,audit,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,355,user.target.,value: '{{{user.target.email}}}' +A,trend_micro_vision_one,endpoint_activity,packages/trend_micro_vision_one/data_stream/endpoint_activity/elasticsearch/ingest_pipeline/default.yml,1150,user.target.,field: user.target.name +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,167,user.target.,field: user.target.name +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,168,user.target.,target_field: user.target.email +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,172,user.target.,field: user.target.email 
+A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,173,user.target.,pattern: '%{user.target.name}@%{user.target.domain}' +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,180,user.target.,"value: ""{{{user.target.name}}}""" +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,186,user.target.,"value: ""{{{user.target.email}}}""" +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-detection.yml,174,user.target.,field: user.target.name +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-lockdown.yml,63,user.target.,field: user.target.name +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-lockdown.yml,78,user.target.,field: user.target.id +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-scoring.yml,44,user.target.,field: user.target.id +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-scoring.yml,49,user.target.,value: '{{{user.target.id}}}' +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-scoring.yml,87,user.target.,field: user.target.name +A,vectra_detect,log,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-host-detection.yml,286,user.target.,field: user.target.name +C,vectra_detect,,packages/vectra_detect/kibana/dashboard/vectra_detect-74869ba0-bcb3-11ed-837c-8b9d01cca76e.json,203,user.target.,"""sourceField"": ""user.target.name""" +C,vectra_detect,,packages/vectra_detect/kibana/dashboard/vectra_detect-74869ba0-bcb3-11ed-837c-8b9d01cca76e.json,225,user.target.,"""sourceField"": ""user.target.id""" 
+C,vectra_detect,,packages/vectra_detect/kibana/dashboard/vectra_detect-ce341d40-b91f-11ed-a75d-1d76b4fe7223.json,121,user.target.,"""sourceField"": ""user.target.id""" +C,vectra_detect,,packages/vectra_detect/kibana/dashboard/vectra_detect-d517be50-bcbc-11ed-837c-8b9d01cca76e.json,204,user.target.,"""sourceField"": ""user.target.name""" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3229,user.target.,//TargetUserSid to user.id or user.target.id +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3242,user.target.,"ctx.user.target.put(""id"", targetUserId);" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3246,user.target.,//TargetUserName to related.user and user.name or user.target.name +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3260,user.target.,"ctx.user.target.put(""name"", tun[0]);" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3274,user.target.,//TargetUserDomain to user.domain or user.target.domain +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3287,user.target.,"ctx.user.target.put(""domain"", ctx.winlog.event_data.TargetDomainName);" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3330,user.target.,"ctx.user.target.put(""name"", memberName);" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3336,user.target.,"ctx.user.target.put(""domain"", domain);" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3371,user.target.,"ctx.user.target.put(""group"", hm);" 
+A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3374,user.target.,"ctx.user.target.group.put(""id"", ctx.group.id);" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3377,user.target.,"ctx.user.target.group.put(""name"", ctx.group.name);" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3380,user.target.,"ctx.user.target.group.put(""domain"", ctx.group.domain);" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3494,user.target.,"if (userId != null && userId != """" && userId != ""-"") ctx.user.target.id = userId;" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3497,user.target.,ctx.user.target.name = userName; +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3500,user.target.,ctx.user.target.name = parts[0]; +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3506,user.target.,if (!ctx.related.user.contains(ctx.user.target.name)) { +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3507,user.target.,ctx.related.user.add(ctx.user.target.name); +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3511,user.target.,"if (userDomain != null && userDomain != """" && userDomain != ""-"") ctx.user.target.domain = userDomain;" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3512,user.target.,"if (ctx.user?.target != null && ctx.user.target.size() == 0) ctx.user.remove(""target"");" 
+A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3928,user.target.,field: user.target.name +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3963,user.target.,"description: Parse ObjectDN for event 5136 to set user.target.name, group.name based on ObjectClass" +A,windows,forwarded,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3996,user.target.,"ctx.user.target.put(""name"", cnValue);" +B,windows,forwarded,packages/windows/data_stream/forwarded/fields/ecs.yml,281,user.target.,name: user.target.group.domain +B,windows,forwarded,packages/windows/data_stream/forwarded/fields/ecs.yml,283,user.target.,name: user.target.group.id +B,windows,forwarded,packages/windows/data_stream/forwarded/fields/ecs.yml,285,user.target.,name: user.target.group.name +B,windows,forwarded,packages/windows/data_stream/forwarded/fields/ecs.yml,287,user.target.,name: user.target.name +B,windows,sysmon_operational,packages/windows/data_stream/sysmon_operational/fields/ecs.yml,239,user.target.,name: user.target.group.domain +B,windows,sysmon_operational,packages/windows/data_stream/sysmon_operational/fields/ecs.yml,241,user.target.,name: user.target.group.id +B,windows,sysmon_operational,packages/windows/data_stream/sysmon_operational/fields/ecs.yml,243,user.target.,name: user.target.group.name +B,windows,sysmon_operational,packages/windows/data_stream/sysmon_operational/fields/ecs.yml,245,user.target.,name: user.target.name +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,50,user.target.,field: user.target.id +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,54,user.target.,field: user.target.email +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,62,user.target.,field: user.target.id 
+A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,66,user.target.,field: user.target.email +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,70,user.target.,field: user.target.full_name +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,74,user.target.,field: user.target.name +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,108,user.target.,"value: ""{{{user.target.id}}}""" +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,117,user.target.,# set user.target.* from old_values +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,120,user.target.,field: user.target.id +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,124,user.target.,field: user.target.id +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,128,user.target.,field: user.target.email +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,132,user.target.,field: user.target.email +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,136,user.target.,field: user.target.full_name +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,141,user.target.,# set user.target.* from user.* without overriding old_values. 
+A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,145,user.target.,field: user.target.id +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,151,user.target.,field: user.target.id +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,157,user.target.,field: user.target.email +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,163,user.target.,field: user.target.email +A,zoom,webhook,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,169,user.target.,field: user.target.full_name +A,zscaler_zpa,audit,packages/zscaler_zpa/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,231,user.target.,ctx.user.target.roles = new ArrayList(); +A,zscaler_zpa,audit,packages/zscaler_zpa/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,233,user.target.,ctx.user.target.email = valuesMap?.email; +A,zscaler_zpa,audit,packages/zscaler_zpa/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,235,user.target.,ctx.user.target.roles.add(roles[i].name); +A,zscaler_zpa,audit,packages/zscaler_zpa/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,263,user.target.,ctx.user.target.id = valuesMap?.id; +A,zscaler_zpa,audit,packages/zscaler_zpa/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,264,user.target.,ctx.user.target.email = valuesMap?.email; +A,zscaler_zpa,audit,packages/zscaler_zpa/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,265,user.target.,ctx.user.target.name = valuesMap?.name; diff --git a/dev/target-fields-audit/out/target_fields_audit_summary.md b/dev/target-fields-audit/out/target_fields_audit_summary.md new file mode 100644 index 00000000000..d3fd141a7e9 --- /dev/null +++ b/dev/target-fields-audit/out/target_fields_audit_summary.md 
@@ -0,0 +1,101 @@ +# ECS `*.target.*` audit summary + +- **git HEAD:** `d43ff234d21161ef4cbbc25d56415e4aa72680d9` +- **generated (UTC):** 2026-05-13T12:51:29Z +- **integration packages scanned:** 445 +- **evidence rows (matches):** 1826 + +Prefixes scanned: `host.target.`, `user.target.`, `service.target.`, `entity.target.` + +## Confidence labels + +| Label | Meaning | +| --- | --- | +| **high** | At least one hit under **Tier A** (ingest pipeline YAML). Strongest signal that documents may receive these fields at ingest. | +| **medium** | Hits only under **Tier B** (field YAML). Declared schema; not proof the pipeline populates it. | +| **low** | Hits only under **Tier C** (Kibana JSON). Saved objects referencing field names; not ingest. | + +If a package has multiple tiers, the label reflects the **strongest** tier present. + +## Unique packages by tier and prefix + +### Tier A — Pipeline + +| matched_prefix | unique_packages | +| --- | --- | +| host.target. | 2 | +| user.target. | 28 | +| service.target. | 3 | +| entity.target. | 2 | + +### Tier B — Fields + +| matched_prefix | unique_packages | +| --- | --- | +| host.target. | 3 | +| user.target. | 11 | +| service.target. | 4 | +| entity.target. | 2 | + +### Tier C — Kibana JSON + +| matched_prefix | unique_packages | +| --- | --- | +| host.target. | 1 | +| user.target. | 8 | +| service.target. | 1 | +| entity.target. | 1 | + +## Tier A — unique (package, data_stream) pairs + +36 + +## Integrations with hits — full list + +Every package under `packages/` that produced at least one evidence row, sorted by package name. 
+ +| package | confidence | tiers | rows_A | rows_B | rows_C | prefixes_seen | +| --- | --- | --- | --- | --- | --- | --- | +| amazon_security_lake | high | A+C | 14 | 0 | 3 | user.target | +| atlassian_bitbucket | high | A | 7 | 0 | 0 | user.target | +| atlassian_confluence | high | A | 16 | 0 | 0 | user.target | +| atlassian_jira | high | A | 10 | 0 | 0 | user.target | +| auditd | medium | B | 0 | 4 | 0 | user.target | +| auditd_manager | medium | B | 0 | 4 | 0 | user.target | +| aws | high | A+B | 6 | 4 | 0 | host.target, user.target, service.target, entity.target | +| box_events | high | A | 9 | 0 | 0 | user.target | +| canva | high | A+C | 6 | 0 | 1 | user.target | +| cisco_duo | high | A | 1 | 0 | 0 | user.target | +| crowdstrike | high | A | 7 | 0 | 0 | user.target | +| cyberarkpas | high | A | 14 | 0 | 0 | user.target | +| fim | medium | B | 0 | 4 | 0 | user.target | +| gcp | high | A+B | 5 | 4 | 0 | host.target, user.target, service.target, entity.target | +| github | high | A+C | 8 | 0 | 9 | user.target | +| google_workspace | high | A | 27 | 0 | 0 | user.target | +| hid_bravura_monitor | medium | B | 0 | 4 | 0 | user.target | +| hpe_aruba_cx | high | A+B | 1 | 1 | 0 | service.target | +| keycloak | high | A | 2 | 0 | 0 | user.target | +| mattermost | high | A+C | 13 | 0 | 1 | user.target | +| microsoft_sqlserver | high | A | 2 | 0 | 0 | user.target | +| mysql_enterprise | high | A+B | 2 | 2 | 0 | user.target | +| netskope | high | A | 1 | 0 | 0 | user.target | +| o365 | high | A | 11 | 0 | 0 | user.target | +| okta | high | A | 6 | 0 | 0 | user.target | +| osquery_manager | medium | B | 0 | 19 | 0 | host.target, user.target, service.target | +| pad | low | C | 0 | 0 | 11 | user.target | +| qnap_nas | high | A+B | 1 | 1 | 0 | user.target | +| security_detection_engine | low | C | 0 | 0 | 1466 | host.target, user.target, service.target, entity.target | +| sysmon_linux | medium | B | 0 | 4 | 0 | user.target | +| system | high | A+C | 22 | 0 | 11 | 
user.target | +| tenable_io | high | A | 9 | 0 | 0 | user.target | +| trend_micro_vision_one | high | A | 1 | 0 | 0 | user.target | +| vectra_detect | high | A+C | 13 | 0 | 4 | user.target | +| windows | high | A+B | 22 | 8 | 0 | user.target | +| zoom | high | A | 19 | 0 | 0 | user.target | +| zscaler_zpa | high | A | 6 | 0 | 0 | user.target | + +## Totals + +- **integration packages scanned:** 445 +- **unique packages with any hit:** 37 +- **unique packages with Tier A hit:** 29 diff --git a/dev/target-fields-audit/out/vendor_target_special_cases.csv b/dev/target-fields-audit/out/vendor_target_special_cases.csv new file mode 100644 index 00000000000..f5adf7c806a --- /dev/null +++ b/dev/target-fields-audit/out/vendor_target_special_cases.csv 
@@ -0,0 +1,1954 @@ +package,data_stream,source,file,line,field_path,namespace_class,suggest_bucket +1password,signin_attempts,ingest_pipeline,packages/1password/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml,103,onepassword.target_user.email,other_vendor_or_nested,likely_user_target_or_entity +1password,signin_attempts,ingest_pipeline,packages/1password/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml,95,onepassword.target_user.name,other_vendor_or_nested,likely_user_target_or_entity +1password,signin_attempts,ingest_pipeline,packages/1password/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml,91,onepassword.target_user.uuid,other_vendor_or_nested,likely_user_target_or_entity +airlock_digital,agent,ingest_pipeline,packages/airlock_digital/data_stream/agent/elasticsearch/ingest_pipeline/default.yml,533,airlock_digital.agent.poilcy_details.targetvers,vendor_root,entity_target_generic +airlock_digital,agent,fields_yml_nested,packages/airlock_digital/data_stream/agent/fields/fields.yml,152,airlock_digital.agent.poilcy_details.targetvers,vendor_root,entity_target_generic +airlock_digital,agent,ingest_pipeline,packages/airlock_digital/data_stream/agent/elasticsearch/ingest_pipeline/default.yml,531,json.policy_details.targetvers,other_vendor_or_nested,entity_target_generic +airlock_digital,agent,expected_json,packages/airlock_digital/data_stream/agent/_dev/test/pipeline/test-agent.log-expected.json,0,targetvers,other_vendor_or_nested,entity_target_generic +amazon_security_lake,event,expected_json,packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +amazon_security_lake,event,expected_json,packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-iam.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,159,user.target.domain,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,6,user.target.domain,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,164,user.target.email,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,11,user.target.email,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,175,user.target.full_name,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,22,user.target.full_name,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,191,user.target.group.id,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,38,user.target.group.id,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,201,user.target.group.name,ecs_top_level,likely_user_target_or_entity 
+amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,48,user.target.group.name,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,206,user.target.id,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,53,user.target.id,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml,217,user.target.name,ecs_top_level,likely_user_target_or_entity +amazon_security_lake,event,ingest_pipeline,packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml,64,user.target.name,ecs_top_level,likely_user_target_or_entity +apache_spark,driver,fields_yml_nested,packages/apache_spark/data_stream/driver/fields/fields.yml,197,apache_spark.driver.executors.target,vendor_root,entity_target_generic +atlassian_bitbucket,audit,expected_json,packages/atlassian_bitbucket/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +atlassian_bitbucket,audit,expected_json,packages/atlassian_bitbucket/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +atlassian_confluence,audit,expected_json,packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-cloud.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+atlassian_confluence,audit,expected_json,packages/atlassian_confluence/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +atlassian_jira,audit,expected_json,packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-api.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +atlassian_jira,audit,expected_json,packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-cloud.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +atlassian_jira,audit,expected_json,packages/atlassian_jira/data_stream/audit/_dev/test/pipeline/test-audit-files.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +auditd,log,expected_json,packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-raw.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +auditd,log,expected_json,packages/auditd/data_stream/log/_dev/test/pipeline/test-auditd-useradd.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +auditd_manager,auditd,expected_json,packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-centos7-events.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +auditd_manager,auditd,expected_json,packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-passwd-events.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +auditd_manager,auditd,expected_json,packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-useradd-events.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +auditd_manager,auditd,fields_yml_flat,packages/auditd_manager/data_stream/auditd/fields/ecs.yml,81,user.target.group.id,ecs_top_level,likely_user_target_or_entity +auditd_manager,auditd,fields_yml_flat,packages/auditd_manager/data_stream/auditd/fields/ecs.yml,83,user.target.group.name,ecs_top_level,likely_user_target_or_entity 
+auditd_manager,auditd,fields_yml_flat,packages/auditd_manager/data_stream/auditd/fields/ecs.yml,73,user.target.id,ecs_top_level,likely_user_target_or_entity +auditd_manager,auditd,fields_yml_flat,packages/auditd_manager/data_stream/auditd/fields/ecs.yml,75,user.target.name,ecs_top_level,likely_user_target_or_entity +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-target-json.log-expected.json,0,CreateTrafficMirrorTargetRequest,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-target-json.log-expected.json,0,CreateTrafficMirrorTargetResponse,other_vendor_or_nested,entity_target_generic +aws,elb_metrics,fields_yml_flat,packages/aws/data_stream/elb_metrics/fields/fields.yml,227,TCP_Target_Reset_Count.sum,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-logging-json.log-expected.json,0,TargetBucket,other_vendor_or_nested,likely_service_target_or_entity +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-logging-json.log-expected.json,0,TargetPrefix,other_vendor_or_nested,entity_target_generic +aws,elb_metrics,fields_yml_flat,packages/aws/data_stream/elb_metrics/fields/fields.yml,164,TargetResponseTime.avg,other_vendor_or_nested,entity_target_generic +aws,elb_metrics,fields_yml_flat,packages/aws/data_stream/elb_metrics/fields/fields.yml,215,TargetTLSNegotiationErrorCount.sum,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-session-request-json.log-expected.json,0,TrafficMirrorTargetId,other_vendor_or_nested,entity_target_generic 
+aws,elb_logs,ingest_pipeline,packages/aws/data_stream/elb_logs/elasticsearch/ingest_pipeline/default.yml,175,_tmp.target_port,other_vendor_or_nested,entity_target_generic +aws,elb_logs,ingest_pipeline,packages/aws/data_stream/elb_logs/elasticsearch/ingest_pipeline/default.yml,180,_tmp.target_status_code,other_vendor_or_nested,entity_target_generic +aws,elb_metrics,fields_yml_nested,packages/aws/data_stream/elb_metrics/fields/fields.yml,254,aws.dimensions.TargetGroup,vendor_root,entity_target_generic +aws,elb_logs,ingest_pipeline,packages/aws/data_stream/elb_logs/elasticsearch/ingest_pipeline/default.yml,176,aws.elb.target_port,vendor_root,entity_target_generic +aws,elb_logs,ingest_pipeline,packages/aws/data_stream/elb_logs/elasticsearch/ingest_pipeline/default.yml,181,aws.elb.target_status_code,vendor_root,entity_target_generic +aws,guardduty,ingest_pipeline,packages/aws/data_stream/guardduty/elasticsearch/ingest_pipeline/default.yml,1917,aws.guardduty.service.runtime_details.context.mount_target,vendor_root,likely_service_target_or_entity +aws,guardduty,ingest_pipeline,packages/aws/data_stream/guardduty/elasticsearch/ingest_pipeline/default.yml,1945,aws.guardduty.service.runtime_details.context.target_process,vendor_root,likely_service_target_or_entity +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-db-instance-json.log-expected.json,0,backupTarget,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-db-instance-json.log-expected.json,0,backupTarget,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-instance-json.log-expected.json,0,backupTarget,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-restore-db-instnace-from-s3-json.log-expected.json,0,backupTarget,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-restore-db-instnace-from-snapshot-json.log-expected.json,0,backupTarget,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-db-instance-json.log-expected.json,0,backupTarget,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,275,entity.target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,278,entity.target.id,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,260,host.target,ecs_top_level,likely_host_target_or_entity +aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,263,host.target.entity,ecs_top_level,likely_host_target_or_entity +aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,266,host.target.entity.id,ecs_top_level,likely_host_target_or_entity +aws,guardduty,ingest_pipeline,packages/aws/data_stream/guardduty/elasticsearch/ingest_pipeline/default.yml,1916,json.service.runtimeDetails.context.mountTarget,other_vendor_or_nested,likely_service_target_or_entity +aws,guardduty,ingest_pipeline,packages/aws/data_stream/guardduty/elasticsearch/ingest_pipeline/default.yml,1944,json.service.runtimeDetails.context.targetProcess,other_vendor_or_nested,likely_service_target_or_entity +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-mount-target-json.log-expected.json,0,mountTargetId,other_vendor_or_nested,entity_target_generic 
+aws,guardduty,expected_json,packages/aws/data_stream/guardduty/_dev/test/pipeline/test-guardduty.log-expected.json,0,mount_target,other_vendor_or_nested,entity_target_generic +aws,guardduty,fields_yml_nested,packages/aws/data_stream/guardduty/fields/fields.yml,1089,service.runtime_details.context.mount_target,other_vendor_or_nested,likely_service_target_or_entity +aws,guardduty,fields_yml_nested,packages/aws/data_stream/guardduty/fields/fields.yml,1110,service.runtime_details.context.target_process,other_vendor_or_nested,likely_service_target_or_entity +aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,242,service.target,other_vendor_or_nested,likely_service_target_or_entity +aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,245,service.target.entity,other_vendor_or_nested,likely_service_target_or_entity +aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,248,service.target.entity.id,other_vendor_or_nested,likely_service_target_or_entity +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-permission-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-group-policy-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-role-policy-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-policy-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-attach-user-role-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-egress-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-authorize-security-group-ingress-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-batch-get-secret-value-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-converse-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-copy-object-json-minimal.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-copy-object-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-control-channel-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-detector-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-document-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-policy-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-stack-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-stack-set-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-topic-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-filter-response-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-filter-rule-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-session-request-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-target-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trust-anchor-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-alarms-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-db-cluster-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-db-instance-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-detector-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-file-system-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-flow-log-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-global-cluster-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-log-group-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-log-stream-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-mount-target-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-network-acl-entry-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-network-acl-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-resolver-query-log-config-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-rule-group-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-rule-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-web-acl-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-disable-key-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-bucket-policy-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-caller-identity-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-parameter-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-parameters-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-password-data-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-policy-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-get-secret-value-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-list-attached-role-policies-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-cluster-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-cluster-snapshot-attribute-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-instance-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-db-snapshot-attributte-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-image-attribute-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-modify-snapshot-attribute-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-open-control-channel-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-publish-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-logging-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-replication-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-bucket-versioning-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-put-object-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-remove-user-from-group-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-restore-db-instnace-from-s3-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-restore-db-instnace-from-snapshot-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-schedule-key-deletion-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-all-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-targets-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-serial-console-ssh-public-key-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-ssh-public-key-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-session-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-configuration-recorder.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-db-cluster-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-db-instance-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-subscribe-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-terminate-session-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-assume-role-policy-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json-flattened.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json-keyword.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,200,target.entity,other_vendor_or_nested,entity_target_generic
+aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,203,target.entity.id,other_vendor_or_nested,entity_target_generic
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-all-json.log-expected.json,0,targetCount,other_vendor_or_nested,entity_target_generic
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-targets-json.log-expected.json,0,targetCount,other_vendor_or_nested,entity_target_generic
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-open-control-channel-json.log-expected.json,0,targetId,other_vendor_or_nested,entity_target_generic
+aws,elb_logs,expected_json,packages/aws/data_stream/elb_logs/_dev/test/pipeline/test-alb.log-expected.json,0,target_group,other_vendor_or_nested,entity_target_generic
+aws,elb_logs,fields_yml_flat,packages/aws/data_stream/elb_logs/fields/fields.yml,12,target_group.arn,other_vendor_or_nested,entity_target_generic
+aws,elb_logs,expected_json,packages/aws/data_stream/elb_logs/_dev/test/pipeline/test-alb.log-expected.json,0,target_port,other_vendor_or_nested,entity_target_generic
+aws,guardduty,expected_json,packages/aws/data_stream/guardduty/_dev/test/pipeline/test-guardduty.log-expected.json,0,target_process,other_vendor_or_nested,entity_target_generic
+aws,elb_logs,expected_json,packages/aws/data_stream/elb_logs/_dev/test/pipeline/test-alb.log-expected.json,0,target_status_code,other_vendor_or_nested,entity_target_generic
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-send-command-targets-json.log-expected.json,0,targets,other_vendor_or_nested,entity_target_generic
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-target-json.log-expected.json,0,trafficMirrorTarget,other_vendor_or_nested,entity_target_generic
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-session-request-json.log-expected.json,0,trafficMirrorTargetId,other_vendor_or_nested,entity_target_generic
+aws,cloudtrail,expected_json,packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-traffic-mirror-target-json.log-expected.json,0,trafficMirrorTargetId,other_vendor_or_nested,entity_target_generic
+aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,224,user.target,ecs_top_level,likely_user_target_or_entity
+aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,227,user.target.entity,ecs_top_level,likely_user_target_or_entity
+aws,cloudtrail,fields_yml_nested,packages/aws/data_stream/cloudtrail/fields/fields.yml,230,user.target.entity.id,ecs_top_level,likely_user_target_or_entity
+aws,cloudtrail,ingest_pipeline,packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml,1934,user.target.id,ecs_top_level,likely_user_target_or_entity
+aws,cloudtrail,ingest_pipeline,packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml,1946,user.target.name,ecs_top_level,likely_user_target_or_entity
+aws_bedrock_agentcore,metrics,fields_yml_flat,packages/aws_bedrock_agentcore/data_stream/metrics/fields/fields.yml,97,TargetExecutionTime.avg,other_vendor_or_nested,entity_target_generic
+aws_bedrock_agentcore,metrics,fields_yml_flat,packages/aws_bedrock_agentcore/data_stream/metrics/fields/fields.yml,57,TargetType_LAMBDA.sum,other_vendor_or_nested,entity_target_generic
+aws_bedrock_agentcore,metrics,fields_yml_flat,packages/aws_bedrock_agentcore/data_stream/metrics/fields/fields.yml,53,TargetType_MCP.sum,other_vendor_or_nested,entity_target_generic
+aws_bedrock_agentcore,gateway_application_logs,expected_json,packages/aws_bedrock_agentcore/data_stream/gateway_application_logs/_dev/test/pipeline/test-aws-bedrock-agentcore-gateway.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+aws_securityhub,finding,fields_yml_nested,packages/aws_securityhub/data_stream/finding/fields/fields.yml,283,aws_securityhub.finding.anomaly_analyses.analysis_targets,vendor_root,entity_target_generic
+aws_securityhub,finding,fields_yml_nested,packages/aws_securityhub/data_stream/finding/fields/fields.yml,286,aws_securityhub.finding.anomaly_analyses.analysis_targets.name,vendor_root,entity_target_generic
+aws_securityhub,finding,fields_yml_nested,packages/aws_securityhub/data_stream/finding/fields/fields.yml,289,aws_securityhub.finding.anomaly_analyses.analysis_targets.type,vendor_root,entity_target_generic
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,280,azure.provisioning.properties.targetIdentity,vendor_root,likely_user_target_or_entity
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,332,azure.provisioning.properties.targetSystem,vendor_root,entity_target_generic
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,281,azure.provisioning.properties.target_identity,vendor_root,likely_user_target_or_entity
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,284,azure.provisioning.properties.target_identity.Id,vendor_root,likely_user_target_or_entity
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,288,azure.provisioning.properties.target_identity.Name,vendor_root,likely_user_target_or_entity
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,296,azure.provisioning.properties.target_identity.details.DisplayName,vendor_root,likely_user_target_or_entity
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,300,azure.provisioning.properties.target_identity.details.UserPrincipalName,vendor_root,likely_user_target_or_entity
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,297,azure.provisioning.properties.target_identity.details.display_name,vendor_root,likely_user_target_or_entity
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,301,azure.provisioning.properties.target_identity.details.user_principal_name,vendor_root,likely_user_target_or_entity
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,285,azure.provisioning.properties.target_identity.id,vendor_root,likely_user_target_or_entity
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,292,azure.provisioning.properties.target_identity.identityType,vendor_root,likely_user_target_or_entity
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,293,azure.provisioning.properties.target_identity.identity_type,vendor_root,likely_user_target_or_entity
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,289,azure.provisioning.properties.target_identity.name,vendor_root,likely_user_target_or_entity
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,333,azure.provisioning.properties.target_system,vendor_root,entity_target_generic
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,336,azure.provisioning.properties.target_system.Id,vendor_root,entity_target_generic
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,340,azure.provisioning.properties.target_system.Name,vendor_root,entity_target_generic
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,344,azure.provisioning.properties.target_system.details.ApplicationId,vendor_root,likely_service_target_or_entity
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,348,azure.provisioning.properties.target_system.details.ServicePrincipalDisplayName,vendor_root,likely_user_target_or_entity
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,352,azure.provisioning.properties.target_system.details.ServicePrincipalId,vendor_root,likely_user_target_or_entity
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,345,azure.provisioning.properties.target_system.details.application_id,vendor_root,likely_service_target_or_entity
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,349,azure.provisioning.properties.target_system.details.dervice_principal_display_name,vendor_root,likely_user_target_or_entity
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,353,azure.provisioning.properties.target_system.details.service_principal_id,vendor_root,likely_user_target_or_entity
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,337,azure.provisioning.properties.target_system.id,vendor_root,entity_target_generic
+azure,provisioning,ingest_pipeline,packages/azure/data_stream/provisioning/elasticsearch/ingest_pipeline/default.yml,341,azure.provisioning.properties.target_system.name,vendor_root,entity_target_generic
+azure,firewall_logs,ingest_pipeline,packages/azure/data_stream/firewall_logs/elasticsearch/ingest_pipeline/default.yml,124,json.properties.TargetUrl,other_vendor_or_nested,entity_target_generic
+azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,202,properties.target_identity,other_vendor_or_nested,likely_user_target_or_entity
+azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,216,properties.target_identity.details,other_vendor_or_nested,likely_user_target_or_entity
+azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,207,properties.target_identity.id,other_vendor_or_nested,likely_user_target_or_entity
+azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,213,properties.target_identity.identity_type,other_vendor_or_nested,likely_user_target_or_entity
+azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,210,properties.target_identity.name,other_vendor_or_nested,likely_user_target_or_entity
+azure,auditlogs,fields_yml_nested,packages/azure/data_stream/auditlogs/fields/fields.yml,74,properties.target_resources.*,other_vendor_or_nested,entity_target_generic
+azure,auditlogs,fields_yml_nested,packages/azure/data_stream/auditlogs/fields/fields.yml,77,properties.target_resources.*.display_name,other_vendor_or_nested,entity_target_generic
+azure,auditlogs,fields_yml_nested,packages/azure/data_stream/auditlogs/fields/fields.yml,81,properties.target_resources.*.id,other_vendor_or_nested,entity_target_generic
+azure,auditlogs,fields_yml_nested,packages/azure/data_stream/auditlogs/fields/fields.yml,89,properties.target_resources.*.ip_address,other_vendor_or_nested,entity_target_generic
+azure,auditlogs,fields_yml_nested,packages/azure/data_stream/auditlogs/fields/fields.yml,97,properties.target_resources.*.modified_properties.*,other_vendor_or_nested,entity_target_generic
+azure,auditlogs,fields_yml_nested,packages/azure/data_stream/auditlogs/fields/fields.yml,104,properties.target_resources.*.modified_properties.*.display_name,other_vendor_or_nested,entity_target_generic
+azure,auditlogs,fields_yml_nested,packages/azure/data_stream/auditlogs/fields/fields.yml,100,properties.target_resources.*.modified_properties.*.new_value,other_vendor_or_nested,entity_target_generic
+azure,auditlogs,fields_yml_nested,packages/azure/data_stream/auditlogs/fields/fields.yml,108,properties.target_resources.*.modified_properties.*.old_value,other_vendor_or_nested,entity_target_generic
+azure,auditlogs,fields_yml_nested,packages/azure/data_stream/auditlogs/fields/fields.yml,85,properties.target_resources.*.type,other_vendor_or_nested,entity_target_generic
+azure,auditlogs,fields_yml_nested,packages/azure/data_stream/auditlogs/fields/fields.yml,93,properties.target_resources.*.user_principal_name,other_vendor_or_nested,likely_user_target_or_entity
+azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,219,properties.target_system,other_vendor_or_nested,entity_target_generic
+azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,230,properties.target_system.details,other_vendor_or_nested,entity_target_generic
+azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,234,properties.target_system.details.application_id,other_vendor_or_nested,likely_service_target_or_entity
+azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,238,properties.target_system.details.dervice_principal_display_name,other_vendor_or_nested,likely_user_target_or_entity
+azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,236,properties.target_system.details.service_principal_id,other_vendor_or_nested,likely_user_target_or_entity
+azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,224,properties.target_system.id,other_vendor_or_nested,entity_target_generic
+azure,provisioning,fields_yml_nested,packages/azure/data_stream/provisioning/fields/fields.yml,227,properties.target_system.name,other_vendor_or_nested,entity_target_generic
+azure,provisioning,expected_json,packages/azure/data_stream/provisioning/_dev/test/pipeline/test-provisioninglogs-raw.log-expected.json,0,target_identity,other_vendor_or_nested,likely_user_target_or_entity
+azure,auditlogs,expected_json,packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-audit-logs-duration-as-string.log-expected.json,0,target_resources,other_vendor_or_nested,entity_target_generic
+azure,auditlogs,expected_json,packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-audit-logs-edgecases.log-expected.json,0,target_resources,other_vendor_or_nested,entity_target_generic
+azure,auditlogs,expected_json,packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-audit-logs-sample.log-expected.json,0,target_resources,other_vendor_or_nested,entity_target_generic
+azure,auditlogs,expected_json,packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log-expected.json,0,target_resources,other_vendor_or_nested,entity_target_generic
+azure,provisioning,expected_json,packages/azure/data_stream/provisioning/_dev/test/pipeline/test-provisioninglogs-raw.log-expected.json,0,target_system,other_vendor_or_nested,entity_target_generic
+azure_network_watcher_vnet,log,ingest_pipeline,packages/azure_network_watcher_vnet/data_stream/log/elasticsearch/ingest_pipeline/default.yml,88,azure_network_watcher_vnet.log.target_resource_id,vendor_root,entity_target_generic
+azure_network_watcher_vnet,log,fields_yml_nested,packages/azure_network_watcher_vnet/data_stream/log/fields/fields.yml,109,azure_network_watcher_vnet.log.target_resource_id,vendor_root,entity_target_generic
+azure_network_watcher_vnet,log,ingest_pipeline,packages/azure_network_watcher_vnet/data_stream/log/elasticsearch/ingest_pipeline/default.yml,86,json.targetResourceID,other_vendor_or_nested,entity_target_generic
+azure_network_watcher_vnet,log,expected_json,packages/azure_network_watcher_vnet/data_stream/log/_dev/test/pipeline/test-vnet.log-expected.json,0,target_resource_id,other_vendor_or_nested,entity_target_generic
+bbot,asm_intel,fields_yml_flat,packages/bbot/data_stream/asm_intel/fields/fields.yml,502,bbot.data.scan_config.target.blacklist_hash,vendor_root,entity_target_generic
+bbot,asm_intel,fields_yml_flat,packages/bbot/data_stream/asm_intel/fields/fields.yml,504,bbot.data.scan_config.target.hash,vendor_root,entity_target_generic
+bbot,asm_intel,fields_yml_flat,packages/bbot/data_stream/asm_intel/fields/fields.yml,506,bbot.data.scan_config.target.scope_hash,vendor_root,entity_target_generic
+bbot,asm_intel,fields_yml_flat,packages/bbot/data_stream/asm_intel/fields/fields.yml,508,bbot.data.scan_config.target.seed_hash,vendor_root,entity_target_generic
+bbot,asm_intel,fields_yml_flat,packages/bbot/data_stream/asm_intel/fields/fields.yml,510,bbot.data.scan_config.target.seeds,vendor_root,entity_target_generic
+bbot,asm_intel,fields_yml_flat,packages/bbot/data_stream/asm_intel/fields/fields.yml,512,bbot.data.scan_config.target.strict_scope,vendor_root,entity_target_generic
+bbot,asm_intel,fields_yml_flat,packages/bbot/data_stream/asm_intel/fields/fields.yml,514,bbot.data.scan_config.target.whitelist,vendor_root,entity_target_generic
+bbot,asm_intel,fields_yml_flat,packages/bbot/data_stream/asm_intel/fields/fields.yml,516,bbot.data.scan_config.target.whitelist_hash,vendor_root,entity_target_generic
+bbot,asm_intel,expected_json,packages/bbot/data_stream/asm_intel/_dev/test/pipeline/test-bbot-v2-ndjson.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+bitdefender,push_notifications,fields_yml_nested,packages/bitdefender/data_stream/push_notifications/fields/fields.yml,216,bitdefender.event.targetName,vendor_root,entity_target_generic
+bitdefender,push_notifications,fields_yml_nested,packages/bitdefender/data_stream/push_notifications/fields/fields.yml,218,bitdefender.event.target_type,vendor_root,entity_target_generic
+bitdefender,push_notifications,expected_json,packages/bitdefender/data_stream/push_notifications/_dev/test/pipeline/test-push-notification-jsonrpc.json-expected.json,0,targetName,other_vendor_or_nested,entity_target_generic
+bitdefender,push_notifications,expected_json,packages/bitdefender/data_stream/push_notifications/_dev/test/pipeline/test-push-notification.json-expected.json,0,targetName,other_vendor_or_nested,entity_target_generic
+bitdefender,push_notifications,expected_json,packages/bitdefender/data_stream/push_notifications/_dev/test/pipeline/test-push-notification-jsonrpc.json-expected.json,0,target_type,other_vendor_or_nested,entity_target_generic
+bitdefender,push_notifications,expected_json,packages/bitdefender/data_stream/push_notifications/_dev/test/pipeline/test-push-notification.json-expected.json,0,target_type,other_vendor_or_nested,entity_target_generic
+bluecoat,director,fields_yml_nested,packages/bluecoat/data_stream/director/fields/fields.yml,553,rsa.misc.context_target,other_vendor_or_nested,entity_target_generic
+bluecoat,director,fields_yml_nested,packages/bluecoat/data_stream/director/fields/fields.yml,893,rsa.misc.cs_targetmodule,other_vendor_or_nested,entity_target_generic
+bluecoat,director,fields_yml_nested,packages/bluecoat/data_stream/director/fields/fields.yml,576,rsa.misc.vm_target,other_vendor_or_nested,entity_target_generic
+box_events,events,expected_json,packages/box_events/data_stream/events/_dev/test/pipeline/test-invite.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+box_events,events,ingest_pipeline,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,662,user.target.domain,ecs_top_level,likely_user_target_or_entity
+box_events,events,ingest_pipeline,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,648,user.target.email,ecs_top_level,likely_user_target_or_entity
+box_events,events,ingest_pipeline,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,643,user.target.full_name,ecs_top_level,likely_user_target_or_entity
+box_events,events,ingest_pipeline,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,667,user.target.id,ecs_top_level,likely_user_target_or_entity
+box_events,events,ingest_pipeline,packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml,658,user.target.name,ecs_top_level,likely_user_target_or_entity
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,825,canva.audit.target.id,vendor_root,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,836,canva.audit.target.name,vendor_root,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,847,canva.audit.target.organization.id,vendor_root,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,852,canva.audit.target.owner.organization.id,vendor_root,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,857,canva.audit.target.owner.team.display_name,vendor_root,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,862,canva.audit.target.owner.team.id,vendor_root,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,867,canva.audit.target.owner.type,vendor_root,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,872,canva.audit.target.owner.user.display_name,vendor_root,likely_user_target_or_entity
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,883,canva.audit.target.owner.user.email,vendor_root,likely_user_target_or_entity
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,894,canva.audit.target.owner.user.id,vendor_root,likely_user_target_or_entity
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,905,canva.audit.target.resource_type,vendor_root,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,910,canva.audit.target.target_type,vendor_root,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,915,canva.audit.target.team.display_name,vendor_root,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,925,canva.audit.target.team.id,vendor_root,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,935,canva.audit.target.user.display_name,vendor_root,likely_user_target_or_entity
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,951,canva.audit.target.user.email,vendor_root,likely_user_target_or_entity
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,967,canva.audit.target.user.id,vendor_root,likely_user_target_or_entity
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,823,json.target.id,other_vendor_or_nested,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,834,json.target.name,other_vendor_or_nested,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,845,json.target.organization.id,other_vendor_or_nested,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,850,json.target.owner.organization.id,other_vendor_or_nested,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,855,json.target.owner.team.display_name,other_vendor_or_nested,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,860,json.target.owner.team.id,other_vendor_or_nested,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,865,json.target.owner.type,other_vendor_or_nested,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,870,json.target.owner.user.display_name,other_vendor_or_nested,likely_user_target_or_entity
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,881,json.target.owner.user.email,other_vendor_or_nested,likely_user_target_or_entity
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,892,json.target.owner.user.id,other_vendor_or_nested,likely_user_target_or_entity
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,903,json.target.resource_type,other_vendor_or_nested,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,908,json.target.target_type,other_vendor_or_nested,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,913,json.target.team.display_name,other_vendor_or_nested,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,923,json.target.team.id,other_vendor_or_nested,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,933,json.target.user.display_name,other_vendor_or_nested,likely_user_target_or_entity
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,949,json.target.user.email,other_vendor_or_nested,likely_user_target_or_entity
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,965,json.target.user.id,other_vendor_or_nested,likely_user_target_or_entity
+canva,audit,expected_json,packages/canva/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,437,target.id,other_vendor_or_nested,entity_target_generic
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,440,target.name,other_vendor_or_nested,entity_target_generic
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,443,target.organization,other_vendor_or_nested,entity_target_generic
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,446,target.organization.id,other_vendor_or_nested,entity_target_generic
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,449,target.owner,other_vendor_or_nested,entity_target_generic
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,452,target.owner.organization,other_vendor_or_nested,entity_target_generic
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,455,target.owner.organization.id,other_vendor_or_nested,entity_target_generic
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,458,target.owner.team,other_vendor_or_nested,entity_target_generic
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,461,target.owner.team.display_name,other_vendor_or_nested,entity_target_generic
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,464,target.owner.team.id,other_vendor_or_nested,entity_target_generic
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,467,target.owner.type,other_vendor_or_nested,entity_target_generic
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,470,target.owner.user,other_vendor_or_nested,likely_user_target_or_entity
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,473,target.owner.user.display_name,other_vendor_or_nested,likely_user_target_or_entity
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,476,target.owner.user.email,other_vendor_or_nested,likely_user_target_or_entity
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,479,target.owner.user.id,other_vendor_or_nested,likely_user_target_or_entity
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,482,target.resource_type,other_vendor_or_nested,entity_target_generic
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,485,target.target_type,other_vendor_or_nested,entity_target_generic
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,488,target.team,other_vendor_or_nested,entity_target_generic
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,491,target.team.display_name,other_vendor_or_nested,entity_target_generic
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,494,target.team.id,other_vendor_or_nested,entity_target_generic
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,497,target.user,other_vendor_or_nested,likely_user_target_or_entity
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,500,target.user.display_name,other_vendor_or_nested,likely_user_target_or_entity
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,503,target.user.email,other_vendor_or_nested,likely_user_target_or_entity
+canva,audit,fields_yml_nested,packages/canva/data_stream/audit/fields/fields.yml,506,target.user.id,other_vendor_or_nested,likely_user_target_or_entity
+canva,audit,expected_json,packages/canva/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target_type,other_vendor_or_nested,entity_target_generic
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,954,user.target.email,ecs_top_level,likely_user_target_or_entity
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,938,user.target.full_name,ecs_top_level,likely_user_target_or_entity
+canva,audit,ingest_pipeline,packages/canva/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,970,user.target.id,ecs_top_level,likely_user_target_or_entity
+carbon_black_cloud,alert_v7,ingest_pipeline,packages/carbon_black_cloud/data_stream/alert_v7/elasticsearch/ingest_pipeline/default.yml,614,carbon_black_cloud.alert.device.target_value,vendor_root,likely_host_target_or_entity
+carbon_black_cloud,endpoint_event,ingest_pipeline,packages/carbon_black_cloud/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml,397,carbon_black_cloud.endpoint_event.crossproc.target,vendor_root,entity_target_generic
+carbon_black_cloud,endpoint_event,ingest_pipeline,packages/carbon_black_cloud/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml,372,carbon_black_cloud.endpoint_event.target_cmdline,vendor_root,entity_target_generic
+carbon_black_cloud,endpoint_event,fields_yml_nested,packages/carbon_black_cloud/data_stream/endpoint_event/fields/fields.yml,50,crossproc.target,other_vendor_or_nested,entity_target_generic +carbon_black_cloud,alert_v7,fields_yml_nested,packages/carbon_black_cloud/data_stream/alert_v7/fields/fields.yml,191,device.target_value,other_vendor_or_nested,likely_host_target_or_entity +carbon_black_cloud,endpoint_event,ingest_pipeline,packages/carbon_black_cloud/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml,396,json.crossproc_target,other_vendor_or_nested,entity_target_generic +carbon_black_cloud,alert_v7,ingest_pipeline,packages/carbon_black_cloud/data_stream/alert_v7/elasticsearch/ingest_pipeline/default.yml,613,json.device_target_value,other_vendor_or_nested,likely_host_target_or_entity +carbon_black_cloud,endpoint_event,ingest_pipeline,packages/carbon_black_cloud/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml,371,json.target_cmdline,other_vendor_or_nested,entity_target_generic +carbon_black_cloud,endpoint_event,expected_json,packages/carbon_black_cloud/data_stream/endpoint_event/_dev/test/pipeline/test-endpoint-event.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +carbon_black_cloud,endpoint_event,expected_json,packages/carbon_black_cloud/data_stream/endpoint_event/_dev/test/pipeline/test-endpoint-event.log-expected.json,0,target_cmdline,other_vendor_or_nested,entity_target_generic +carbon_black_cloud,alert_v7,expected_json,packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-base-alert.log-expected.json,0,target_value,other_vendor_or_nested,entity_target_generic +carbon_black_cloud,alert_v7,expected_json,packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-cb-analytics.log-expected.json,0,target_value,other_vendor_or_nested,entity_target_generic 
+carbon_black_cloud,alert_v7,expected_json,packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-container-runtime.log-expected.json,0,target_value,other_vendor_or_nested,entity_target_generic +carbon_black_cloud,alert_v7,expected_json,packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-watchlist.log-expected.json,0,target_value,other_vendor_or_nested,entity_target_generic +carbonblack_edr,log,expected_json,packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json,0,is_target,other_vendor_or_nested,entity_target_generic +carbonblack_edr,log,ingest_pipeline,packages/carbonblack_edr/data_stream/log/elasticsearch/ingest_pipeline/default.yml,139,json.target_create_time,other_vendor_or_nested,entity_target_generic +carbonblack_edr,log,ingest_pipeline,packages/carbonblack_edr/data_stream/log/elasticsearch/ingest_pipeline/default.yml,145,json.target_pid,other_vendor_or_nested,entity_target_generic +carbonblack_edr,log,expected_json,packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json,0,link_target,other_vendor_or_nested,entity_target_generic +carbonblack_edr,log,expected_json,packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json,0,target_create_time,other_vendor_or_nested,entity_target_generic +carbonblack_edr,log,expected_json,packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json,0,target_md5,other_vendor_or_nested,entity_target_generic +carbonblack_edr,log,expected_json,packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json,0,target_path,other_vendor_or_nested,entity_target_generic +carbonblack_edr,log,expected_json,packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json,0,target_pid,other_vendor_or_nested,entity_target_generic 
+carbonblack_edr,log,expected_json,packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json,0,target_process_guid,other_vendor_or_nested,entity_target_generic +carbonblack_edr,log,expected_json,packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json,0,target_sha256,other_vendor_or_nested,entity_target_generic +cef,log,expected_json,packages/cef/data_stream/log/_dev/test/pipeline/test-trend-micro.json-expected.json,0,TrendMicroDsMalwareTarget,other_vendor_or_nested,entity_target_generic +cef,log,expected_json,packages/cef/data_stream/log/_dev/test/pipeline/test-trend-micro.json-expected.json,0,TrendMicroDsMalwareTargetType,other_vendor_or_nested,entity_target_generic +cef,log,expected_json,packages/cef/data_stream/log/_dev/test/pipeline/test-trend-micro.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +checkpoint,firewall,fields_yml_nested,packages/checkpoint/data_stream/firewall/fields/fields.yml,1974,checkpoint.tasktargetid,vendor_root,entity_target_generic +checkpoint,firewall,expected_json,packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-audit.log-expected.json,0,tasktargetid,other_vendor_or_nested,entity_target_generic +cisco_duo,activity,ingest_pipeline,packages/cisco_duo/data_stream/activity/elasticsearch/ingest_pipeline/default.yml,139,cisco_duo.activity.old_target,vendor_root,entity_target_generic +cisco_duo,activity,ingest_pipeline,packages/cisco_duo/data_stream/activity/elasticsearch/ingest_pipeline/default.yml,143,cisco_duo.activity.old_target.details,vendor_root,entity_target_generic +cisco_duo,activity,ingest_pipeline,packages/cisco_duo/data_stream/activity/elasticsearch/ingest_pipeline/default.yml,154,cisco_duo.activity.target,vendor_root,entity_target_generic 
+cisco_duo,activity,ingest_pipeline,packages/cisco_duo/data_stream/activity/elasticsearch/ingest_pipeline/default.yml,158,cisco_duo.activity.target.details,vendor_root,entity_target_generic +cisco_duo,activity,ingest_pipeline,packages/cisco_duo/data_stream/activity/elasticsearch/ingest_pipeline/default.yml,138,json.old_target,other_vendor_or_nested,entity_target_generic +cisco_duo,activity,ingest_pipeline,packages/cisco_duo/data_stream/activity/elasticsearch/ingest_pipeline/default.yml,153,json.target,other_vendor_or_nested,entity_target_generic +cisco_duo,activity,fields_yml_nested,packages/cisco_duo/data_stream/activity/fields/fields.yml,157,old_target.details,other_vendor_or_nested,entity_target_generic +cisco_duo,activity,fields_yml_nested,packages/cisco_duo/data_stream/activity/fields/fields.yml,161,old_target.key,other_vendor_or_nested,entity_target_generic +cisco_duo,activity,fields_yml_nested,packages/cisco_duo/data_stream/activity/fields/fields.yml,165,old_target.name,other_vendor_or_nested,entity_target_generic +cisco_duo,activity,fields_yml_nested,packages/cisco_duo/data_stream/activity/fields/fields.yml,169,old_target.type,other_vendor_or_nested,entity_target_generic +cisco_duo,activity,expected_json,packages/cisco_duo/data_stream/activity/_dev/test/pipeline/test-activity.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +cisco_duo,admin,expected_json,packages/cisco_duo/data_stream/admin/_dev/test/pipeline/test-admin.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +cisco_duo,activity,fields_yml_nested,packages/cisco_duo/data_stream/activity/fields/fields.yml,182,target.details,other_vendor_or_nested,entity_target_generic +cisco_duo,activity,fields_yml_nested,packages/cisco_duo/data_stream/activity/fields/fields.yml,186,target.key,other_vendor_or_nested,entity_target_generic 
+cisco_duo,activity,fields_yml_nested,packages/cisco_duo/data_stream/activity/fields/fields.yml,190,target.name,other_vendor_or_nested,entity_target_generic +cisco_duo,activity,fields_yml_nested,packages/cisco_duo/data_stream/activity/fields/fields.yml,194,target.type,other_vendor_or_nested,entity_target_generic +cisco_duo,admin,ingest_pipeline,packages/cisco_duo/data_stream/admin/elasticsearch/ingest_pipeline/default.yml,147,user.target.name,ecs_top_level,likely_user_target_or_entity +cisco_ise,log,expected_json,packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json,0,assigned_targets,other_vendor_or_nested,entity_target_generic +cisco_ise,log,ingest_pipeline,packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml,149,cisco_ise.log.assigned_targets,vendor_root,entity_target_generic +cisco_ise,log,ingest_pipeline,packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml,148,cisco_ise.log.log_details.AssignedTargets,vendor_root,entity_target_generic +crowdstrike,fdr,expected_json,packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-windows.log-expected.json,0,TargetCommandLineParameters,other_vendor_or_nested,entity_target_generic +crowdstrike,fdr,expected_json,packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-windows.log-expected.json,0,TargetFileName,other_vendor_or_nested,entity_target_generic +crowdstrike,fdr,expected_json,packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-windows.log-expected.json,0,TargetSHA256HashData,other_vendor_or_nested,entity_target_generic +crowdstrike,fdr,expected_json,packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-windows.log-expected.json,0,TargetThreadId,other_vendor_or_nested,entity_target_generic 
+crowdstrike,fdr,expected_json,packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-windows.log-expected.json,0,TargetThreadModule,other_vendor_or_nested,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1466,crowdstrike.SymbolicLinkTarget,vendor_root,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1739,crowdstrike.TargetAuthenticationId,vendor_root,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1486,crowdstrike.TargetCommandLineParameters,vendor_root,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1488,crowdstrike.TargetDomainControllerObjectGuid,vendor_root,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1490,crowdstrike.TargetDomainControllerObjectSid,vendor_root,entity_target_generic +crowdstrike,fdr,ingest_pipeline,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,2152,crowdstrike.TargetFileName,vendor_root,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1492,crowdstrike.TargetFileName,vendor_root,entity_target_generic +crowdstrike,fdr,ingest_pipeline,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1345,crowdstrike.TargetImageFileName,vendor_root,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1741,crowdstrike.TargetIntegrityLevel,vendor_root,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1743,crowdstrike.TargetProcessCommandLine,vendor_root,entity_target_generic 
+crowdstrike,fdr,ingest_pipeline,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1106,crowdstrike.TargetProcessId,vendor_root,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1745,crowdstrike.TargetProcessImageFileName,vendor_root,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1494,crowdstrike.TargetSHA256HashData,vendor_root,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1496,crowdstrike.TargetThreadId,vendor_root,entity_target_generic +crowdstrike,fdr,fields_yml_nested,packages/crowdstrike/data_stream/fdr/fields/fields.yml,1498,crowdstrike.TargetThreadModule,vendor_root,entity_target_generic +crowdstrike,alert,fields_yml_nested,packages/crowdstrike/data_stream/alert/fields/fields.yml,589,crowdstrike.alert.target,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1944,crowdstrike.alert.target.account_name,vendor_root,entity_target_generic +crowdstrike,alert,fields_yml_nested,packages/crowdstrike/data_stream/alert/fields/fields.yml,592,crowdstrike.alert.target.account_name,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1928,crowdstrike.alert.target.domain_controller_host_name,vendor_root,likely_host_target_or_entity +crowdstrike,alert,fields_yml_nested,packages/crowdstrike/data_stream/alert/fields/fields.yml,594,crowdstrike.alert.target.domain_controller_host_name,vendor_root,likely_host_target_or_entity +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1960,crowdstrike.alert.target.domain_controller_object_guid,vendor_root,entity_target_generic 
+crowdstrike,alert,fields_yml_nested,packages/crowdstrike/data_stream/alert/fields/fields.yml,596,crowdstrike.alert.target.domain_controller_object_guid,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1965,crowdstrike.alert.target.domain_controller_object_sid,vendor_root,entity_target_generic +crowdstrike,alert,fields_yml_nested,packages/crowdstrike/data_stream/alert/fields/fields.yml,598,crowdstrike.alert.target.domain_controller_object_sid,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1970,crowdstrike.alert.target.endpoint_account_object_guid,vendor_root,entity_target_generic +crowdstrike,alert,fields_yml_nested,packages/crowdstrike/data_stream/alert/fields/fields.yml,600,crowdstrike.alert.target.endpoint_account_object_guid,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1975,crowdstrike.alert.target.endpoint_account_object_sid,vendor_root,entity_target_generic +crowdstrike,alert,fields_yml_nested,packages/crowdstrike/data_stream/alert/fields/fields.yml,602,crowdstrike.alert.target.endpoint_account_object_sid,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1912,crowdstrike.alert.target.endpoint_host_name,vendor_root,likely_host_target_or_entity +crowdstrike,alert,fields_yml_nested,packages/crowdstrike/data_stream/alert/fields/fields.yml,604,crowdstrike.alert.target.endpoint_host_name,vendor_root,likely_host_target_or_entity +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1980,crowdstrike.alert.target.endpoint_sensor_id,vendor_root,entity_target_generic 
+crowdstrike,alert,fields_yml_nested,packages/crowdstrike/data_stream/alert/fields/fields.yml,606,crowdstrike.alert.target.endpoint_sensor_id,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1985,crowdstrike.alert.target.service_access_identifier,vendor_root,likely_service_target_or_entity +crowdstrike,alert,fields_yml_nested,packages/crowdstrike/data_stream/alert/fields/fields.yml,608,crowdstrike.alert.target.service_access_identifier,vendor_root,likely_service_target_or_entity +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1942,crowdstrike.alert.target_account_name,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1926,crowdstrike.alert.target_domain_controller_host_name,vendor_root,likely_host_target_or_entity +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1958,crowdstrike.alert.target_domain_controller_object_guid,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1963,crowdstrike.alert.target_domain_controller_object_sid,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1968,crowdstrike.alert.target_endpoint_account_object_guid,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1973,crowdstrike.alert.target_endpoint_account_object_sid,vendor_root,entity_target_generic 
+crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1910,crowdstrike.alert.target_endpoint_host_name,vendor_root,likely_host_target_or_entity +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1978,crowdstrike.alert.target_endpoint_sensor_id,vendor_root,entity_target_generic +crowdstrike,alert,ingest_pipeline,packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1983,crowdstrike.alert.target_service_access_identifier,vendor_root,likely_service_target_or_entity +crowdstrike,alert,expected_json,packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +crowdstrike,falcon,expected_json,packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-event-stream.log-expected.json,0,target_user,other_vendor_or_nested,likely_user_target_or_entity +crowdstrike,fdr,ingest_pipeline,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1674,user.target.id,ecs_top_level,likely_user_target_or_entity +crowdstrike,fdr,ingest_pipeline,packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml,1635,user.target.name,ecs_top_level,likely_user_target_or_entity +cyberark_epm,policyaudit_raw_event,expected_json,packages/cyberark_epm/data_stream/policyaudit_raw_event/_dev/test/pipeline/test-policyaudit-raw-event.log-expected.json,0,access_target_name,other_vendor_or_nested,entity_target_generic +cyberark_epm,raw_event,expected_json,packages/cyberark_epm/data_stream/raw_event/_dev/test/pipeline/test-raw-event.log-expected.json,0,access_target_name,other_vendor_or_nested,entity_target_generic 
+cyberark_epm,policyaudit_raw_event,expected_json,packages/cyberark_epm/data_stream/policyaudit_raw_event/_dev/test/pipeline/test-policyaudit-raw-event.log-expected.json,0,access_target_type,other_vendor_or_nested,entity_target_generic +cyberark_epm,raw_event,expected_json,packages/cyberark_epm/data_stream/raw_event/_dev/test/pipeline/test-raw-event.log-expected.json,0,access_target_type,other_vendor_or_nested,entity_target_generic +cyberark_epm,aggregated_event,ingest_pipeline,packages/cyberark_epm/data_stream/aggregated_event/elasticsearch/ingest_pipeline/default.yml,439,cyberark_epm.aggregated_event.last_event_access_target_name,vendor_root,entity_target_generic +cyberark_epm,aggregated_event,fields_yml_nested,packages/cyberark_epm/data_stream/aggregated_event/fields/fields.yml,70,cyberark_epm.aggregated_event.last_event_access_target_name,vendor_root,entity_target_generic +cyberark_epm,aggregated_event,ingest_pipeline,packages/cyberark_epm/data_stream/aggregated_event/elasticsearch/ingest_pipeline/default.yml,444,cyberark_epm.aggregated_event.last_event_access_target_type,vendor_root,entity_target_generic +cyberark_epm,aggregated_event,fields_yml_nested,packages/cyberark_epm/data_stream/aggregated_event/fields/fields.yml,72,cyberark_epm.aggregated_event.last_event_access_target_type,vendor_root,entity_target_generic +cyberark_epm,policyaudit_aggregated_event,ingest_pipeline,packages/cyberark_epm/data_stream/policyaudit_aggregated_event/elasticsearch/ingest_pipeline/default.yml,278,cyberark_epm.policyaudit_aggregated_event.last_event_access_target,vendor_root,entity_target_generic +cyberark_epm,policyaudit_aggregated_event,fields_yml_nested,packages/cyberark_epm/data_stream/policyaudit_aggregated_event/fields/fields.yml,59,cyberark_epm.policyaudit_aggregated_event.last_event_access_target,vendor_root,entity_target_generic 
+cyberark_epm,policyaudit_aggregated_event,ingest_pipeline,packages/cyberark_epm/data_stream/policyaudit_aggregated_event/elasticsearch/ingest_pipeline/default.yml,283,cyberark_epm.policyaudit_aggregated_event.last_event_access_target_type,vendor_root,entity_target_generic +cyberark_epm,policyaudit_aggregated_event,fields_yml_nested,packages/cyberark_epm/data_stream/policyaudit_aggregated_event/fields/fields.yml,61,cyberark_epm.policyaudit_aggregated_event.last_event_access_target_type,vendor_root,entity_target_generic +cyberark_epm,policyaudit_raw_event,ingest_pipeline,packages/cyberark_epm/data_stream/policyaudit_raw_event/elasticsearch/ingest_pipeline/default.yml,134,cyberark_epm.policyaudit_raw_event.access_target_name,vendor_root,entity_target_generic +cyberark_epm,policyaudit_raw_event,fields_yml_nested,packages/cyberark_epm/data_stream/policyaudit_raw_event/fields/fields.yml,7,cyberark_epm.policyaudit_raw_event.access_target_name,vendor_root,entity_target_generic +cyberark_epm,policyaudit_raw_event,ingest_pipeline,packages/cyberark_epm/data_stream/policyaudit_raw_event/elasticsearch/ingest_pipeline/default.yml,139,cyberark_epm.policyaudit_raw_event.access_target_type,vendor_root,entity_target_generic +cyberark_epm,policyaudit_raw_event,fields_yml_nested,packages/cyberark_epm/data_stream/policyaudit_raw_event/fields/fields.yml,9,cyberark_epm.policyaudit_raw_event.access_target_type,vendor_root,entity_target_generic +cyberark_epm,raw_event,ingest_pipeline,packages/cyberark_epm/data_stream/raw_event/elasticsearch/ingest_pipeline/default.yml,139,cyberark_epm.raw_event.access_target_name,vendor_root,entity_target_generic +cyberark_epm,raw_event,fields_yml_nested,packages/cyberark_epm/data_stream/raw_event/fields/fields.yml,10,cyberark_epm.raw_event.access_target_name,vendor_root,entity_target_generic 
+cyberark_epm,raw_event,ingest_pipeline,packages/cyberark_epm/data_stream/raw_event/elasticsearch/ingest_pipeline/default.yml,144,cyberark_epm.raw_event.access_target_type,vendor_root,entity_target_generic +cyberark_epm,raw_event,fields_yml_nested,packages/cyberark_epm/data_stream/raw_event/fields/fields.yml,13,cyberark_epm.raw_event.access_target_type,vendor_root,entity_target_generic +cyberark_epm,aggregated_event,ingest_pipeline,packages/cyberark_epm/data_stream/aggregated_event/elasticsearch/ingest_pipeline/default.yml,579,file.target_path,ecs_top_level,entity_target_generic +cyberark_epm,policyaudit_aggregated_event,ingest_pipeline,packages/cyberark_epm/data_stream/policyaudit_aggregated_event/elasticsearch/ingest_pipeline/default.yml,373,file.target_path,ecs_top_level,entity_target_generic +cyberark_epm,policyaudit_raw_event,ingest_pipeline,packages/cyberark_epm/data_stream/policyaudit_raw_event/elasticsearch/ingest_pipeline/default.yml,681,file.target_path,ecs_top_level,entity_target_generic +cyberark_epm,raw_event,ingest_pipeline,packages/cyberark_epm/data_stream/raw_event/elasticsearch/ingest_pipeline/default.yml,977,file.target_path,ecs_top_level,entity_target_generic +cyberark_epm,policyaudit_raw_event,ingest_pipeline,packages/cyberark_epm/data_stream/policyaudit_raw_event/elasticsearch/ingest_pipeline/default.yml,132,json.accessTargetName,other_vendor_or_nested,entity_target_generic +cyberark_epm,raw_event,ingest_pipeline,packages/cyberark_epm/data_stream/raw_event/elasticsearch/ingest_pipeline/default.yml,137,json.accessTargetName,other_vendor_or_nested,entity_target_generic +cyberark_epm,policyaudit_raw_event,ingest_pipeline,packages/cyberark_epm/data_stream/policyaudit_raw_event/elasticsearch/ingest_pipeline/default.yml,137,json.accessTargetType,other_vendor_or_nested,entity_target_generic 
+cyberark_epm,raw_event,ingest_pipeline,packages/cyberark_epm/data_stream/raw_event/elasticsearch/ingest_pipeline/default.yml,142,json.accessTargetType,other_vendor_or_nested,entity_target_generic +cyberark_epm,policyaudit_aggregated_event,ingest_pipeline,packages/cyberark_epm/data_stream/policyaudit_aggregated_event/elasticsearch/ingest_pipeline/default.yml,276,json.lastEventAccessTarget,other_vendor_or_nested,entity_target_generic +cyberark_epm,aggregated_event,ingest_pipeline,packages/cyberark_epm/data_stream/aggregated_event/elasticsearch/ingest_pipeline/default.yml,437,json.lastEventAccessTargetName,other_vendor_or_nested,entity_target_generic +cyberark_epm,aggregated_event,ingest_pipeline,packages/cyberark_epm/data_stream/aggregated_event/elasticsearch/ingest_pipeline/default.yml,442,json.lastEventAccessTargetType,other_vendor_or_nested,entity_target_generic +cyberark_epm,policyaudit_aggregated_event,ingest_pipeline,packages/cyberark_epm/data_stream/policyaudit_aggregated_event/elasticsearch/ingest_pipeline/default.yml,281,json.lastEventAccessTargetType,other_vendor_or_nested,entity_target_generic +cyberark_epm,policyaudit_aggregated_event,expected_json,packages/cyberark_epm/data_stream/policyaudit_aggregated_event/_dev/test/pipeline/test-policyaudit-aggregated-event.log-expected.json,0,last_event_access_target_type,other_vendor_or_nested,entity_target_generic +cyberark_epm,raw_event,expected_json,packages/cyberark_epm/data_stream/raw_event/_dev/test/pipeline/test-raw-event.log-expected.json,0,target_path,other_vendor_or_nested,entity_target_generic +cyberarkpas,audit,expected_json,packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +cyberarkpas,audit,expected_json,packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+cyberarkpas,audit,expected_json,packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +cyberarkpas,audit,expected_json,packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +cyberarkpas,audit,expected_json,packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +cyberarkpas,audit,expected_json,packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +cyberarkpas,audit,expected_json,packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +cyberarkpas,audit,expected_json,packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +cyberarkpas,audit,expected_json,packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json,0,target_user,other_vendor_or_nested,likely_user_target_or_entity +cyberarkpas,audit,expected_json,packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json,0,target_user,other_vendor_or_nested,likely_user_target_or_entity +cyera,event,ingest_pipeline,packages/cyera/data_stream/event/elasticsearch/ingest_pipeline/default.yml,554,cyera.event.target_classifications,vendor_root,entity_target_generic +cyera,event,fields_yml_nested,packages/cyera/data_stream/event/fields/fields.yml,267,cyera.event.target_classifications,vendor_root,entity_target_generic 
+cyera,event,fields_yml_nested,packages/cyera/data_stream/event/fields/fields.yml,270,cyera.event.target_classifications.name,vendor_root,entity_target_generic +cyera,event,fields_yml_nested,packages/cyera/data_stream/event/fields/fields.yml,273,cyera.event.target_classifications.uid,vendor_root,entity_target_generic +cyera,event,fields_yml_nested,packages/cyera/data_stream/event/fields/fields.yml,276,cyera.event.target_sensitivity,vendor_root,entity_target_generic +cyera,event,ingest_pipeline,packages/cyera/data_stream/event/elasticsearch/ingest_pipeline/default.yml,559,cyera.event.target_sensitivity.display_name,vendor_root,entity_target_generic +cyera,event,fields_yml_nested,packages/cyera/data_stream/event/fields/fields.yml,279,cyera.event.target_sensitivity.display_name,vendor_root,entity_target_generic +cyera,event,ingest_pipeline,packages/cyera/data_stream/event/elasticsearch/ingest_pipeline/default.yml,564,cyera.event.target_sensitivity.value,vendor_root,entity_target_generic +cyera,event,fields_yml_nested,packages/cyera/data_stream/event/fields/fields.yml,282,cyera.event.target_sensitivity.value,vendor_root,entity_target_generic +cyera,event,ingest_pipeline,packages/cyera/data_stream/event/elasticsearch/ingest_pipeline/default.yml,542,json.targetClassifications,other_vendor_or_nested,entity_target_generic +cyera,event,ingest_pipeline,packages/cyera/data_stream/event/elasticsearch/ingest_pipeline/default.yml,562,json.targetSensitivity,other_vendor_or_nested,entity_target_generic +cyera,event,ingest_pipeline,packages/cyera/data_stream/event/elasticsearch/ingest_pipeline/default.yml,557,json.targetSensitivityDisplayName,other_vendor_or_nested,entity_target_generic +cyera,event,expected_json,packages/cyera/data_stream/event/_dev/test/pipeline/test-event.log-expected.json,0,target_classifications,other_vendor_or_nested,entity_target_generic 
+cyera,event,expected_json,packages/cyera/data_stream/event/_dev/test/pipeline/test-event.log-expected.json,0,target_sensitivity,other_vendor_or_nested,entity_target_generic +cylance,protect,fields_yml_nested,packages/cylance/data_stream/protect/fields/fields.yml,553,rsa.misc.context_target,other_vendor_or_nested,entity_target_generic +cylance,protect,fields_yml_nested,packages/cylance/data_stream/protect/fields/fields.yml,893,rsa.misc.cs_targetmodule,other_vendor_or_nested,entity_target_generic +cylance,protect,fields_yml_nested,packages/cylance/data_stream/protect/fields/fields.yml,576,rsa.misc.vm_target,other_vendor_or_nested,entity_target_generic +darktrace,model_breach_alert,ingest_pipeline,packages/darktrace/data_stream/model_breach_alert/elasticsearch/ingest_pipeline/default.yml,876,json.model.logic.targetScore,other_vendor_or_nested,entity_target_generic +darktrace,model_breach_alert,ingest_pipeline,packages/darktrace/data_stream/model_breach_alert/elasticsearch/ingest_pipeline/default.yml,877,json.model.logic.target_score,other_vendor_or_nested,entity_target_generic +darktrace,model_breach_alert,fields_yml_nested,packages/darktrace/data_stream/model_breach_alert/fields/fields.yml,282,model.logic.target_score,other_vendor_or_nested,entity_target_generic +darktrace,model_breach_alert,expected_json,packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model-breach-alert.log-expected.json,0,target_score,other_vendor_or_nested,entity_target_generic +elasticsearch,index_recovery,fields_yml_flat,packages/elasticsearch/data_stream/index_recovery/fields/fields.yml,84,target.host,other_vendor_or_nested,likely_host_target_or_entity +elasticsearch,index_recovery,fields_yml_flat,packages/elasticsearch/data_stream/index_recovery/fields/fields.yml,80,target.id,other_vendor_or_nested,entity_target_generic 
+elasticsearch,index_recovery,fields_yml_flat,packages/elasticsearch/data_stream/index_recovery/fields/fields.yml,88,target.name,other_vendor_or_nested,entity_target_generic +elasticsearch,index_recovery,fields_yml_flat,packages/elasticsearch/data_stream/index_recovery/fields/fields.yml,78,target.transport_address,other_vendor_or_nested,entity_target_generic +endace,log,fields_yml_nested,packages/endace/data_stream/log/fields/package-fields.yml,308,netflow.dns_srv_target,other_vendor_or_nested,entity_target_generic +endace,log,fields_yml_nested,packages/endace/data_stream/log/fields/package-fields.yml,548,netflow.http_request_target,other_vendor_or_nested,entity_target_generic +eset_protect,device_task,fields_yml_nested,packages/eset_protect/data_stream/device_task/fields/fields.yml,34,eset_protect.device_task.action.params.scan_targets,vendor_root,likely_host_target_or_entity +eset_protect,device_task,fields_yml_nested,packages/eset_protect/data_stream/device_task/fields/fields.yml,42,eset_protect.device_task.targets,vendor_root,likely_host_target_or_entity +eset_protect,device_task,ingest_pipeline,packages/eset_protect/data_stream/device_task/elasticsearch/ingest_pipeline/default.yml,122,eset_protect.device_task.targets.device_groups_uuids,vendor_root,likely_host_target_or_entity +eset_protect,device_task,fields_yml_nested,packages/eset_protect/data_stream/device_task/fields/fields.yml,45,eset_protect.device_task.targets.device_groups_uuids,vendor_root,likely_host_target_or_entity +eset_protect,device_task,ingest_pipeline,packages/eset_protect/data_stream/device_task/elasticsearch/ingest_pipeline/default.yml,136,eset_protect.device_task.targets.devices_uuids,vendor_root,likely_host_target_or_entity +eset_protect,device_task,fields_yml_nested,packages/eset_protect/data_stream/device_task/fields/fields.yml,48,eset_protect.device_task.targets.devices_uuids,vendor_root,likely_host_target_or_entity 
+eset_protect,event,ingest_pipeline,packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml,827,eset_protect.event.target,vendor_root,entity_target_generic +eset_protect,event,fields_yml_nested,packages/eset_protect/data_stream/event/fields/fields.yml,150,eset_protect.event.target,vendor_root,entity_target_generic +eset_protect,event,ingest_pipeline,packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml,832,eset_protect.event.target_address,vendor_root,entity_target_generic +eset_protect,event,fields_yml_nested,packages/eset_protect/data_stream/event/fields/fields.yml,153,eset_protect.event.target_address,vendor_root,entity_target_generic +eset_protect,event,ingest_pipeline,packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml,878,eset_protect.event.target_address_type,vendor_root,entity_target_generic +eset_protect,event,fields_yml_nested,packages/eset_protect/data_stream/event/fields/fields.yml,156,eset_protect.event.target_address_type,vendor_root,entity_target_generic +eset_protect,event,ingest_pipeline,packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml,883,eset_protect.event.target_port,vendor_root,entity_target_generic +eset_protect,event,fields_yml_nested,packages/eset_protect/data_stream/event/fields/fields.yml,159,eset_protect.event.target_port,vendor_root,entity_target_generic +eset_protect,device_task,ingest_pipeline,packages/eset_protect/data_stream/device_task/elasticsearch/ingest_pipeline/default.yml,94,json.action.params.scanTargets,other_vendor_or_nested,entity_target_generic +eset_protect,device_task,ingest_pipeline,packages/eset_protect/data_stream/device_task/elasticsearch/ingest_pipeline/default.yml,96,json.action.params.scan_targets,other_vendor_or_nested,entity_target_generic 
+eset_protect,event,ingest_pipeline,packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml,825,json.target,other_vendor_or_nested,entity_target_generic +eset_protect,event,ingest_pipeline,packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml,830,json.target_address,other_vendor_or_nested,entity_target_generic +eset_protect,event,ingest_pipeline,packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml,876,json.target_address_type,other_vendor_or_nested,entity_target_generic +eset_protect,event,ingest_pipeline,packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml,881,json.target_port,other_vendor_or_nested,entity_target_generic +eset_protect,device_task,ingest_pipeline,packages/eset_protect/data_stream/device_task/elasticsearch/ingest_pipeline/default.yml,120,json.targets.deviceGroupsUuids,other_vendor_or_nested,likely_host_target_or_entity +eset_protect,device_task,ingest_pipeline,packages/eset_protect/data_stream/device_task/elasticsearch/ingest_pipeline/default.yml,125,json.targets.devicesUuids,other_vendor_or_nested,likely_host_target_or_entity +eset_protect,device_task,expected_json,packages/eset_protect/data_stream/device_task/_dev/test/pipeline/test-device-task.log-expected.json,0,scan_targets,other_vendor_or_nested,entity_target_generic +eset_protect,event,expected_json,packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +eset_protect,event,expected_json,packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json,0,target_address,other_vendor_or_nested,entity_target_generic +eset_protect,event,expected_json,packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json,0,target_address_type,other_vendor_or_nested,entity_target_generic 
+eset_protect,event,expected_json,packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json,0,target_port,other_vendor_or_nested,entity_target_generic +eset_protect,device_task,expected_json,packages/eset_protect/data_stream/device_task/_dev/test/pipeline/test-device-task.log-expected.json,0,targets,other_vendor_or_nested,entity_target_generic +falco,alerts,fields_yml_flat,packages/falco/data_stream/alerts/fields/fields.yml,410,fs.path.target,other_vendor_or_nested,entity_target_generic +falco,alerts_agent,fields_yml_flat,packages/falco/data_stream/alerts_agent/fields/fields.yml,410,fs.path.target,other_vendor_or_nested,entity_target_generic +fim,event,expected_json,packages/fim/data_stream/event/_dev/test/pipeline/test-etw-backend.json-expected.json,0,target_path,other_vendor_or_nested,entity_target_generic +forgerock,idm_sync,fields_yml_flat,packages/forgerock/data_stream/idm_sync/fields/forgerock-fields.yml,25,forgerock.targetObjectId,vendor_root,entity_target_generic +forgerock,idm_core,expected_json,packages/forgerock/data_stream/idm_core/_dev/test/pipeline/test-idm-core.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +forgerock,idm_sync,expected_json,packages/forgerock/data_stream/idm_sync/_dev/test/pipeline/test-idm-sync.log-expected.json,0,targetObjectId,other_vendor_or_nested,entity_target_generic +fortinet_forticlient,log,fields_yml_nested,packages/fortinet_forticlient/data_stream/log/fields/fields.yml,553,rsa.misc.context_target,other_vendor_or_nested,entity_target_generic +fortinet_forticlient,log,fields_yml_nested,packages/fortinet_forticlient/data_stream/log/fields/fields.yml,893,rsa.misc.cs_targetmodule,other_vendor_or_nested,entity_target_generic +fortinet_forticlient,log,fields_yml_nested,packages/fortinet_forticlient/data_stream/log/fields/fields.yml,576,rsa.misc.vm_target,other_vendor_or_nested,entity_target_generic 
+fortinet_fortigate,log,fields_yml_nested,packages/fortinet_fortigate/data_stream/log/fields/fields.yml,1461,fortinet.firewall.slatargetid,other_vendor_or_nested,entity_target_generic +fortinet_fortigate,log,expected_json,packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-7-4.log-expected.json,0,slatargetid,other_vendor_or_nested,entity_target_generic +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,102,entity.target,other_vendor_or_nested,entity_target_generic +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,105,entity.target.id,other_vendor_or_nested,entity_target_generic +gcp,dns,ingest_pipeline,packages/gcp/data_stream/dns/elasticsearch/ingest_pipeline/default.yml,318,gcp.dns.target_type,vendor_root,entity_target_generic +gcp,loadbalancing_logs,ingest_pipeline,packages/gcp/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml,180,gcp.load_balancer.target_proxy_name,vendor_root,entity_target_generic +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,87,host.target,ecs_top_level,likely_host_target_or_entity +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,90,host.target.entity,ecs_top_level,likely_host_target_or_entity +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,93,host.target.entity.id,ecs_top_level,likely_host_target_or_entity +gcp,loadbalancing_logs,ingest_pipeline,packages/gcp/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml,179,json.resource.labels.target_proxy_name,other_vendor_or_nested,entity_target_generic +gcp,dns,ingest_pipeline,packages/gcp/data_stream/dns/elasticsearch/ingest_pipeline/default.yml,319,json.resource.labels.target_type,other_vendor_or_nested,entity_target_generic 
+gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/fields.yml,264,labels.payload.targetVersion,ecs_top_level,entity_target_generic +gcp,firewall,fields_yml_nested,packages/gcp/data_stream/firewall/fields/fields.yml,41,rule_details.target_service_account,other_vendor_or_nested,likely_service_target_or_entity +gcp,firewall,fields_yml_nested,packages/gcp/data_stream/firewall/fields/fields.yml,29,rule_details.target_tag,other_vendor_or_nested,entity_target_generic +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,69,service.target,other_vendor_or_nested,likely_service_target_or_entity +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,72,service.target.entity,other_vendor_or_nested,likely_service_target_or_entity +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,75,service.target.entity.id,other_vendor_or_nested,likely_service_target_or_entity +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-cloudresourcemanager-googleapis-com.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-compute-googleapis-com.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-iamcredentials-googleapis-com.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-networks-disks-classification.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-sdh-3695.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-user-entities.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-user-target-entities.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +gcp,audit,ingest_pipeline,packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,224,target.entity.id,other_vendor_or_nested,entity_target_generic +gcp,audit,fields_yml_flat,packages/gcp/data_stream/audit/fields/base-fields.yml,35,target.entity.id,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,targetId,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-compute-googleapis-com.log-expected.json,0,targetId,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,targetLink,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-compute-googleapis-com.log-expected.json,0,targetLink,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,targetResource,other_vendor_or_nested,entity_target_generic +gcp,audit,expected_json,packages/gcp/data_stream/audit/_dev/test/pipeline/test-cluster-notifications.json-expected.json,0,targetVersion,other_vendor_or_nested,entity_target_generic 
+gcp,loadbalancing_logs,expected_json,packages/gcp/data_stream/loadbalancing_logs/_dev/test/pipeline/test-load-balancer.log-expected.json,0,target_proxy_name,other_vendor_or_nested,entity_target_generic +gcp,firewall,expected_json,packages/gcp/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json,0,target_tag,other_vendor_or_nested,entity_target_generic +gcp,dns,expected_json,packages/gcp/data_stream/dns/_dev/test/pipeline/test-dns-empty-rdata.log-expected.json,0,target_type,other_vendor_or_nested,entity_target_generic +gcp,dns,expected_json,packages/gcp/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json,0,target_type,other_vendor_or_nested,entity_target_generic +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,51,user.target,ecs_top_level,likely_user_target_or_entity +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,54,user.target.entity,ecs_top_level,likely_user_target_or_entity +gcp,audit,fields_yml_nested,packages/gcp/data_stream/audit/fields/base-fields.yml,57,user.target.entity.id,ecs_top_level,likely_user_target_or_entity +gcp_vertexai,metrics,ingest_pipeline,packages/gcp_vertexai/data_stream/metrics/elasticsearch/ingest_pipeline/default.yml,61,gcp.metrics.prediction.online.target_replicas.value,other_vendor_or_nested,entity_target_generic +gcp_vertexai,metrics,ingest_pipeline,packages/gcp_vertexai/data_stream/metrics/elasticsearch/ingest_pipeline/default.yml,62,gcp.vertexai.prediction.online.target_replicas,other_vendor_or_nested,entity_target_generic +github,audit,fields_yml_nested,packages/github/data_stream/audit/fields/fields.yml,175,github.target_branch,vendor_root,entity_target_generic +github,audit,expected_json,packages/github/data_stream/audit/_dev/test/pipeline/test-enterprise-audit-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+github,audit,expected_json,packages/github/data_stream/audit/_dev/test/pipeline/test-organisation-audit-json.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +github,audit,expected_json,packages/github/data_stream/audit/_dev/test/pipeline/test-enterprise-audit-json.log-expected.json,0,target_branch,other_vendor_or_nested,entity_target_generic +github,audit,ingest_pipeline,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,123,user.target.group.name,ecs_top_level,likely_user_target_or_entity +github,audit,ingest_pipeline,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,258,user.target.id,ecs_top_level,likely_user_target_or_entity +github,audit,ingest_pipeline,packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,94,user.target.name,ecs_top_level,likely_user_target_or_entity +gitlab,api,fields_yml_nested,packages/gitlab/data_stream/api/fields/fields.yml,136,gitlab.api.target_duration_s,vendor_root,entity_target_generic +gitlab,audit,fields_yml_nested,packages/gitlab/data_stream/audit/fields/fields.yml,17,gitlab.audit.target_details,vendor_root,entity_target_generic +gitlab,audit,fields_yml_nested,packages/gitlab/data_stream/audit/fields/fields.yml,13,gitlab.audit.target_id,vendor_root,entity_target_generic +gitlab,audit,fields_yml_nested,packages/gitlab/data_stream/audit/fields/fields.yml,15,gitlab.audit.target_type,vendor_root,entity_target_generic +gitlab,production,fields_yml_nested,packages/gitlab/data_stream/production/fields/fields.yml,271,gitlab.production.target_duration_s,vendor_root,entity_target_generic +gitlab,sidekiq,ingest_pipeline,packages/gitlab/data_stream/sidekiq/elasticsearch/ingest_pipeline/default.yml,1890,gitlab.sidekiq.target_duration_s,vendor_root,entity_target_generic +gitlab,sidekiq,fields_yml_nested,packages/gitlab/data_stream/sidekiq/fields/fields.yml,461,gitlab.sidekiq.target_duration_s,vendor_root,entity_target_generic 
+gitlab,sidekiq,ingest_pipeline,packages/gitlab/data_stream/sidekiq/elasticsearch/ingest_pipeline/default.yml,1902,gitlab.sidekiq.target_scheduling_latency_s,vendor_root,entity_target_generic +gitlab,sidekiq,fields_yml_nested,packages/gitlab/data_stream/sidekiq/fields/fields.yml,463,gitlab.sidekiq.target_scheduling_latency_s,vendor_root,entity_target_generic +gitlab,audit,expected_json,packages/gitlab/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target_details,other_vendor_or_nested,entity_target_generic +gitlab,api,expected_json,packages/gitlab/data_stream/api/_dev/test/pipeline/test-gitlab-api.log-expected.json,0,target_duration_s,other_vendor_or_nested,entity_target_generic +gitlab,production,expected_json,packages/gitlab/data_stream/production/_dev/test/pipeline/test-gitlab-production.log-expected.json,0,target_duration_s,other_vendor_or_nested,entity_target_generic +gitlab,audit,expected_json,packages/gitlab/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target_id,other_vendor_or_nested,entity_target_generic +gitlab,audit,expected_json,packages/gitlab/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target_type,other_vendor_or_nested,entity_target_generic +google_scc,asset,fields_yml_nested,packages/google_scc/data_stream/asset/fields/fields.yml,578,google_scc.asset.prior.related_assets.relationship_attributes.target_resource_type,vendor_root,entity_target_generic +google_scc,asset,fields_yml_nested,packages/google_scc/data_stream/asset/fields/fields.yml,891,google_scc.asset.related_assets.relationship_attributes.target_resource_type,vendor_root,entity_target_generic +google_scc,finding,fields_yml_nested,packages/google_scc/data_stream/finding/fields/fields.yml,239,google_scc.finding.exfiltration.targets,vendor_root,entity_target_generic 
+google_scc,finding,fields_yml_nested,packages/google_scc/data_stream/finding/fields/fields.yml,242,google_scc.finding.exfiltration.targets.components,vendor_root,entity_target_generic +google_scc,finding,fields_yml_nested,packages/google_scc/data_stream/finding/fields/fields.yml,245,google_scc.finding.exfiltration.targets.name,vendor_root,entity_target_generic +google_scc,asset,ingest_pipeline,packages/google_scc/data_stream/asset/elasticsearch/ingest_pipeline/pipeline_asset.yml,450,json.asset.relatedAssets.relationshipAttributes.targetResourceType,other_vendor_or_nested,entity_target_generic +google_scc,asset,ingest_pipeline,packages/google_scc/data_stream/asset/elasticsearch/ingest_pipeline/pipeline_asset.yml,451,json.asset.relatedAssets.relationship_attributes.target_resource_type,other_vendor_or_nested,entity_target_generic +google_scc,asset,ingest_pipeline,packages/google_scc/data_stream/asset/elasticsearch/ingest_pipeline/pipeline_prior_asset.yml,450,json.priorAsset.relatedAssets.relationshipAttributes.targetResourceType,other_vendor_or_nested,entity_target_generic +google_scc,asset,ingest_pipeline,packages/google_scc/data_stream/asset/elasticsearch/ingest_pipeline/pipeline_prior_asset.yml,451,json.priorAsset.relatedAssets.relationship_attributes.target_resource_type,other_vendor_or_nested,entity_target_generic +google_scc,asset,expected_json,packages/google_scc/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json,0,target_resource_type,other_vendor_or_nested,entity_target_generic +google_secops,alert,expected_json,packages/google_secops/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json,0,TargetLinkedLogonId,other_vendor_or_nested,entity_target_generic +google_secops,alert,expected_json,packages/google_secops/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic 
+google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1235,cloud.target.project.name,ecs_top_level,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,942,google_secops.alert.event.target,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,945,google_secops.alert.event.target.application,vendor_root,likely_service_target_or_entity +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,948,google_secops.alert.event.target.asset,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,951,google_secops.alert.event.target.asset.assetId,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,954,google_secops.alert.event.target.asset.hostname,vendor_root,likely_host_target_or_entity +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1206,google_secops.alert.event.target.asset.ip,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,957,google_secops.alert.event.target.asset.ip,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,960,google_secops.alert.event.target.asset.mac,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,963,google_secops.alert.event.target.assetId,vendor_root,entity_target_generic 
+google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,966,google_secops.alert.event.target.cloud,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,969,google_secops.alert.event.target.cloud.environment,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,972,google_secops.alert.event.target.cloud.project,vendor_root,entity_target_generic +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1237,google_secops.alert.event.target.cloud.project.name,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,975,google_secops.alert.event.target.cloud.project.name,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,978,google_secops.alert.event.target.file,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,981,google_secops.alert.event.target.file.fullPath,vendor_root,entity_target_generic +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1240,google_secops.alert.event.target.file.lastModificationTime,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,984,google_secops.alert.event.target.file.lastModificationTime,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,987,google_secops.alert.event.target.file.md5,vendor_root,entity_target_generic 
+google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,990,google_secops.alert.event.target.file.names,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,993,google_secops.alert.event.target.file.sha1,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,996,google_secops.alert.event.target.file.sha256,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,999,google_secops.alert.event.target.file.size,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1002,google_secops.alert.event.target.group,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1005,google_secops.alert.event.target.group.groupDisplayName,vendor_root,entity_target_generic +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1274,google_secops.alert.event.target.hostname,vendor_root,likely_host_target_or_entity +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1008,google_secops.alert.event.target.hostname,vendor_root,likely_host_target_or_entity +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1283,google_secops.alert.event.target.ip,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1011,google_secops.alert.event.target.ip,vendor_root,entity_target_generic 
+google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1014,google_secops.alert.event.target.labels,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1017,google_secops.alert.event.target.labels.key,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1019,google_secops.alert.event.target.labels.value,vendor_root,entity_target_generic +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1323,google_secops.alert.event.target.mac,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1021,google_secops.alert.event.target.mac,vendor_root,entity_target_generic +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1353,google_secops.alert.event.target.port,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1024,google_secops.alert.event.target.port,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1027,google_secops.alert.event.target.process,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1030,google_secops.alert.event.target.process.commandLine,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1033,google_secops.alert.event.target.process.file,vendor_root,entity_target_generic 
+google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1370,google_secops.alert.event.target.process.file.firstSeenTime,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1036,google_secops.alert.event.target.process.file.firstSeenTime,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1039,google_secops.alert.event.target.process.file.fullPath,vendor_root,entity_target_generic +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1384,google_secops.alert.event.target.process.file.lastModificationTime,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1042,google_secops.alert.event.target.process.file.lastModificationTime,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1045,google_secops.alert.event.target.process.parentProcess,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1048,google_secops.alert.event.target.process.parentProcess.commandLine,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1051,google_secops.alert.event.target.process.parentProcess.file,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1054,google_secops.alert.event.target.process.parentProcess.file.fullPath,vendor_root,entity_target_generic 
+google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1057,google_secops.alert.event.target.process.pid,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1060,google_secops.alert.event.target.process.productSpecificProcessId,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1063,google_secops.alert.event.target.registry,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1066,google_secops.alert.event.target.registry.registryKey,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1069,google_secops.alert.event.target.registry.registryValueData,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1072,google_secops.alert.event.target.registry.registryValueName,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1075,google_secops.alert.event.target.resource,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1078,google_secops.alert.event.target.resource.attribute,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1081,google_secops.alert.event.target.resource.attribute.labels,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1084,google_secops.alert.event.target.resource.attribute.labels.key,vendor_root,entity_target_generic 
+google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1086,google_secops.alert.event.target.resource.attribute.labels.value,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1088,google_secops.alert.event.target.resource.name,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1091,google_secops.alert.event.target.resource.productObjectId,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1094,google_secops.alert.event.target.resource.resourceType,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1097,google_secops.alert.event.target.resourceAncestors,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1100,google_secops.alert.event.target.resourceAncestors.name,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1103,google_secops.alert.event.target.resourceAncestors.productObjectId,vendor_root,entity_target_generic +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1106,google_secops.alert.event.target.user,vendor_root,likely_user_target_or_entity +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1398,google_secops.alert.event.target.user.emailAddresses,vendor_root,likely_user_target_or_entity +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1109,google_secops.alert.event.target.user.emailAddresses,vendor_root,likely_user_target_or_entity 
+google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1453,google_secops.alert.event.target.user.groupIdentifiers,vendor_root,likely_user_target_or_entity +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1112,google_secops.alert.event.target.user.groupIdentifiers,vendor_root,likely_user_target_or_entity +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1115,google_secops.alert.event.target.user.productObjectId,vendor_root,likely_user_target_or_entity +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1466,google_secops.alert.event.target.user.userDisplayName,vendor_root,likely_user_target_or_entity +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1118,google_secops.alert.event.target.user.userDisplayName,vendor_root,likely_user_target_or_entity +google_secops,alert,ingest_pipeline,packages/google_secops/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,1471,google_secops.alert.event.target.user.userid,vendor_root,likely_user_target_or_entity +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1121,google_secops.alert.event.target.user.userid,vendor_root,likely_user_target_or_entity +google_secops,alert,fields_yml_nested,packages/google_secops/data_stream/alert/fields/fields.yml,1124,google_secops.alert.event.target.user.windowsSid,vendor_root,likely_user_target_or_entity +google_secops,alert,expected_json,packages/google_secops/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,chat,fields_yml_nested,packages/google_workspace/data_stream/chat/fields/fields.yml,61,google_workspace.chat.target_user_role,vendor_root,likely_user_target_or_entity 
+google_workspace,chat,ingest_pipeline,packages/google_workspace/data_stream/chat/elasticsearch/ingest_pipeline/default.yml,380,google_workspace.chat.target_users,vendor_root,likely_user_target_or_entity +google_workspace,chat,fields_yml_nested,packages/google_workspace/data_stream/chat/fields/fields.yml,64,google_workspace.chat.target_users,vendor_root,likely_user_target_or_entity +google_workspace,data_studio,ingest_pipeline,packages/google_workspace/data_stream/data_studio/elasticsearch/ingest_pipeline/default.yml,316,google_workspace.data_studio.target_domain,vendor_root,entity_target_generic +google_workspace,data_studio,fields_yml_nested,packages/google_workspace/data_stream/data_studio/fields/fields.yml,48,google_workspace.data_studio.target_domain,vendor_root,entity_target_generic +google_workspace,data_studio,ingest_pipeline,packages/google_workspace/data_stream/data_studio/elasticsearch/ingest_pipeline/default.yml,321,google_workspace.data_studio.target_user_email,vendor_root,likely_user_target_or_entity +google_workspace,data_studio,fields_yml_nested,packages/google_workspace/data_stream/data_studio/fields/fields.yml,51,google_workspace.data_studio.target_user_email,vendor_root,likely_user_target_or_entity +google_workspace,drive,ingest_pipeline,packages/google_workspace/data_stream/drive/elasticsearch/ingest_pipeline/default.yml,217,google_workspace.drive.target,vendor_root,entity_target_generic +google_workspace,drive,ingest_pipeline,packages/google_workspace/data_stream/drive/elasticsearch/ingest_pipeline/default.yml,216,google_workspace.drive.target_user,vendor_root,likely_user_target_or_entity +google_workspace,meet,fields_yml_nested,packages/google_workspace/data_stream/meet/fields/fields.yml,234,google_workspace.meet.target,vendor_root,entity_target_generic 
+google_workspace,meet,ingest_pipeline,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,935,google_workspace.meet.target.display_names,vendor_root,entity_target_generic +google_workspace,meet,fields_yml_nested,packages/google_workspace/data_stream/meet/fields/fields.yml,237,google_workspace.meet.target.display_names,vendor_root,entity_target_generic +google_workspace,meet,ingest_pipeline,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,945,google_workspace.meet.target.email,vendor_root,entity_target_generic +google_workspace,meet,fields_yml_nested,packages/google_workspace/data_stream/meet/fields/fields.yml,240,google_workspace.meet.target.email,vendor_root,entity_target_generic +google_workspace,meet,ingest_pipeline,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,969,google_workspace.meet.target.phone_number,vendor_root,entity_target_generic +google_workspace,meet,fields_yml_nested,packages/google_workspace/data_stream/meet/fields/fields.yml,243,google_workspace.meet.target.phone_number,vendor_root,entity_target_generic +google_workspace,meet,ingest_pipeline,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,979,google_workspace.meet.target.user_count,vendor_root,likely_user_target_or_entity +google_workspace,meet,fields_yml_nested,packages/google_workspace/data_stream/meet/fields/fields.yml,246,google_workspace.meet.target.user_count,vendor_root,likely_user_target_or_entity +google_workspace,meet,ingest_pipeline,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,932,google_workspace.meet.target_display_names,vendor_root,entity_target_generic +google_workspace,meet,ingest_pipeline,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,943,google_workspace.meet.target_email,vendor_root,entity_target_generic 
+google_workspace,meet,ingest_pipeline,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,967,google_workspace.meet.target_phone_number,vendor_root,entity_target_generic +google_workspace,meet,ingest_pipeline,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,977,google_workspace.meet.target_user_count,vendor_root,likely_user_target_or_entity +google_workspace,vault,ingest_pipeline,packages/google_workspace/data_stream/vault/elasticsearch/ingest_pipeline/default.yml,462,google_workspace.vault.target_user,vendor_root,likely_user_target_or_entity +google_workspace,vault,fields_yml_nested,packages/google_workspace/data_stream/vault/fields/fields.yml,64,google_workspace.vault.target_user,vendor_root,likely_user_target_or_entity +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,admin,expected_json,packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,calendar,expected_json,packages/google_workspace/data_stream/calendar/_dev/test/pipeline/test-calendar.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,chat,expected_json,packages/google_workspace/data_stream/chat/_dev/test/pipeline/test-chat.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+google_workspace,data_studio,expected_json,packages/google_workspace/data_stream/data_studio/_dev/test/pipeline/test-data-studio.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,drive,expected_json,packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,groups,expected_json,packages/google_workspace/data_stream/groups/_dev/test/pipeline/test-groups.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,login,expected_json,packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,meet,expected_json,packages/google_workspace/data_stream/meet/_dev/test/pipeline/test-meet.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +google_workspace,data_studio,expected_json,packages/google_workspace/data_stream/data_studio/_dev/test/pipeline/test-data-studio.log-expected.json,0,target_domain,other_vendor_or_nested,entity_target_generic +google_workspace,drive,expected_json,packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json,0,target_domain,other_vendor_or_nested,entity_target_generic +google_workspace,drive,expected_json,packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json,0,target_user,other_vendor_or_nested,likely_user_target_or_entity +google_workspace,data_studio,expected_json,packages/google_workspace/data_stream/data_studio/_dev/test/pipeline/test-data-studio.log-expected.json,0,target_user_email,other_vendor_or_nested,likely_user_target_or_entity +google_workspace,chat,expected_json,packages/google_workspace/data_stream/chat/_dev/test/pipeline/test-chat.log-expected.json,0,target_user_role,other_vendor_or_nested,likely_user_target_or_entity 
+google_workspace,chat,expected_json,packages/google_workspace/data_stream/chat/_dev/test/pipeline/test-chat.log-expected.json,0,target_users,other_vendor_or_nested,likely_user_target_or_entity +google_workspace,data_studio,ingest_pipeline,packages/google_workspace/data_stream/data_studio/elasticsearch/ingest_pipeline/default.yml,314,user.target.domain,ecs_top_level,likely_user_target_or_entity +google_workspace,calendar,ingest_pipeline,packages/google_workspace/data_stream/calendar/elasticsearch/ingest_pipeline/default.yml,410,user.target.email,ecs_top_level,likely_user_target_or_entity +google_workspace,chat,ingest_pipeline,packages/google_workspace/data_stream/chat/elasticsearch/ingest_pipeline/default.yml,378,user.target.email,ecs_top_level,likely_user_target_or_entity +google_workspace,data_studio,ingest_pipeline,packages/google_workspace/data_stream/data_studio/elasticsearch/ingest_pipeline/default.yml,319,user.target.email,ecs_top_level,likely_user_target_or_entity +google_workspace,meet,ingest_pipeline,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,948,user.target.email,ecs_top_level,likely_user_target_or_entity +google_workspace,vault,ingest_pipeline,packages/google_workspace/data_stream/vault/elasticsearch/ingest_pipeline/default.yml,460,user.target.email,ecs_top_level,likely_user_target_or_entity +google_workspace,admin,ingest_pipeline,packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml,1314,user.target.group.domain,ecs_top_level,likely_user_target_or_entity +google_workspace,groups,ingest_pipeline,packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml,304,user.target.group.domain,ecs_top_level,likely_user_target_or_entity +google_workspace,admin,ingest_pipeline,packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml,1310,user.target.group.name,ecs_top_level,likely_user_target_or_entity 
+google_workspace,groups,ingest_pipeline,packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml,300,user.target.group.name,ecs_top_level,likely_user_target_or_entity +google_workspace,meet,ingest_pipeline,packages/google_workspace/data_stream/meet/elasticsearch/ingest_pipeline/default.yml,953,user.target.name,ecs_top_level,likely_user_target_or_entity +greenhouse,audit,fields_yml_nested,packages/greenhouse/data_stream/audit/fields/fields.yml,62,event.target_id,ecs_top_level,entity_target_generic +greenhouse,audit,fields_yml_nested,packages/greenhouse/data_stream/audit/fields/fields.yml,66,event.target_type,ecs_top_level,entity_target_generic +greenhouse,audit,ingest_pipeline,packages/greenhouse/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,181,greenhouse.audit.event.target_id,vendor_root,entity_target_generic +greenhouse,audit,expected_json,packages/greenhouse/data_stream/audit/_dev/test/pipeline/test-audit-events.json-expected.json,0,target_id,other_vendor_or_nested,entity_target_generic +greenhouse,audit,expected_json,packages/greenhouse/data_stream/audit/_dev/test/pipeline/test-audit-events.json-expected.json,0,target_type,other_vendor_or_nested,entity_target_generic +hid_bravura_monitor,winlog,expected_json,packages/hid_bravura_monitor/data_stream/winlog/_dev/test/pipeline/test-hid-bravura-monitor-events.json-expected.json,0,FailedTargets,other_vendor_or_nested,entity_target_generic +hid_bravura_monitor,log,expected_json,packages/hid_bravura_monitor/data_stream/log/_dev/test/pipeline/test-hid-bravura-monitor.log-expected.json,0,targetid,other_vendor_or_nested,entity_target_generic +hid_bravura_monitor,winlog,ingest_pipeline,packages/hid_bravura_monitor/data_stream/winlog/elasticsearch/ingest_pipeline/default.yml,38,winlog.event_data.FailedTargets,other_vendor_or_nested,entity_target_generic 
+hid_bravura_monitor,winlog,fields_yml_nested,packages/hid_bravura_monitor/data_stream/winlog/fields/winlog.yml,95,winlog.event_data.FailedTargets,other_vendor_or_nested,entity_target_generic +hid_bravura_monitor,winlog,fields_yml_nested,packages/hid_bravura_monitor/data_stream/winlog/fields/winlog.yml,206,winlog.event_data.Target,other_vendor_or_nested,entity_target_generic +hid_bravura_monitor,winlog,fields_yml_nested,packages/hid_bravura_monitor/data_stream/winlog/fields/winlog.yml,208,winlog.event_data.TargetName,other_vendor_or_nested,entity_target_generic +infoblox_bloxone_ddi,dns_data,ingest_pipeline,packages/infoblox_bloxone_ddi/data_stream/dns_data/elasticsearch/ingest_pipeline/default.yml,203,infoblox_bloxone_ddi.dns_data.rdata.target,vendor_root,entity_target_generic +infoblox_bloxone_ddi,dns_data,ingest_pipeline,packages/infoblox_bloxone_ddi/data_stream/dns_data/elasticsearch/ingest_pipeline/default.yml,202,json.rdata.target,other_vendor_or_nested,entity_target_generic +infoblox_bloxone_ddi,dns_data,fields_yml_nested,packages/infoblox_bloxone_ddi/data_stream/dns_data/fields/fields.yml,166,rdata.target,other_vendor_or_nested,entity_target_generic +infoblox_bloxone_ddi,dns_data,expected_json,packages/infoblox_bloxone_ddi/data_stream/dns_data/_dev/test/pipeline/test-pipeline-dns-data.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +island_browser,audit,expected_json,packages/island_browser/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target_server,other_vendor_or_nested,entity_target_generic +jamf_compliance_reporter,log,fields_yml_nested,packages/jamf_compliance_reporter/data_stream/log/fields/fields.yml,71,arguments.target,other_vendor_or_nested,entity_target_generic +jamf_compliance_reporter,log,fields_yml_nested,packages/jamf_compliance_reporter/data_stream/log/fields/fields.yml,74,arguments.target.port,other_vendor_or_nested,entity_target_generic 
+jamf_compliance_reporter,log,ingest_pipeline,packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_taskforpid.yml,6,jamf_compliance_reporter.log.arguments.target.port,vendor_root,entity_target_generic +jamf_compliance_reporter,log,ingest_pipeline,packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_tasknameforpid.yml,12,jamf_compliance_reporter.log.arguments.target.port,vendor_root,entity_target_generic +jamf_compliance_reporter,log,ingest_pipeline,packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_taskforpid.yml,5,json.arguments.target_port,other_vendor_or_nested,entity_target_generic +jamf_compliance_reporter,log,ingest_pipeline,packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_tasknameforpid.yml,11,json.arguments.target_port,other_vendor_or_nested,entity_target_generic +jamf_compliance_reporter,log,expected_json,packages/jamf_compliance_reporter/data_stream/log/_dev/test/pipeline/test-pipeline-audit.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,185,jamf_pro.events.event.target_device,vendor_root,likely_host_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,190,jamf_pro.events.event.target_device.bluetooth_mac_address,vendor_root,likely_host_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,194,jamf_pro.events.event.target_device.device_name,vendor_root,likely_host_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,202,jamf_pro.events.event.target_device.icci_id,vendor_root,likely_host_target_or_entity 
+jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,208,jamf_pro.events.event.target_device.imei,vendor_root,likely_host_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,214,jamf_pro.events.event.target_device.model,vendor_root,likely_host_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,204,jamf_pro.events.event.target_device.model_display,vendor_root,likely_host_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,188,jamf_pro.events.event.target_device.os_build,vendor_root,likely_host_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,212,jamf_pro.events.event.target_device.os_version,vendor_root,likely_host_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,200,jamf_pro.events.event.target_device.product,vendor_root,likely_host_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,192,jamf_pro.events.event.target_device.room,vendor_root,likely_host_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,198,jamf_pro.events.event.target_device.serial_number,vendor_root,likely_host_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,196,jamf_pro.events.event.target_device.udid,vendor_root,likely_host_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,210,jamf_pro.events.event.target_device.user_directory_id,vendor_root,likely_user_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,206,jamf_pro.events.event.target_device.version,vendor_root,likely_host_target_or_entity 
+jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,216,jamf_pro.events.event.target_device.wifi_mac_address,vendor_root,likely_host_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,158,jamf_pro.events.event.target_user,vendor_root,likely_user_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,171,jamf_pro.events.event.target_user.building_id,vendor_root,likely_user_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,175,jamf_pro.events.event.target_user.department_id,vendor_root,likely_user_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,161,jamf_pro.events.event.target_user.dn,vendor_root,likely_user_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,181,jamf_pro.events.event.target_user.email,vendor_root,likely_user_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,179,jamf_pro.events.event.target_user.password,vendor_root,likely_user_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,173,jamf_pro.events.event.target_user.phone,vendor_root,likely_user_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,177,jamf_pro.events.event.target_user.position,vendor_root,likely_user_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,183,jamf_pro.events.event.target_user.realname,vendor_root,likely_user_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,167,jamf_pro.events.event.target_user.room,vendor_root,likely_user_target_or_entity 
+jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,165,jamf_pro.events.event.target_user.uid,vendor_root,likely_user_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,163,jamf_pro.events.event.target_user.username,vendor_root,likely_user_target_or_entity +jamf_pro,events,fields_yml_nested,packages/jamf_pro/data_stream/events/fields/fields.yml,169,jamf_pro.events.event.target_user.uuid,vendor_root,likely_user_target_or_entity +jamf_pro,events,expected_json,packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-scep-challenge.json-expected.json,0,target_device,other_vendor_or_nested,likely_host_target_or_entity +jamf_pro,events,expected_json,packages/jamf_pro/data_stream/events/_dev/test/pipeline/test-scep-challenge.json-expected.json,0,target_user,other_vendor_or_nested,likely_user_target_or_entity +jamf_protect,telemetry_legacy,fields_yml_nested,packages/jamf_protect/data_stream/telemetry_legacy/fields/fields.yml,50,arguments.target,other_vendor_or_nested,entity_target_generic +jamf_protect,telemetry_legacy,fields_yml_nested,packages/jamf_protect/data_stream/telemetry_legacy/fields/fields.yml,53,arguments.target.port,other_vendor_or_nested,entity_target_generic +jamf_protect,telemetry_legacy,ingest_pipeline,packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_taskforpid.yml,6,jamf_protect.telemetry.arguments.target.port,vendor_root,entity_target_generic +jamf_protect,telemetry_legacy,ingest_pipeline,packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_tasknameforpid.yml,12,jamf_protect.telemetry.arguments.target.port,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_chroot.yml,12,jamf_protect.telemetry.event.chroot.target.path,vendor_root,entity_target_generic 
+jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,43,jamf_protect.telemetry.event.exec.target.audit_token.e_username,vendor_root,likely_user_target_or_entity +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,27,jamf_protect.telemetry.event.exec.target.audit_token.egid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,32,jamf_protect.telemetry.event.exec.target.audit_token.euid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,94,jamf_protect.telemetry.event.exec.target.audit_token.pid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,103,jamf_protect.telemetry.event.exec.target.audit_token.uuid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,55,jamf_protect.telemetry.event.exec.target.cdhash,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,161,jamf_protect.telemetry.event.exec.target.codesigning_flags,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,107,jamf_protect.telemetry.event.exec.target.executable.path,vendor_root,entity_target_generic 
+jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,59,jamf_protect.telemetry.event.exec.target.executable.sha1,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,63,jamf_protect.telemetry.event.exec.target.executable.sha256,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,51,jamf_protect.telemetry.event.exec.target.is_es_client,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,47,jamf_protect.telemetry.event.exec.target.is_platform_binary,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,188,jamf_protect.telemetry.event.exec.target.parent_audit_token.e_username,vendor_root,likely_user_target_or_entity +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,178,jamf_protect.telemetry.event.exec.target.parent_audit_token.euid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,201,jamf_protect.telemetry.event.exec.target.parent_audit_token.exec_path,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,174,jamf_protect.telemetry.event.exec.target.parent_audit_token.pid,vendor_root,entity_target_generic 
+jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,192,jamf_protect.telemetry.event.exec.target.parent_audit_token.rgid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,183,jamf_protect.telemetry.event.exec.target.parent_audit_token.ruid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,197,jamf_protect.telemetry.event.exec.target.parent_audit_token.signing_id,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,170,jamf_protect.telemetry.event.exec.target.parent_audit_token.uuid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,222,jamf_protect.telemetry.event.exec.target.responsible_audit_token.e_username,vendor_root,likely_user_target_or_entity +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,217,jamf_protect.telemetry.event.exec.target.responsible_audit_token.euid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,240,jamf_protect.telemetry.event.exec.target.responsible_audit_token.exec_path,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,213,jamf_protect.telemetry.event.exec.target.responsible_audit_token.pid,vendor_root,entity_target_generic 
+jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,231,jamf_protect.telemetry.event.exec.target.responsible_audit_token.rgid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,226,jamf_protect.telemetry.event.exec.target.responsible_audit_token.ruid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,236,jamf_protect.telemetry.event.exec.target.responsible_audit_token.signing_id,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,209,jamf_protect.telemetry.event.exec.target.responsible_audit_token.uuid,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,153,jamf_protect.telemetry.event.exec.target.signing_id,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,23,jamf_protect.telemetry.event.exec.target.start_time,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,157,jamf_protect.telemetry.event.exec.target.team_id,vendor_root,entity_target_generic +jamf_protect,telemetry,ingest_pipeline,packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_exec.yml,82,jamf_protect.telemetry.event.exec.target.tty.path,vendor_root,entity_target_generic 
+jamf_protect,telemetry_legacy,ingest_pipeline,packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_taskforpid.yml,5,json.arguments.target_port,other_vendor_or_nested,entity_target_generic +jamf_protect,telemetry_legacy,ingest_pipeline,packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_aue_tasknameforpid.yml,11,json.arguments.target_port,other_vendor_or_nested,entity_target_generic +jumpcloud,events,fields_yml_nested,packages/jumpcloud/data_stream/events/fields/fields.yml,470,jumpcloud.event.target_resource,vendor_root,entity_target_generic +jumpcloud,events,fields_yml_nested,packages/jumpcloud/data_stream/events/fields/fields.yml,473,jumpcloud.event.target_resource.type,vendor_root,entity_target_generic +juniper_junos,log,fields_yml_nested,packages/juniper_junos/data_stream/log/fields/fields.yml,553,rsa.misc.context_target,other_vendor_or_nested,entity_target_generic +juniper_junos,log,fields_yml_nested,packages/juniper_junos/data_stream/log/fields/fields.yml,893,rsa.misc.cs_targetmodule,other_vendor_or_nested,entity_target_generic +juniper_junos,log,fields_yml_nested,packages/juniper_junos/data_stream/log/fields/fields.yml,576,rsa.misc.vm_target,other_vendor_or_nested,entity_target_generic +juniper_netscreen,log,fields_yml_nested,packages/juniper_netscreen/data_stream/log/fields/fields.yml,553,rsa.misc.context_target,other_vendor_or_nested,entity_target_generic +juniper_netscreen,log,fields_yml_nested,packages/juniper_netscreen/data_stream/log/fields/fields.yml,893,rsa.misc.cs_targetmodule,other_vendor_or_nested,entity_target_generic +juniper_netscreen,log,fields_yml_nested,packages/juniper_netscreen/data_stream/log/fields/fields.yml,576,rsa.misc.vm_target,other_vendor_or_nested,entity_target_generic +jupiter_one,asset,fields_yml_nested,packages/jupiter_one/data_stream/asset/fields/fields.yml,261,jupiter_one.asset.properties.target_details,vendor_root,entity_target_generic 
+jupiter_one,risks_and_alerts,fields_yml_nested,packages/jupiter_one/data_stream/risks_and_alerts/fields/fields.yml,261,jupiter_one.asset.properties.target_details,vendor_root,entity_target_generic +jupiter_one,asset,fields_yml_nested,packages/jupiter_one/data_stream/asset/fields/fields.yml,264,jupiter_one.asset.properties.targets,vendor_root,entity_target_generic +jupiter_one,risks_and_alerts,fields_yml_nested,packages/jupiter_one/data_stream/risks_and_alerts/fields/fields.yml,264,jupiter_one.asset.properties.targets,vendor_root,entity_target_generic +keycloak,log,expected_json,packages/keycloak/data_stream/log/_dev/test/pipeline/test-log.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +lumos,activity_logs,fields_yml_flat,packages/lumos/data_stream/activity_logs/fields/fields.yml,22,lumos.activity_logs.targets,vendor_root,entity_target_generic +lumos,activity_logs,fields_yml_flat,packages/lumos/data_stream/activity_logs/fields/fields.yml,26,lumos.activity_logs.targets.name,vendor_root,entity_target_generic +lumos,activity_logs,fields_yml_flat,packages/lumos/data_stream/activity_logs/fields/fields.yml,24,lumos.activity_logs.targets.target_type,vendor_root,entity_target_generic +lumos,activity_logs,expected_json,packages/lumos/data_stream/activity_logs/_dev/test/pipeline/test-activity-logs.log-expected.json,0,target_type,other_vendor_or_nested,entity_target_generic +lumos,activity_logs,expected_json,packages/lumos/data_stream/activity_logs/_dev/test/pipeline/test-activity-logs.log-expected.json,0,targets,other_vendor_or_nested,entity_target_generic +m365_defender,event,expected_json,packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json,0,Target,other_vendor_or_nested,entity_target_generic +m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml,1776,Target.process.command_line,other_vendor_or_nested,entity_target_generic 
+m365_defender,event,fields_yml_flat,packages/m365_defender/data_stream/event/fields/fields.yml,1213,Target.process.command_line,other_vendor_or_nested,entity_target_generic +m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml,1782,Target.process.executable,other_vendor_or_nested,entity_target_generic +m365_defender,event,fields_yml_flat,packages/m365_defender/data_stream/event/fields/fields.yml,1219,Target.process.executable,other_vendor_or_nested,entity_target_generic +m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml,1770,Target.process.name,other_vendor_or_nested,entity_target_generic +m365_defender,event,fields_yml_flat,packages/m365_defender/data_stream/event/fields/fields.yml,1207,Target.process.name,other_vendor_or_nested,entity_target_generic +m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml,542,json.properties.QueryTarget,other_vendor_or_nested,entity_target_generic +m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml,532,json.properties.TargetAccountDisplayName,other_vendor_or_nested,entity_target_generic +m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml,552,json.properties.TargetAccountUpn,other_vendor_or_nested,likely_user_target_or_entity +m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml,429,json.properties.TargetDeviceName,other_vendor_or_nested,likely_host_target_or_entity 
+m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml,543,m365_defender.event.query.target,vendor_root,entity_target_generic +m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml,533,m365_defender.event.target.account_display_name,vendor_root,entity_target_generic +m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml,553,m365_defender.event.target.account_upn,vendor_root,likely_user_target_or_entity +m365_defender,event,ingest_pipeline,packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml,430,m365_defender.event.target.device_name,vendor_root,likely_host_target_or_entity +m365_defender,event,fields_yml_nested,packages/m365_defender/data_stream/event/fields/fields.yml,900,query.target,other_vendor_or_nested,entity_target_generic +m365_defender,event,expected_json,packages/m365_defender/data_stream/event/_dev/test/pipeline/test-app-and-identity.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +m365_defender,event,fields_yml_nested,packages/m365_defender/data_stream/event/fields/fields.yml,1092,target.account_display_name,other_vendor_or_nested,entity_target_generic +m365_defender,event,fields_yml_nested,packages/m365_defender/data_stream/event/fields/fields.yml,1095,target.account_upn,other_vendor_or_nested,likely_user_target_or_entity +m365_defender,event,fields_yml_nested,packages/m365_defender/data_stream/event/fields/fields.yml,1098,target.device_name,other_vendor_or_nested,likely_host_target_or_entity +mattermost,audit,expected_json,packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+mattermost,audit,ingest_pipeline,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,127,user.target.id,ecs_top_level,likely_user_target_or_entity +mattermost,audit,ingest_pipeline,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,131,user.target.name,ecs_top_level,likely_user_target_or_entity +mattermost,audit,ingest_pipeline,packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,135,user.target.roles,ecs_top_level,likely_user_target_or_entity +microsoft_defender_cloud,assessment,fields_yml_nested,packages/microsoft_defender_cloud/data_stream/assessment/fields/fields.yml,244,microsoft_defender_cloud.assessment.additional_data.sub_assessment.additional_data.resource_id_as_target_node_id,vendor_root,entity_target_generic +microsoft_defender_cloud,assessment,fields_yml_nested,packages/microsoft_defender_cloud/data_stream/assessment/fields/fields.yml,247,microsoft_defender_cloud.assessment.additional_data.sub_assessment.additional_data.resource_id_as_target_node_id.azure_resource_id,vendor_root,entity_target_generic +microsoft_defender_cloud,assessment,fields_yml_nested,packages/microsoft_defender_cloud/data_stream/assessment/fields/fields.yml,249,microsoft_defender_cloud.assessment.additional_data.sub_assessment.additional_data.resource_id_as_target_node_id.target_resource_id,vendor_root,entity_target_generic +microsoft_defender_cloud,assessment,fields_yml_nested,packages/microsoft_defender_cloud/data_stream/assessment/fields/fields.yml,251,microsoft_defender_cloud.assessment.additional_data.sub_assessment.additional_data.resource_id_as_target_node_id.target_resource_type,vendor_root,entity_target_generic 
+microsoft_defender_cloud,assessment,fields_yml_nested,packages/microsoft_defender_cloud/data_stream/assessment/fields/fields.yml,329,microsoft_defender_cloud.assessment.additional_data.sub_assessment.additional_data.vulnerability_details.cpe.target_hardware,vendor_root,entity_target_generic +microsoft_defender_cloud,assessment,fields_yml_nested,packages/microsoft_defender_cloud/data_stream/assessment/fields/fields.yml,331,microsoft_defender_cloud.assessment.additional_data.sub_assessment.additional_data.vulnerability_details.cpe.target_software,vendor_root,entity_target_generic +microsoft_defender_cloud,assessment,expected_json,packages/microsoft_defender_cloud/data_stream/assessment/_dev/test/pipeline/test-assessment.log-expected.json,0,resource_id_as_target_node_id,other_vendor_or_nested,entity_target_generic +microsoft_defender_cloud,assessment,expected_json,packages/microsoft_defender_cloud/data_stream/assessment/_dev/test/pipeline/test-assessment.log-expected.json,0,target_hardware,other_vendor_or_nested,entity_target_generic +microsoft_defender_cloud,assessment,expected_json,packages/microsoft_defender_cloud/data_stream/assessment/_dev/test/pipeline/test-assessment.log-expected.json,0,target_resource_id,other_vendor_or_nested,entity_target_generic +microsoft_defender_cloud,assessment,expected_json,packages/microsoft_defender_cloud/data_stream/assessment/_dev/test/pipeline/test-assessment.log-expected.json,0,target_resource_type,other_vendor_or_nested,entity_target_generic +microsoft_defender_cloud,assessment,expected_json,packages/microsoft_defender_cloud/data_stream/assessment/_dev/test/pipeline/test-assessment.log-expected.json,0,target_software,other_vendor_or_nested,entity_target_generic +microsoft_exchange_server,httpproxy,expected_json,packages/microsoft_exchange_server/data_stream/httpproxy/_dev/test/pipeline/test-httpproxy.log-expected.json,0,calculatetargetbackendlatency,other_vendor_or_nested,entity_target_generic 
+microsoft_exchange_server,httpproxy,fields_yml_flat,packages/microsoft_exchange_server/data_stream/httpproxy/fields/fields.yml,59,microsoft.exchange.calculatetargetbackendlatency,other_vendor_or_nested,entity_target_generic +microsoft_exchange_server,httpproxy,fields_yml_flat,packages/microsoft_exchange_server/data_stream/httpproxy/fields/fields.yml,53,microsoft.exchange.targetoutstandingrequests,other_vendor_or_nested,entity_target_generic +microsoft_exchange_server,httpproxy,fields_yml_flat,packages/microsoft_exchange_server/data_stream/httpproxy/fields/fields.yml,39,microsoft.exchange.targetserver,other_vendor_or_nested,entity_target_generic +microsoft_exchange_server,httpproxy,fields_yml_flat,packages/microsoft_exchange_server/data_stream/httpproxy/fields/fields.yml,41,microsoft.exchange.targetserverversion,other_vendor_or_nested,entity_target_generic +microsoft_exchange_server,httpproxy,expected_json,packages/microsoft_exchange_server/data_stream/httpproxy/_dev/test/pipeline/test-httpproxy.log-expected.json,0,targetserver,other_vendor_or_nested,entity_target_generic +microsoft_exchange_server,httpproxy,expected_json,packages/microsoft_exchange_server/data_stream/httpproxy/_dev/test/pipeline/test-httpproxy.log-expected.json,0,targetserverversion,other_vendor_or_nested,entity_target_generic +microsoft_intune,audit,ingest_pipeline,packages/microsoft_intune/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,258,json.properties.TargetDisplayNames,other_vendor_or_nested,entity_target_generic +microsoft_intune,audit,ingest_pipeline,packages/microsoft_intune/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,263,json.properties.TargetObjectIds,other_vendor_or_nested,entity_target_generic +microsoft_intune,audit,ingest_pipeline,packages/microsoft_intune/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,268,json.properties.Targets,other_vendor_or_nested,entity_target_generic 
+microsoft_intune,audit,ingest_pipeline,packages/microsoft_intune/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,260,microsoft_intune.audit.properties.target_display_names,vendor_root,entity_target_generic +microsoft_intune,audit,fields_yml_nested,packages/microsoft_intune/data_stream/audit/fields/fields.yml,90,microsoft_intune.audit.properties.target_display_names,vendor_root,entity_target_generic +microsoft_intune,audit,ingest_pipeline,packages/microsoft_intune/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,265,microsoft_intune.audit.properties.target_object_ids,vendor_root,entity_target_generic +microsoft_intune,audit,fields_yml_nested,packages/microsoft_intune/data_stream/audit/fields/fields.yml,93,microsoft_intune.audit.properties.target_object_ids,vendor_root,entity_target_generic +microsoft_intune,audit,ingest_pipeline,packages/microsoft_intune/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,337,microsoft_intune.audit.properties.targets,vendor_root,entity_target_generic +microsoft_intune,audit,fields_yml_nested,packages/microsoft_intune/data_stream/audit/fields/fields.yml,96,microsoft_intune.audit.properties.targets,vendor_root,entity_target_generic +microsoft_intune,audit,fields_yml_nested,packages/microsoft_intune/data_stream/audit/fields/fields.yml,99,microsoft_intune.audit.properties.targets.modified_properties,vendor_root,entity_target_generic +microsoft_intune,audit,fields_yml_nested,packages/microsoft_intune/data_stream/audit/fields/fields.yml,102,microsoft_intune.audit.properties.targets.modified_properties.name,vendor_root,entity_target_generic +microsoft_intune,audit,fields_yml_nested,packages/microsoft_intune/data_stream/audit/fields/fields.yml,105,microsoft_intune.audit.properties.targets.modified_properties.new,vendor_root,entity_target_generic 
+microsoft_intune,audit,fields_yml_nested,packages/microsoft_intune/data_stream/audit/fields/fields.yml,108,microsoft_intune.audit.properties.targets.modified_properties.old,vendor_root,entity_target_generic +microsoft_intune,audit,fields_yml_nested,packages/microsoft_intune/data_stream/audit/fields/fields.yml,111,microsoft_intune.audit.properties.targets.name,vendor_root,entity_target_generic +microsoft_intune,audit,expected_json,packages/microsoft_intune/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target_display_names,other_vendor_or_nested,entity_target_generic +microsoft_intune,audit,expected_json,packages/microsoft_intune/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target_object_ids,other_vendor_or_nested,entity_target_generic +microsoft_intune,audit,expected_json,packages/microsoft_intune/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,targets,other_vendor_or_nested,entity_target_generic +microsoft_sqlserver,performance,expected_json,packages/microsoft_sqlserver/data_stream/performance/_dev/test/pipeline/test-performance.json-expected.json,0,buffer_target_pages,other_vendor_or_nested,entity_target_generic +microsoft_sqlserver,performance,fields_yml_nested,packages/microsoft_sqlserver/data_stream/performance/fields/fields.yml,94,mssql.metrics.buffer_target_pages,other_vendor_or_nested,entity_target_generic +microsoft_sqlserver,audit,fields_yml_nested,packages/microsoft_sqlserver/data_stream/audit/fields/fields.yml,53,sqlserver.audit.target_database_principal_id,other_vendor_or_nested,likely_user_target_or_entity +microsoft_sqlserver,audit,fields_yml_nested,packages/microsoft_sqlserver/data_stream/audit/fields/fields.yml,77,sqlserver.audit.target_database_principal_name,other_vendor_or_nested,likely_user_target_or_entity 
+microsoft_sqlserver,audit,fields_yml_nested,packages/microsoft_sqlserver/data_stream/audit/fields/fields.yml,50,sqlserver.audit.target_server_principal_id,other_vendor_or_nested,likely_user_target_or_entity +microsoft_sqlserver,audit,ingest_pipeline,packages/microsoft_sqlserver/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1228,sqlserver.audit.target_server_principal_name,other_vendor_or_nested,likely_user_target_or_entity +microsoft_sqlserver,audit,fields_yml_nested,packages/microsoft_sqlserver/data_stream/audit/fields/fields.yml,71,sqlserver.audit.target_server_principal_name,other_vendor_or_nested,likely_user_target_or_entity +microsoft_sqlserver,audit,ingest_pipeline,packages/microsoft_sqlserver/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1231,sqlserver.audit.target_server_principal_sid,other_vendor_or_nested,likely_user_target_or_entity +microsoft_sqlserver,audit,fields_yml_nested,packages/microsoft_sqlserver/data_stream/audit/fields/fields.yml,74,sqlserver.audit.target_server_principal_sid,other_vendor_or_nested,likely_user_target_or_entity +microsoft_sqlserver,audit,expected_json,packages/microsoft_sqlserver/data_stream/audit/_dev/test/pipeline/test-events.json-expected.json,0,target_database_principal_id,other_vendor_or_nested,likely_user_target_or_entity +microsoft_sqlserver,audit,expected_json,packages/microsoft_sqlserver/data_stream/audit/_dev/test/pipeline/test-events.json-expected.json,0,target_server_principal_id,other_vendor_or_nested,likely_user_target_or_entity +microsoft_sqlserver,audit,ingest_pipeline,packages/microsoft_sqlserver/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1230,user.target.id,ecs_top_level,likely_user_target_or_entity +microsoft_sqlserver,audit,ingest_pipeline,packages/microsoft_sqlserver/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1227,user.target.name,ecs_top_level,likely_user_target_or_entity 
+mimecast,threat_intel_malware_customer,fields_yml_nested,packages/mimecast/data_stream/threat_intel_malware_customer/fields/field.yml,69,mimecast.target_ref,vendor_root,entity_target_generic +mimecast,threat_intel_malware_grid,fields_yml_nested,packages/mimecast/data_stream/threat_intel_malware_grid/fields/field.yml,49,mimecast.target_ref,vendor_root,entity_target_generic +mongodb,log,expected_json,packages/mongodb/data_stream/log/_dev/test/pipeline/test-mongodb-ubuntu-4-4-4.log-expected.json,0,target_arch,other_vendor_or_nested,entity_target_generic +mongodb_atlas,organization,ingest_pipeline,packages/mongodb_atlas/data_stream/organization/elasticsearch/ingest_pipeline/default.yml,255,mongodb_atlas.organization.target.username,vendor_root,likely_user_target_or_entity +mongodb_atlas,organization,ingest_pipeline,packages/mongodb_atlas/data_stream/organization/elasticsearch/ingest_pipeline/default.yml,251,mongodb_atlas.organization.target_public_key,vendor_root,entity_target_generic +mongodb_atlas,process,fields_yml_nested,packages/mongodb_atlas/data_stream/process/fields/fields.yml,499,mongodb_atlas.process.query.targeting,vendor_root,entity_target_generic +mongodb_atlas,process,ingest_pipeline,packages/mongodb_atlas/data_stream/process/elasticsearch/ingest_pipeline/default.yml,365,mongodb_atlas.process.query.targeting.scanned_objects_per_returned,vendor_root,entity_target_generic +mongodb_atlas,process,fields_yml_nested,packages/mongodb_atlas/data_stream/process/fields/fields.yml,502,mongodb_atlas.process.query.targeting.scanned_objects_per_returned,vendor_root,entity_target_generic +mongodb_atlas,process,ingest_pipeline,packages/mongodb_atlas/data_stream/process/elasticsearch/ingest_pipeline/default.yml,369,mongodb_atlas.process.query.targeting.scanned_per_returned,vendor_root,entity_target_generic 
+mongodb_atlas,process,fields_yml_nested,packages/mongodb_atlas/data_stream/process/fields/fields.yml,506,mongodb_atlas.process.query.targeting.scanned_per_returned,vendor_root,entity_target_generic +mongodb_atlas,project,ingest_pipeline,packages/mongodb_atlas/data_stream/project/elasticsearch/ingest_pipeline/default.yml,315,mongodb_atlas.project.target.username,vendor_root,likely_user_target_or_entity +mongodb_atlas,project,ingest_pipeline,packages/mongodb_atlas/data_stream/project/elasticsearch/ingest_pipeline/default.yml,311,mongodb_atlas.project.target_public_key,vendor_root,entity_target_generic +mongodb_atlas,project,fields_yml_nested,packages/mongodb_atlas/data_stream/project/fields/fields.yml,149,mongodb_atlas.project.target_public_key,vendor_root,entity_target_generic +mongodb_atlas,process,ingest_pipeline,packages/mongodb_atlas/data_stream/process/elasticsearch/ingest_pipeline/default.yml,364,response.QUERY_TARGETING_SCANNED_OBJECTS_PER_RETURNED,other_vendor_or_nested,entity_target_generic +mongodb_atlas,process,ingest_pipeline,packages/mongodb_atlas/data_stream/process/elasticsearch/ingest_pipeline/default.yml,368,response.QUERY_TARGETING_SCANNED_PER_RETURNED,other_vendor_or_nested,entity_target_generic +mongodb_atlas,organization,ingest_pipeline,packages/mongodb_atlas/data_stream/organization/elasticsearch/ingest_pipeline/default.yml,250,response.targetPublicKey,other_vendor_or_nested,entity_target_generic +mongodb_atlas,project,ingest_pipeline,packages/mongodb_atlas/data_stream/project/elasticsearch/ingest_pipeline/default.yml,310,response.targetPublicKey,other_vendor_or_nested,entity_target_generic +mongodb_atlas,organization,ingest_pipeline,packages/mongodb_atlas/data_stream/organization/elasticsearch/ingest_pipeline/default.yml,254,response.targetUsername,other_vendor_or_nested,likely_user_target_or_entity 
+mongodb_atlas,project,ingest_pipeline,packages/mongodb_atlas/data_stream/project/elasticsearch/ingest_pipeline/default.yml,314,response.targetUsername,other_vendor_or_nested,likely_user_target_or_entity +mongodb_atlas,organization,expected_json,packages/mongodb_atlas/data_stream/organization/_dev/test/pipeline/test-mongodb-organization.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +mongodb_atlas,project,expected_json,packages/mongodb_atlas/data_stream/project/_dev/test/pipeline/test-project.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +mongodb_atlas,organization,fields_yml_flat,packages/mongodb_atlas/data_stream/organization/fields/fields.yml,94,target.username,other_vendor_or_nested,likely_user_target_or_entity +mongodb_atlas,project,fields_yml_flat,packages/mongodb_atlas/data_stream/project/fields/fields.yml,152,target.username,other_vendor_or_nested,likely_user_target_or_entity +mongodb_atlas,organization,expected_json,packages/mongodb_atlas/data_stream/organization/_dev/test/pipeline/test-mongodb-organization.json-expected.json,0,target_public_key,other_vendor_or_nested,entity_target_generic +mongodb_atlas,project,expected_json,packages/mongodb_atlas/data_stream/project/_dev/test/pipeline/test-project.json-expected.json,0,target_public_key,other_vendor_or_nested,entity_target_generic +mongodb_atlas,organization,expected_json,packages/mongodb_atlas/data_stream/organization/_dev/test/pipeline/test-mongodb-organization.json-expected.json,0,target_username,other_vendor_or_nested,likely_user_target_or_entity +mongodb_atlas,project,expected_json,packages/mongodb_atlas/data_stream/project/_dev/test/pipeline/test-project.json-expected.json,0,target_username,other_vendor_or_nested,likely_user_target_or_entity +mongodb_atlas,process,expected_json,packages/mongodb_atlas/data_stream/process/_dev/test/pipeline/test-process-metrics.json-expected.json,0,targeting,other_vendor_or_nested,entity_target_generic 
+mysql_enterprise,audit,expected_json,packages/mysql_enterprise/data_stream/audit/_dev/test/pipeline/test-mysql-audit.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +netflow,log,fields_yml_nested,packages/netflow/data_stream/log/fields/package-fields.yml,308,netflow.dns_srv_target,vendor_root,entity_target_generic +netflow,log,fields_yml_nested,packages/netflow/data_stream/log/fields/package-fields.yml,548,netflow.http_request_target,vendor_root,entity_target_generic +netscout,sightline,fields_yml_nested,packages/netscout/data_stream/sightline/fields/fields.yml,553,rsa.misc.context_target,other_vendor_or_nested,entity_target_generic +netscout,sightline,fields_yml_nested,packages/netscout/data_stream/sightline/fields/fields.yml,893,rsa.misc.cs_targetmodule,other_vendor_or_nested,entity_target_generic +netscout,sightline,fields_yml_nested,packages/netscout/data_stream/sightline/fields/fields.yml,576,rsa.misc.vm_target,other_vendor_or_nested,entity_target_generic +netskope,alerts,fields_yml_nested,packages/netskope/data_stream/alerts/fields/fields.yml,243,breach.target_references,other_vendor_or_nested,entity_target_generic +netskope,alerts,expected_json,packages/netskope/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json,0,target_references,other_vendor_or_nested,entity_target_generic +netskope,alerts_events_v2,ingest_pipeline,packages/netskope/data_stream/alerts_events_v2/elasticsearch/ingest_pipeline/pipeline_events_v2.yml,882,user.target.email,ecs_top_level,likely_user_target_or_entity +network_traffic,cassandra,fields_yml_nested,packages/network_traffic/data_stream/cassandra/fields/protocol.yml,219,cassandra.response.event.schema_change.target,other_vendor_or_nested,entity_target_generic +network_traffic,cassandra,fields_yml_nested,packages/network_traffic/data_stream/cassandra/fields/protocol.yml,114,cassandra.response.result.schema_change.target,other_vendor_or_nested,entity_target_generic 
+network_traffic,cassandra,fields_yml_nested,packages/network_traffic/data_stream/cassandra/fields/protocol_ecs.yml,219,response.event.schema_change.target,other_vendor_or_nested,entity_target_generic +network_traffic,cassandra,fields_yml_nested,packages/network_traffic/data_stream/cassandra/fields/protocol_ecs.yml,114,response.result.schema_change.target,other_vendor_or_nested,entity_target_generic +o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json,0,Target,other_vendor_or_nested,entity_target_generic +o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json,0,Target,other_vendor_or_nested,entity_target_generic +o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json,0,Target,other_vendor_or_nested,entity_target_generic +o365,audit,fields_yml_nested,packages/o365/data_stream/audit/fields/fields.yml,643,Target.ID,other_vendor_or_nested,entity_target_generic +o365,audit,fields_yml_nested,packages/o365/data_stream/audit/fields/fields.yml,645,Target.Type,other_vendor_or_nested,entity_target_generic +o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json,0,TargetContextId,other_vendor_or_nested,entity_target_generic +o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json,0,TargetContextId,other_vendor_or_nested,entity_target_generic +o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json,0,TargetContextId,other_vendor_or_nested,entity_target_generic +o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json,0,TargetId_ServicePrincipalNames,other_vendor_or_nested,likely_user_target_or_entity 
+o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json-expected.json,0,TargetUserOrGroupName,other_vendor_or_nested,likely_user_target_or_entity +o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json-expected.json,0,TargetUserOrGroupType,other_vendor_or_nested,likely_user_target_or_entity +o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json,0,additionalTargets,other_vendor_or_nested,entity_target_generic +o365,audit,ingest_pipeline,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1567,o365audit.Target,other_vendor_or_nested,entity_target_generic +o365,audit,ingest_pipeline,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,82,o365audit.TargetFilePath,other_vendor_or_nested,entity_target_generic +o365,audit,ingest_pipeline,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1155,o365audit.TargetUserId,other_vendor_or_nested,likely_user_target_or_entity +o365,audit,ingest_pipeline,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,1171,o365audit.TargetYammerUserId,other_vendor_or_nested,likely_user_target_or_entity +o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json,0,targetContextId,other_vendor_or_nested,entity_target_generic +o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json,0,targetIncludedUpdatedProperties,other_vendor_or_nested,entity_target_generic 
+o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json,0,targetName,other_vendor_or_nested,entity_target_generic
+o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json,0,targetObjectId,other_vendor_or_nested,entity_target_generic
+o365,audit,expected_json,packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json,0,targetSPN,other_vendor_or_nested,entity_target_generic
+o365,audit,ingest_pipeline,packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,682,user.target.id,ecs_top_level,likely_user_target_or_entity
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,308,json.target,other_vendor_or_nested,entity_target_generic
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,309,okta.target,vendor_root,entity_target_generic
+okta,system,fields_yml_flat,packages/okta/data_stream/system/fields/fields.yml,136,okta.target,vendor_root,entity_target_generic
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,552,okta_target_group.display_name,other_vendor_or_nested,entity_target_generic
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,556,okta_target_group.id,other_vendor_or_nested,entity_target_generic
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,540,okta_target_user.display_name,other_vendor_or_nested,likely_user_target_or_entity
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,544,okta_target_user.id,other_vendor_or_nested,likely_user_target_or_entity
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,548,okta_target_user.login,other_vendor_or_nested,likely_user_target_or_entity
+okta,system,expected_json,packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+okta,system,expected_json,packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-no-flattened-events.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+okta,system,expected_json,packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-yes-flattened-events.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,547,user.target.email,ecs_top_level,likely_user_target_or_entity
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,539,user.target.full_name,ecs_top_level,likely_user_target_or_entity
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,555,user.target.group.id,ecs_top_level,likely_user_target_or_entity
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,551,user.target.group.name,ecs_top_level,likely_user_target_or_entity
+okta,system,ingest_pipeline,packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml,543,user.target.id,ecs_top_level,likely_user_target_or_entity
+oracle,memory,ingest_pipeline,packages/oracle/data_stream/memory/elasticsearch/ingest_pipeline/default.yml,35,oracle.memory.aggregate_pga_auto_target,vendor_root,entity_target_generic
+oracle,memory,ingest_pipeline,packages/oracle/data_stream/memory/elasticsearch/ingest_pipeline/default.yml,40,oracle.memory.aggregate_pga_target_parameter,vendor_root,entity_target_generic
+oracle,memory,ingest_pipeline,packages/oracle/data_stream/memory/elasticsearch/ingest_pipeline/default.yml,36,oracle.memory.pga.aggregate_auto_target,vendor_root,entity_target_generic
+oracle,memory,ingest_pipeline,packages/oracle/data_stream/memory/elasticsearch/ingest_pipeline/default.yml,41,oracle.memory.pga.aggregate_target_parameter,vendor_root,entity_target_generic
+oracle,memory,fields_yml_nested,packages/oracle/data_stream/memory/fields/fields.yml,32,pga.aggregate_auto_target,other_vendor_or_nested,entity_target_generic
+oracle,memory,fields_yml_nested,packages/oracle/data_stream/memory/fields/fields.yml,47,pga.aggregate_target_parameter,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,11619,osquery.shortcut_target_location,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,11624,osquery.shortcut_target_location.text,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,11628,osquery.shortcut_target_path,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,11635,osquery.shortcut_target_path.text,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,11639,osquery.shortcut_target_type,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,11644,osquery.shortcut_target_type.text,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12614,osquery.symlink_target_path,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12619,osquery.symlink_target_path.text,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12712,osquery.target,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12718,osquery.target_creation_time,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12723,osquery.target_creation_time.text,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12727,osquery.target_last_accessed_time,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12732,osquery.target_last_accessed_time.text,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12736,osquery.target_modification_time,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12741,osquery.target_modification_time.text,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12745,osquery.target_name,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12750,osquery.target_name.text,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12754,osquery.target_path,other_vendor_or_nested,entity_target_generic
+osquery_manager,result,fields_yml_nested,packages/osquery_manager/data_stream/result/fields/osquery.yml,12761,osquery.target_path.text,other_vendor_or_nested,entity_target_generic
+pps,log,fields_yml_flat,packages/pps/data_stream/log/fields/fields.yml,10,pps.entry.target.name,vendor_root,entity_target_generic
+pps,log,fields_yml_flat,packages/pps/data_stream/log/fields/fields.yml,16,pps.entry.target.username,vendor_root,likely_user_target_or_entity
+pps,log,expected_json,packages/pps/data_stream/log/_dev/test/pipeline/test-log.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+prisma_cloud,alert,expected_json,packages/prisma_cloud/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json,0,targetGrants,other_vendor_or_nested,entity_target_generic
+proofpoint_itm,report,ingest_pipeline,packages/proofpoint_itm/data_stream/report/elasticsearch/ingest_pipeline/default.yml,414,json.targetFileName,other_vendor_or_nested,entity_target_generic
+proofpoint_itm,report,ingest_pipeline,packages/proofpoint_itm/data_stream/report/elasticsearch/ingest_pipeline/default.yml,419,json.targetSiteName,other_vendor_or_nested,entity_target_generic
+proofpoint_itm,report,fields_yml_nested,packages/proofpoint_itm/data_stream/report/fields/fields.yml,120,proofpoint_itm.report.target,vendor_root,entity_target_generic
+proofpoint_itm,report,ingest_pipeline,packages/proofpoint_itm/data_stream/report/elasticsearch/ingest_pipeline/default.yml,416,proofpoint_itm.report.target.file_name,vendor_root,entity_target_generic
+proofpoint_itm,report,fields_yml_nested,packages/proofpoint_itm/data_stream/report/fields/fields.yml,123,proofpoint_itm.report.target.file_name,vendor_root,entity_target_generic
+proofpoint_itm,report,ingest_pipeline,packages/proofpoint_itm/data_stream/report/elasticsearch/ingest_pipeline/default.yml,421,proofpoint_itm.report.target.site_name,vendor_root,entity_target_generic
+proofpoint_itm,report,fields_yml_nested,packages/proofpoint_itm/data_stream/report/fields/fields.yml,125,proofpoint_itm.report.target.site_name,vendor_root,entity_target_generic
+proofpoint_itm,report,expected_json,packages/proofpoint_itm/data_stream/report/_dev/test/pipeline/test-alert.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+qnap_nas,log,expected_json,packages/qnap_nas/data_stream/log/_dev/test/pipeline/test-event.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+radware,defensepro,fields_yml_nested,packages/radware/data_stream/defensepro/fields/fields.yml,553,rsa.misc.context_target,other_vendor_or_nested,entity_target_generic
+radware,defensepro,fields_yml_nested,packages/radware/data_stream/defensepro/fields/fields.yml,893,rsa.misc.cs_targetmodule,other_vendor_or_nested,entity_target_generic
+radware,defensepro,fields_yml_nested,packages/radware/data_stream/defensepro/fields/fields.yml,576,rsa.misc.vm_target,other_vendor_or_nested,entity_target_generic
+sailpoint_identity_sc,events,fields_yml_nested,packages/sailpoint_identity_sc/data_stream/events/fields/event-fields.yml,173,sailpoint_identity_sc.events.target,vendor_root,likely_user_target_or_entity
+sailpoint_identity_sc,events,fields_yml_nested,packages/sailpoint_identity_sc/data_stream/events/fields/event-fields.yml,176,sailpoint_identity_sc.events.target.name,vendor_root,likely_user_target_or_entity
+sailpoint_identity_sc,events,expected_json,packages/sailpoint_identity_sc/data_stream/events/_dev/test/pipeline/test-event.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+santa,log,ingest_pipeline,packages/santa/data_stream/log/elasticsearch/ingest_pipeline/default.yml,44,file.target_path,ecs_top_level,entity_target_generic
+santa,log,expected_json,packages/santa/data_stream/log/_dev/test/pipeline/test-santa-raw.log-expected.json,0,target_path,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,864,json.targetProcessInfo.tgtFileCreatedAt,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,960,json.targetProcessInfo.tgtFileHashSha1,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,896,json.targetProcessInfo.tgtFileHashSha256,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,950,json.targetProcessInfo.tgtFileId,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,876,json.targetProcessInfo.tgtFileIsSigned,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,938,json.targetProcessInfo.tgtFileModifiedAt,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,881,json.targetProcessInfo.tgtFileOldPath,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,989,json.targetProcessInfo.tgtFilePath,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,928,json.targetProcessInfo.tgtProcCmdLine,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,886,json.targetProcessInfo.tgtProcImagePath,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,955,json.targetProcessInfo.tgtProcIntegrityLevel,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,933,json.targetProcessInfo.tgtProcName,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,913,json.targetProcessInfo.tgtProcPid,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,891,json.targetProcessInfo.tgtProcSignedStatus,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,908,json.targetProcessInfo.tgtProcStorylineId,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,972,json.targetProcessInfo.tgtProcUid,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,977,json.targetProcessInfo.tgtProcessStartTime,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,961,sentinel_one.alert.target.process.file.hash.sha1,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,897,sentinel_one.alert.target.process.file.hash.sha256,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,951,sentinel_one.alert.target.process.file.id,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,877,sentinel_one.alert.target.process.file.is_signed,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,882,sentinel_one.alert.target.process.file.old_path,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,990,sentinel_one.alert.target.process.file.path,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,929,sentinel_one.alert.target.process.proc.cmdline,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,887,sentinel_one.alert.target.process.proc.image_path,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,956,sentinel_one.alert.target.process.proc.integrity_level,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,934,sentinel_one.alert.target.process.proc.name,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,914,sentinel_one.alert.target.process.proc.pid,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,892,sentinel_one.alert.target.process.proc.signed_status,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,909,sentinel_one.alert.target.process.proc.storyline_id,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,973,sentinel_one.alert.target.process.proc.uid,vendor_root,entity_target_generic
+sentinel_one,alert,ingest_pipeline,packages/sentinel_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml,978,sentinel_one.alert.target.process.start_time,vendor_root,entity_target_generic
+sentinel_one,unified_alert,fields_yml_nested,packages/sentinel_one/data_stream/unified_alert/fields/fields.yml,346,sentinel_one.unified_alert.detection_time.target_user,vendor_root,likely_user_target_or_entity
+sentinel_one,unified_alert,ingest_pipeline,packages/sentinel_one/data_stream/unified_alert/elasticsearch/ingest_pipeline/default.yml,628,sentinel_one.unified_alert.detection_time.target_user.domain,vendor_root,likely_user_target_or_entity
+sentinel_one,unified_alert,fields_yml_nested,packages/sentinel_one/data_stream/unified_alert/fields/fields.yml,349,sentinel_one.unified_alert.detection_time.target_user.domain,vendor_root,likely_user_target_or_entity
+sentinel_one,unified_alert,ingest_pipeline,packages/sentinel_one/data_stream/unified_alert/elasticsearch/ingest_pipeline/default.yml,633,sentinel_one.unified_alert.detection_time.target_user.email_address,vendor_root,likely_user_target_or_entity
+sentinel_one,unified_alert,fields_yml_nested,packages/sentinel_one/data_stream/unified_alert/fields/fields.yml,352,sentinel_one.unified_alert.detection_time.target_user.email_address,vendor_root,likely_user_target_or_entity
+sentinel_one,unified_alert,ingest_pipeline,packages/sentinel_one/data_stream/unified_alert/elasticsearch/ingest_pipeline/default.yml,638,sentinel_one.unified_alert.detection_time.target_user.name,vendor_root,likely_user_target_or_entity
+sentinel_one,unified_alert,fields_yml_nested,packages/sentinel_one/data_stream/unified_alert/fields/fields.yml,355,sentinel_one.unified_alert.detection_time.target_user.name,vendor_root,likely_user_target_or_entity
+sentinel_one,unified_alert,ingest_pipeline,packages/sentinel_one/data_stream/unified_alert/elasticsearch/ingest_pipeline/default.yml,396,sentinel_one.unified_alert.slo_details.time_to_resolve_data.target,vendor_root,entity_target_generic
+sentinel_one,unified_alert,fields_yml_nested,packages/sentinel_one/data_stream/unified_alert/fields/fields.yml,469,sentinel_one.unified_alert.slo_details.time_to_resolve_data.target,vendor_root,entity_target_generic
+sentinel_one,unified_alert,ingest_pipeline,packages/sentinel_one/data_stream/unified_alert/elasticsearch/ingest_pipeline/default.yml,407,sentinel_one.unified_alert.slo_details.time_to_resolve_data.target_time,vendor_root,entity_target_generic
+sentinel_one,unified_alert,fields_yml_nested,packages/sentinel_one/data_stream/unified_alert/fields/fields.yml,472,sentinel_one.unified_alert.slo_details.time_to_resolve_data.target_time,vendor_root,entity_target_generic
+sentinel_one,unified_alert,ingest_pipeline,packages/sentinel_one/data_stream/unified_alert/elasticsearch/ingest_pipeline/default.yml,468,sentinel_one.unified_alert.slo_details.time_to_response_data.target,vendor_root,entity_target_generic
+sentinel_one,unified_alert,fields_yml_nested,packages/sentinel_one/data_stream/unified_alert/fields/fields.yml,493,sentinel_one.unified_alert.slo_details.time_to_response_data.target,vendor_root,entity_target_generic
+sentinel_one,unified_alert,ingest_pipeline,packages/sentinel_one/data_stream/unified_alert/elasticsearch/ingest_pipeline/default.yml,479,sentinel_one.unified_alert.slo_details.time_to_response_data.target_time,vendor_root,entity_target_generic
+sentinel_one,unified_alert,fields_yml_nested,packages/sentinel_one/data_stream/unified_alert/fields/fields.yml,496,sentinel_one.unified_alert.slo_details.time_to_response_data.target_time,vendor_root,entity_target_generic
+sentinel_one,alert,expected_json,packages/sentinel_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+sentinel_one,unified_alert,expected_json,packages/sentinel_one/data_stream/unified_alert/_dev/test/pipeline/test-pipeline-unified-alert.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,205,target.process,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,208,target.process.file,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,211,target.process.file.hash,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,214,target.process.file.hash.sha1,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,217,target.process.file.hash.sha256,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,220,target.process.file.id,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,223,target.process.file.is_signed,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,226,target.process.file.old_path,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,229,target.process.file.path,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,232,target.process.proc,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,235,target.process.proc.cmdline,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,238,target.process.proc.image_path,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,241,target.process.proc.integrity_level,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,244,target.process.proc.name,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,247,target.process.proc.pid,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,250,target.process.proc.signed_status,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,253,target.process.proc.storyline_id,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,256,target.process.proc.uid,other_vendor_or_nested,entity_target_generic
+sentinel_one,alert,fields_yml_nested,packages/sentinel_one/data_stream/alert/fields/fields.yml,259,target.process.start_time,other_vendor_or_nested,entity_target_generic
+sentinel_one,unified_alert,expected_json,packages/sentinel_one/data_stream/unified_alert/_dev/test/pipeline/test-pipeline-unified-alert.log-expected.json,0,target_time,other_vendor_or_nested,entity_target_generic
+sentinel_one,unified_alert,expected_json,packages/sentinel_one/data_stream/unified_alert/_dev/test/pipeline/test-pipeline-unified-alert.log-expected.json,0,target_user,other_vendor_or_nested,likely_user_target_or_entity
+snyk,issues,fields_yml_nested,packages/snyk/data_stream/issues/fields/fields.yml,230,relationships.attributes.target_file,other_vendor_or_nested,entity_target_generic
+snyk,issues,fields_yml_nested,packages/snyk/data_stream/issues/fields/fields.yml,232,relationships.attributes.target_reference,other_vendor_or_nested,entity_target_generic
+snyk,issues,fields_yml_nested,packages/snyk/data_stream/issues/fields/fields.yml,234,relationships.attributes.target_runtime,other_vendor_or_nested,entity_target_generic
+snyk,issues,fields_yml_nested,packages/snyk/data_stream/issues/fields/fields.yml,295,relationships.relationships.target,other_vendor_or_nested,entity_target_generic
+snyk,issues,ingest_pipeline,packages/snyk/data_stream/issues/elasticsearch/ingest_pipeline/default.yml,165,snyk.issues.relationships.scan_item.data.relationships.target.links.related,vendor_root,entity_target_generic
+snyk,issues,ingest_pipeline,packages/snyk/data_stream/issues/elasticsearch/ingest_pipeline/default.yml,166,snyk.issues.relationships.scan_item.data.relationships.target.links.related.href,vendor_root,entity_target_generic
+snyk,audit_logs,expected_json,packages/snyk/data_stream/audit_logs/_dev/test/pipeline/test-snyk-audit.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+snyk,issues,expected_json,packages/snyk/data_stream/issues/_dev/test/pipeline/test-snyk-issues.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+snyk,audit_logs,expected_json,packages/snyk/data_stream/audit_logs/_dev/test/pipeline/test-snyk-audit.json-expected.json,0,targetFile,other_vendor_or_nested,entity_target_generic
+snyk,audit_logs,expected_json,packages/snyk/data_stream/audit_logs/_dev/test/pipeline/test-snyk-audit.json-expected.json,0,targetId,other_vendor_or_nested,entity_target_generic
+snyk,issues,expected_json,packages/snyk/data_stream/issues/_dev/test/pipeline/test-snyk-issues.json-expected.json,0,target_file,other_vendor_or_nested,entity_target_generic
+snyk,issues,expected_json,packages/snyk/data_stream/issues/_dev/test/pipeline/test-snyk-issues.json-expected.json,0,target_reference,other_vendor_or_nested,entity_target_generic
+snyk,issues,expected_json,packages/snyk/data_stream/issues/_dev/test/pipeline/test-snyk-issues.json-expected.json,0,target_runtime,other_vendor_or_nested,entity_target_generic
+sophos,xg,fields_yml_nested,packages/sophos/data_stream/xg/fields/fields.yml,691,sophos.xg.target,vendor_root,entity_target_generic
+sophos,xg,expected_json,packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-18-5-idp.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+sophos,xg,expected_json,packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+splunk,alert,fields_yml_nested,packages/splunk/data_stream/alert/fields/fields.yml,23,splunk.alert.Target_Account_Name,vendor_root,entity_target_generic
+splunk,alert,fields_yml_nested,packages/splunk/data_stream/alert/fields/fields.yml,109,splunk.alert.breach_target_references,vendor_root,entity_target_generic
+spycloud,breach_catalog,ingest_pipeline,packages/spycloud/data_stream/breach_catalog/elasticsearch/ingest_pipeline/default.yml,1993,json.assets.target_domain,other_vendor_or_nested,entity_target_generic
+spycloud,breach_catalog,ingest_pipeline,packages/spycloud/data_stream/breach_catalog/elasticsearch/ingest_pipeline/default.yml,2003,json.assets.target_subdomain,other_vendor_or_nested,entity_target_generic
+spycloud,breach_catalog,ingest_pipeline,packages/spycloud/data_stream/breach_catalog/elasticsearch/ingest_pipeline/default.yml,2013,json.assets.target_url,other_vendor_or_nested,entity_target_generic
+spycloud,breach_record,ingest_pipeline,packages/spycloud/data_stream/breach_record/elasticsearch/ingest_pipeline/default.yml,445,json.target_domain,other_vendor_or_nested,entity_target_generic
+spycloud,compass,ingest_pipeline,packages/spycloud/data_stream/compass/elasticsearch/ingest_pipeline/default.yml,428,json.target_domain,other_vendor_or_nested,entity_target_generic
+spycloud,breach_record,ingest_pipeline,packages/spycloud/data_stream/breach_record/elasticsearch/ingest_pipeline/default.yml,455,json.target_subdomain,other_vendor_or_nested,entity_target_generic
+spycloud,compass,ingest_pipeline,packages/spycloud/data_stream/compass/elasticsearch/ingest_pipeline/default.yml,438,json.target_subdomain,other_vendor_or_nested,entity_target_generic
+spycloud,breach_record,ingest_pipeline,packages/spycloud/data_stream/breach_record/elasticsearch/ingest_pipeline/default.yml,465,json.target_url,other_vendor_or_nested,entity_target_generic
+spycloud,compass,ingest_pipeline,packages/spycloud/data_stream/compass/elasticsearch/ingest_pipeline/default.yml,448,json.target_url,other_vendor_or_nested,entity_target_generic
+spycloud,breach_catalog,fields_yml_nested,packages/spycloud/data_stream/breach_catalog/fields/fields.yml,687,spycloud.breach_catalog.assets.target,vendor_root,entity_target_generic
+spycloud,breach_catalog,ingest_pipeline,packages/spycloud/data_stream/breach_catalog/elasticsearch/ingest_pipeline/default.yml,1995,spycloud.breach_catalog.assets.target.domain,vendor_root,entity_target_generic
+spycloud,breach_catalog,fields_yml_nested,packages/spycloud/data_stream/breach_catalog/fields/fields.yml,690,spycloud.breach_catalog.assets.target.domain,vendor_root,entity_target_generic
+spycloud,breach_catalog,ingest_pipeline,packages/spycloud/data_stream/breach_catalog/elasticsearch/ingest_pipeline/default.yml,2005,spycloud.breach_catalog.assets.target.subdomain,vendor_root,entity_target_generic
+spycloud,breach_catalog,fields_yml_nested,packages/spycloud/data_stream/breach_catalog/fields/fields.yml,693,spycloud.breach_catalog.assets.target.subdomain,vendor_root,entity_target_generic
+spycloud,breach_catalog,ingest_pipeline,packages/spycloud/data_stream/breach_catalog/elasticsearch/ingest_pipeline/default.yml,2015,spycloud.breach_catalog.assets.target.url,vendor_root,entity_target_generic
+spycloud,breach_catalog,fields_yml_nested,packages/spycloud/data_stream/breach_catalog/fields/fields.yml,696,spycloud.breach_catalog.assets.target.url,vendor_root,entity_target_generic
+spycloud,breach_record,fields_yml_nested,packages/spycloud/data_stream/breach_record/fields/fields.yml,154,spycloud.breach_record.target,vendor_root,entity_target_generic
+spycloud,breach_record,ingest_pipeline,packages/spycloud/data_stream/breach_record/elasticsearch/ingest_pipeline/default.yml,447,spycloud.breach_record.target.domain,vendor_root,entity_target_generic
+spycloud,breach_record,fields_yml_nested,packages/spycloud/data_stream/breach_record/fields/fields.yml,157,spycloud.breach_record.target.domain,vendor_root,entity_target_generic
+spycloud,breach_record,ingest_pipeline,packages/spycloud/data_stream/breach_record/elasticsearch/ingest_pipeline/default.yml,457,spycloud.breach_record.target.subdomain,vendor_root,entity_target_generic
+spycloud,breach_record,fields_yml_nested,packages/spycloud/data_stream/breach_record/fields/fields.yml,160,spycloud.breach_record.target.subdomain,vendor_root,entity_target_generic
+spycloud,breach_record,ingest_pipeline,packages/spycloud/data_stream/breach_record/elasticsearch/ingest_pipeline/default.yml,467,spycloud.breach_record.target.url,vendor_root,entity_target_generic
+spycloud,breach_record,fields_yml_nested,packages/spycloud/data_stream/breach_record/fields/fields.yml,163,spycloud.breach_record.target.url,vendor_root,entity_target_generic
+spycloud,compass,fields_yml_nested,packages/spycloud/data_stream/compass/fields/fields.yml,145,spycloud.compass.target,vendor_root,entity_target_generic
+spycloud,compass,ingest_pipeline,packages/spycloud/data_stream/compass/elasticsearch/ingest_pipeline/default.yml,430,spycloud.compass.target.domain,vendor_root,entity_target_generic
+spycloud,compass,fields_yml_nested,packages/spycloud/data_stream/compass/fields/fields.yml,148,spycloud.compass.target.domain,vendor_root,entity_target_generic
+spycloud,compass,ingest_pipeline,packages/spycloud/data_stream/compass/elasticsearch/ingest_pipeline/default.yml,440,spycloud.compass.target.subdomain,vendor_root,entity_target_generic
+spycloud,compass,fields_yml_nested,packages/spycloud/data_stream/compass/fields/fields.yml,151,spycloud.compass.target.subdomain,vendor_root,entity_target_generic
+spycloud,compass,ingest_pipeline,packages/spycloud/data_stream/compass/elasticsearch/ingest_pipeline/default.yml,450,spycloud.compass.target.url,vendor_root,entity_target_generic
+spycloud,compass,fields_yml_nested,packages/spycloud/data_stream/compass/fields/fields.yml,154,spycloud.compass.target.url,vendor_root,entity_target_generic
+spycloud,breach_catalog,expected_json,packages/spycloud/data_stream/breach_catalog/_dev/test/pipeline/test-breach-catalog.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+spycloud,breach_record,expected_json,packages/spycloud/data_stream/breach_record/_dev/test/pipeline/test-breach-record.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+spycloud,compass,expected_json,packages/spycloud/data_stream/compass/_dev/test/pipeline/test-compass.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+suricata,eve,fields_yml_nested,packages/suricata/data_stream/eve/fields/fields.yml,106,alert.attack_target,other_vendor_or_nested,entity_target_generic
+suricata,eve,expected_json,packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-metadata.log-expected.json,0,attack_target,other_vendor_or_nested,entity_target_generic
+suricata,eve,ingest_pipeline,packages/suricata/data_stream/eve/elasticsearch/ingest_pipeline/default.yml,463,suricata.eve.alert.attack_target,vendor_root,entity_target_generic
+suricata,eve,ingest_pipeline,packages/suricata/data_stream/eve/elasticsearch/ingest_pipeline/default.yml,462,suricata.eve.alert.metadata.attack_target,vendor_root,entity_target_generic
+symantec_endpoint_security,event,fields_yml_nested,packages/symantec_endpoint_security/data_stream/event/fields/fields.yml,5626,ses.rule_criteria_target,other_vendor_or_nested,entity_target_generic
+symantec_endpoint_security,event,fields_yml_nested,packages/symantec_endpoint_security/data_stream/event/fields/fields.yml,6187,ses.target,other_vendor_or_nested,entity_target_generic
+symantec_endpoint_security,event,fields_yml_nested,packages/symantec_endpoint_security/data_stream/event/fields/fields.yml,6190,ses.target_name,other_vendor_or_nested,entity_target_generic
+symantec_endpoint_security,event,fields_yml_nested,packages/symantec_endpoint_security/data_stream/event/fields/winlog.yml,57,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic
+symantec_endpoint_security,event,fields_yml_nested,packages/symantec_endpoint_security/data_stream/event/fields/winlog.yml,59,winlog.event_data.TargetName,other_vendor_or_nested,entity_target_generic
+symantec_endpoint_security,event,fields_yml_nested,packages/symantec_endpoint_security/data_stream/event/fields/winlog.yml,61,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity
+symantec_endpoint_security,event,fields_yml_nested,packages/symantec_endpoint_security/data_stream/event/fields/winlog.yml,63,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity
+sysdig,cspm,fields_yml_nested,packages/sysdig/data_stream/cspm/fields/fields.yml,65,sysdig.cspm.control.target,vendor_root,entity_target_generic
+sysdig,cspm,expected_json,packages/sysdig/data_stream/cspm/_dev/test/pipeline/test-cspm.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+sysmon_linux,log,fields_yml_nested,packages/sysmon_linux/data_stream/log/fields/winlog.yml,224,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic
+sysmon_linux,log,ingest_pipeline,packages/sysmon_linux/data_stream/log/elasticsearch/ingest_pipeline/default.yml,550,winlog.event_data.TargetFilename,other_vendor_or_nested,entity_target_generic
+sysmon_linux,log,fields_yml_nested,packages/sysmon_linux/data_stream/log/fields/winlog.yml,226,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic
+sysmon_linux,log,fields_yml_nested,packages/sysmon_linux/data_stream/log/fields/winlog.yml,228,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic
+sysmon_linux,log,fields_yml_nested,packages/sysmon_linux/data_stream/log/fields/winlog.yml,230,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic
+sysmon_linux,log,fields_yml_nested,packages/sysmon_linux/data_stream/log/fields/winlog.yml,232,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic
+sysmon_linux,log,fields_yml_nested,packages/sysmon_linux/data_stream/log/fields/winlog.yml,234,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity
+sysmon_linux,log,fields_yml_nested,packages/sysmon_linux/data_stream/log/fields/winlog.yml,236,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json,0,NewTargetUserName,other_vendor_or_nested,likely_user_target_or_entity
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json,0,OldTargetUserName,other_vendor_or_nested,likely_user_target_or_entity
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json-expected.json,0,RelativeTargetName,other_vendor_or_nested,entity_target_generic
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4627.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4675.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4738.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4742.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4797.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4800.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4801.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4802.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4803.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-4738-malformed.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-4738.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4690.json-expected.json,0,TargetHandleId,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4627.json-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4800.json-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4801.json-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4802.json-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4803.json-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-5379.json-expected.json,0,TargetName,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4690.json-expected.json,0,TargetProcessId,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4704.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4705.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4738.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4742.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-4738-malformed.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-4738.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4627.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4675.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4738.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4742.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4793.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4797.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4800.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4801.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4802.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4803.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-4738-malformed.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-4738.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4627.json-expected.json,0,TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4675.json-expected.json,0,TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4800.json-expected.json,0,TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4801.json-expected.json,0,TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4802.json-expected.json,0,TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4803.json-expected.json,0,TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json,0,TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json,0,TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json,0,TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4627.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4675.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4704.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4705.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4738.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4793.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4797.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4800.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4801.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4802.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-4803.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-5136-objectdn-escaped-comma.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-4738-malformed.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-4738.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +system,security,expected_json,packages/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json-expected.json,0,target_path,other_vendor_or_nested,entity_target_generic 
+system,security,ingest_pipeline,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,4413,user.target.name,ecs_top_level,likely_user_target_or_entity +system,security,ingest_pipeline,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,4419,winlog.event_data.NewTargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,fields_yml_nested,packages/system/data_stream/security/fields/winlog.yml,388,winlog.event_data.NewTargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,ingest_pipeline,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,4414,winlog.event_data.OldTargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,fields_yml_nested,packages/system/data_stream/security/fields/winlog.yml,430,winlog.event_data.OldTargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,fields_yml_nested,packages/system/data_stream/security/fields/winlog.yml,520,winlog.event_data.RelativeTargetName,other_vendor_or_nested,entity_target_generic +system,application,fields_yml_nested,packages/system/data_stream/application/fields/winlog.yml,211,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic +system,security,fields_yml_nested,packages/system/data_stream/security/fields/winlog.yml,654,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic +system,system,fields_yml_nested,packages/system/data_stream/system/fields/winlog.yml,211,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic +system,application,fields_yml_nested,packages/system/data_stream/application/fields/winlog.yml,213,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic +system,security,fields_yml_nested,packages/system/data_stream/security/fields/winlog.yml,656,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic 
+system,system,fields_yml_nested,packages/system/data_stream/system/fields/winlog.yml,213,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic +system,application,fields_yml_nested,packages/system/data_stream/application/fields/winlog.yml,215,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic +system,security,fields_yml_nested,packages/system/data_stream/security/fields/winlog.yml,658,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic +system,system,fields_yml_nested,packages/system/data_stream/system/fields/winlog.yml,215,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic +system,application,fields_yml_nested,packages/system/data_stream/application/fields/winlog.yml,217,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +system,security,ingest_pipeline,packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml,3822,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +system,security,fields_yml_nested,packages/system/data_stream/security/fields/winlog.yml,660,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +system,system,fields_yml_nested,packages/system/data_stream/system/fields/winlog.yml,217,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +system,security,fields_yml_nested,packages/system/data_stream/security/fields/winlog.yml,662,winlog.event_data.TargetName,other_vendor_or_nested,entity_target_generic +system,application,fields_yml_nested,packages/system/data_stream/application/fields/winlog.yml,219,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic +system,security,fields_yml_nested,packages/system/data_stream/security/fields/winlog.yml,664,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic 
+system,system,fields_yml_nested,packages/system/data_stream/system/fields/winlog.yml,219,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic +system,security,fields_yml_nested,packages/system/data_stream/security/fields/winlog.yml,666,winlog.event_data.TargetSid,other_vendor_or_nested,entity_target_generic +system,application,fields_yml_nested,packages/system/data_stream/application/fields/winlog.yml,221,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,security,fields_yml_nested,packages/system/data_stream/security/fields/winlog.yml,668,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,system,fields_yml_nested,packages/system/data_stream/system/fields/winlog.yml,221,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +system,application,fields_yml_nested,packages/system/data_stream/application/fields/winlog.yml,223,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +system,security,fields_yml_nested,packages/system/data_stream/security/fields/winlog.yml,670,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +system,system,fields_yml_nested,packages/system/data_stream/system/fields/winlog.yml,223,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +tanium,threat_response,ingest_pipeline,packages/tanium/data_stream/threat_response/elasticsearch/ingest_pipeline/match_details_whats_actions.yml,34,_action.target.file.modification_time,other_vendor_or_nested,entity_target_generic +tanium,threat_response,ingest_pipeline,packages/tanium/data_stream/threat_response/elasticsearch/ingest_pipeline/match_details_whats_actions.yml,76,_action.target.file.size_bytes,other_vendor_or_nested,entity_target_generic 
+tanium,threat_response,ingest_pipeline,packages/tanium/data_stream/threat_response/elasticsearch/ingest_pipeline/match_details_whats.yml,156,_what.artifact_activity.acting_artifact.is_intel_target,other_vendor_or_nested,entity_target_generic +tanium,threat_response,expected_json,packages/tanium/data_stream/threat_response/_dev/test/pipeline/test-deep.log-expected.json,0,is_intel_target,other_vendor_or_nested,entity_target_generic +tanium,threat_response,expected_json,packages/tanium/data_stream/threat_response/_dev/test/pipeline/test-match-details-empty-map-value.log-expected.json,0,is_intel_target,other_vendor_or_nested,entity_target_generic +tanium,threat_response,expected_json,packages/tanium/data_stream/threat_response/_dev/test/pipeline/test-new-default.log-expected.json,0,is_intel_target,other_vendor_or_nested,entity_target_generic +tanium,threat_response,expected_json,packages/tanium/data_stream/threat_response/_dev/test/pipeline/test-threat-response.log-expected.json,0,is_intel_target,other_vendor_or_nested,entity_target_generic +tanium,threat_response,fields_yml_nested,packages/tanium/data_stream/threat_response/fields/fields.yml,126,match_details.finding.whats.acting_artifact.is_intel_target,other_vendor_or_nested,entity_target_generic +tanium,threat_response,fields_yml_nested,packages/tanium/data_stream/threat_response/fields/fields.yml,359,match_details.finding.whats.relevant_actions.is_intel_target,other_vendor_or_nested,entity_target_generic +tanium,threat_response,fields_yml_flat,packages/tanium/data_stream/threat_response/fields/fields.yml,317,relevant_actions.target,other_vendor_or_nested,entity_target_generic +tanium,threat_response,fields_yml_nested,packages/tanium/data_stream/threat_response/fields/fields.yml,915,state.target,other_vendor_or_nested,entity_target_generic +tanium,threat_response,fields_yml_nested,packages/tanium/data_stream/threat_response/fields/fields.yml,918,state.target.eid,other_vendor_or_nested,entity_target_generic 
+tanium,threat_response,fields_yml_nested,packages/tanium/data_stream/threat_response/fields/fields.yml,921,state.target.hostname,other_vendor_or_nested,likely_host_target_or_entity +tanium,threat_response,ingest_pipeline,packages/tanium/data_stream/threat_response/elasticsearch/ingest_pipeline/match_details.yml,205,tanium.threat_response.match_details.finding.whats.artifact_activity.relevant_actions.target.file.size_bytes,vendor_root,entity_target_generic +tanium,threat_response,ingest_pipeline,packages/tanium/data_stream/threat_response/elasticsearch/ingest_pipeline/default.yml,192,tanium.threat_response.state.target.hostname,vendor_root,likely_host_target_or_entity +tanium,threat_response,expected_json,packages/tanium/data_stream/threat_response/_dev/test/pipeline/test-deep.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +tanium,threat_response,expected_json,packages/tanium/data_stream/threat_response/_dev/test/pipeline/test-match-details-empty-map-value.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +tanium,threat_response,expected_json,packages/tanium/data_stream/threat_response/_dev/test/pipeline/test-new-default.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +tanium,threat_response,expected_json,packages/tanium/data_stream/threat_response/_dev/test/pipeline/test-threat-response.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +teleport,audit,fields_yml_nested,packages/teleport/data_stream/audit/fields/fields.yml,652,dynamodb.target,other_vendor_or_nested,entity_target_generic +teleport,audit,fields_yml_nested,packages/teleport/data_stream/audit/fields/fields.yml,631,elasticsearch.target,other_vendor_or_nested,entity_target_generic +teleport,audit,fields_yml_nested,packages/teleport/data_stream/audit/fields/fields.yml,645,opensearch.target,other_vendor_or_nested,entity_target_generic 
+teleport,audit,expected_json,packages/teleport/data_stream/audit/_dev/test/pipeline/test-teleport-all-events.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +teleport,audit,ingest_pipeline,packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml,1402,teleport.audit.database.dynamodb.target,vendor_root,entity_target_generic +teleport,audit,ingest_pipeline,packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml,1360,teleport.audit.database.elasticsearch.target,vendor_root,entity_target_generic +teleport,audit,ingest_pipeline,packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml,1396,teleport.audit.database.opensearch.target,vendor_root,entity_target_generic +teleport,audit,ingest_pipeline,packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml,305,teleport.audit.lock.target,vendor_root,entity_target_generic +teleport,audit,ingest_pipeline,packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml,701,teleport.audit.sftp.target_path,vendor_root,entity_target_generic +teleport,audit,ingest_pipeline,packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml,303,teleport.audit.target,vendor_root,entity_target_generic +teleport,audit,ingest_pipeline,packages/teleport/data_stream/audit/elasticsearch/ingest_pipeline/event-groups.yml,700,teleport.audit.target_path,vendor_root,entity_target_generic +tenable_io,vulnerability,ingest_pipeline,packages/tenable_io/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml,1204,json.plugin.vpr_v2.targeted_industries,other_vendor_or_nested,entity_target_generic +tenable_io,vulnerability,ingest_pipeline,packages/tenable_io/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml,1209,json.plugin.vpr_v2.targeted_regions,other_vendor_or_nested,entity_target_generic 
+tenable_io,vulnerability,fields_yml_nested,packages/tenable_io/data_stream/vulnerability/fields/fields.yml,492,plugin.vpr_v2.targeted_industries,other_vendor_or_nested,entity_target_generic +tenable_io,vulnerability,fields_yml_nested,packages/tenable_io/data_stream/vulnerability/fields/fields.yml,495,plugin.vpr_v2.targeted_regions,other_vendor_or_nested,entity_target_generic +tenable_io,scan,fields_yml_nested,packages/tenable_io/data_stream/scan/fields/fields.yml,104,scan_details.target,other_vendor_or_nested,entity_target_generic +tenable_io,audit,expected_json,packages/tenable_io/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +tenable_io,scan,expected_json,packages/tenable_io/data_stream/scan/_dev/test/pipeline/test-scan.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic +tenable_io,audit,fields_yml_nested,packages/tenable_io/data_stream/audit/fields/fields.yml,41,tenable_io.audit.target,vendor_root,entity_target_generic +tenable_io,audit,ingest_pipeline,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,319,tenable_io.audit.target.id,vendor_root,entity_target_generic +tenable_io,audit,fields_yml_nested,packages/tenable_io/data_stream/audit/fields/fields.yml,44,tenable_io.audit.target.id,vendor_root,entity_target_generic +tenable_io,audit,ingest_pipeline,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,331,tenable_io.audit.target.name,vendor_root,entity_target_generic +tenable_io,audit,fields_yml_nested,packages/tenable_io/data_stream/audit/fields/fields.yml,47,tenable_io.audit.target.name,vendor_root,entity_target_generic +tenable_io,audit,fields_yml_nested,packages/tenable_io/data_stream/audit/fields/fields.yml,50,tenable_io.audit.target.type,vendor_root,entity_target_generic 
+tenable_io,vulnerability,ingest_pipeline,packages/tenable_io/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml,1206,tenable_io.vulnerability.plugin.vpr_v2.targeted_industries,vendor_root,entity_target_generic +tenable_io,vulnerability,ingest_pipeline,packages/tenable_io/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml,1211,tenable_io.vulnerability.plugin.vpr_v2.targeted_regions,vendor_root,entity_target_generic +tenable_io,scan,expected_json,packages/tenable_io/data_stream/scan/_dev/test/pipeline/test-scan.log-expected.json,0,total_targets,other_vendor_or_nested,entity_target_generic +tenable_io,audit,ingest_pipeline,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,336,user.target.email,ecs_top_level,likely_user_target_or_entity +tenable_io,audit,ingest_pipeline,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,317,user.target.id,ecs_top_level,likely_user_target_or_entity +tenable_io,audit,ingest_pipeline,packages/tenable_io/data_stream/audit/elasticsearch/ingest_pipeline/default.yml,329,user.target.name,ecs_top_level,likely_user_target_or_entity +ti_crowdstrike,intel,ingest_pipeline,packages/ti_crowdstrike/data_stream/intel/elasticsearch/ingest_pipeline/default.yml,301,json.targets,other_vendor_or_nested,entity_target_generic +ti_crowdstrike,intel,expected_json,packages/ti_crowdstrike/data_stream/intel/_dev/test/pipeline/test-intel.log-expected.json,0,targets,other_vendor_or_nested,entity_target_generic +ti_crowdstrike,intel,ingest_pipeline,packages/ti_crowdstrike/data_stream/intel/elasticsearch/ingest_pipeline/default.yml,303,ti_crowdstrike.intel.targets,vendor_root,entity_target_generic +ti_google_threat_intelligence,ioc_stream,ingest_pipeline,packages/ti_google_threat_intelligence/data_stream/ioc_stream/elasticsearch/ingest_pipeline/default.yml,1530,_ingest._value.target_file_name,other_vendor_or_nested,entity_target_generic 
+ti_google_threat_intelligence,ioc_stream,ingest_pipeline,packages/ti_google_threat_intelligence/data_stream/ioc_stream/elasticsearch/ingest_pipeline/default.yml,1542,_ingest._value.target_object,other_vendor_or_nested,entity_target_generic +ti_google_threat_intelligence,ioc_stream,ingest_pipeline,packages/ti_google_threat_intelligence/data_stream/ioc_stream/elasticsearch/ingest_pipeline/default.yml,1528,_ingest._value.values.TargetFilename,other_vendor_or_nested,entity_target_generic +ti_google_threat_intelligence,ioc_stream,ingest_pipeline,packages/ti_google_threat_intelligence/data_stream/ioc_stream/elasticsearch/ingest_pipeline/default.yml,1540,_ingest._value.values.TargetObject,other_vendor_or_nested,entity_target_generic +ti_google_threat_intelligence,ioc_stream,fields_yml_nested,packages/ti_google_threat_intelligence/data_stream/ioc_stream/fields/fields.yml,920,gti.ioc_stream.attributes.sigma_analysis_results.match_context.target_file_name,other_vendor_or_nested,entity_target_generic +ti_google_threat_intelligence,ioc_stream,fields_yml_nested,packages/ti_google_threat_intelligence/data_stream/ioc_stream/fields/fields.yml,923,gti.ioc_stream.attributes.sigma_analysis_results.match_context.target_object,other_vendor_or_nested,entity_target_generic +ti_otx,pulses_subscribed,fields_yml_nested,packages/ti_otx/data_stream/pulses_subscribed/fields/fields.yml,71,otx.pulse.targeted_countries,other_vendor_or_nested,entity_target_generic +ti_otx,pulses_subscribed,expected_json,packages/ti_otx/data_stream/pulses_subscribed/_dev/test/pipeline/test-otx-pulses-subscribed-json.log-expected.json,0,targeted_countries,other_vendor_or_nested,entity_target_generic +ti_recordedfuture,playbook_alert,fields_yml_nested,packages/ti_recordedfuture/data_stream/playbook_alert/fields/fields.yml,277,recordedfuture.playbook_alert.panel_evidence_summary.summary.targets,other_vendor_or_nested,entity_target_generic 
+ti_recordedfuture,playbook_alert,fields_yml_nested,packages/ti_recordedfuture/data_stream/playbook_alert/fields/fields.yml,280,recordedfuture.playbook_alert.panel_evidence_summary.summary.targets.name,other_vendor_or_nested,entity_target_generic
+ti_recordedfuture,playbook_alert,fields_yml_nested,packages/ti_recordedfuture/data_stream/playbook_alert/fields/fields.yml,527,recordedfuture.playbook_alert.panel_status.targets,other_vendor_or_nested,entity_target_generic
+ti_recordedfuture,playbook_alert,fields_yml_nested,packages/ti_recordedfuture/data_stream/playbook_alert/fields/fields.yml,529,recordedfuture.playbook_alert.panel_status.targets_str,other_vendor_or_nested,entity_target_generic
+ti_recordedfuture,playbook_alert,expected_json,packages/ti_recordedfuture/data_stream/playbook_alert/_dev/test/pipeline/test-playbook-alert.log-expected.json,0,target_entities,other_vendor_or_nested,entity_target_generic
+ti_recordedfuture,playbook_alert,expected_json,packages/ti_recordedfuture/data_stream/playbook_alert/_dev/test/pipeline/test-playbook-alert.log-expected.json,0,targets,other_vendor_or_nested,entity_target_generic
+ti_recordedfuture,playbook_alert,expected_json,packages/ti_recordedfuture/data_stream/playbook_alert/_dev/test/pipeline/test-playbook-alert.log-expected.json,0,targets_str,other_vendor_or_nested,entity_target_generic
+ti_threatq,threat,expected_json,packages/ti_threatq/data_stream/threat/_dev/test/pipeline/test-threatq-no-preserve-ndjson.log-expected.json,0,related_exploit_target_count,other_vendor_or_nested,entity_target_generic
+ti_threatq,threat,ingest_pipeline,packages/ti_threatq/data_stream/threat/elasticsearch/ingest_pipeline/default.yml,904,threatq.related_exploit_target_count,other_vendor_or_nested,entity_target_generic
+ti_threatq,threat,fields_yml_nested,packages/ti_threatq/data_stream/threat/fields/fields.yml,91,threatq.related_exploit_target_count,other_vendor_or_nested,entity_target_generic
+tomcat,log,fields_yml_nested,packages/tomcat/data_stream/log/fields/fields.yml,553,rsa.misc.context_target,other_vendor_or_nested,entity_target_generic
+tomcat,log,fields_yml_nested,packages/tomcat/data_stream/log/fields/fields.yml,893,rsa.misc.cs_targetmodule,other_vendor_or_nested,entity_target_generic
+tomcat,log,fields_yml_nested,packages/tomcat/data_stream/log/fields/fields.yml,576,rsa.misc.vm_target,other_vendor_or_nested,entity_target_generic
+trellix_edr_cloud,event,ingest_pipeline,packages/trellix_edr_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,756,json.targetPid,other_vendor_or_nested,entity_target_generic
+trellix_edr_cloud,event,expected_json,packages/trellix_edr_cloud/data_stream/event/_dev/test/pipeline/test-event.log-expected.json,0,target_pid,other_vendor_or_nested,entity_target_generic
+trellix_edr_cloud,event,ingest_pipeline,packages/trellix_edr_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,758,trellix_edr_cloud.event.target_pid,vendor_root,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,221,json.attributes.targetfilename,other_vendor_or_nested,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,557,json.attributes.targethash,other_vendor_or_nested,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,61,json.attributes.targethostname,other_vendor_or_nested,likely_host_target_or_entity
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,84,json.attributes.targetipv4,other_vendor_or_nested,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,104,json.attributes.targetipv6,other_vendor_or_nested,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,135,json.attributes.targetmac,other_vendor_or_nested,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,159,json.attributes.targetport,other_vendor_or_nested,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,561,json.attributes.targetprocessname,other_vendor_or_nested,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,565,json.attributes.targetprotocol,other_vendor_or_nested,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,174,json.attributes.targetusername,other_vendor_or_nested,likely_user_target_or_entity
+trellix_epo_cloud,event,expected_json,packages/trellix_epo_cloud/data_stream/event/_dev/test/pipeline/test-pipeline-event.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,85,trellix_epo_cloud.event.attributes.target,vendor_root,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,222,trellix_epo_cloud.event.attributes.target.file_name,vendor_root,entity_target_generic
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,88,trellix_epo_cloud.event.attributes.target.file_name,vendor_root,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,558,trellix_epo_cloud.event.attributes.target.hash,vendor_root,entity_target_generic
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,90,trellix_epo_cloud.event.attributes.target.hash,vendor_root,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,62,trellix_epo_cloud.event.attributes.target.hostname,vendor_root,likely_host_target_or_entity
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,92,trellix_epo_cloud.event.attributes.target.hostname,vendor_root,likely_host_target_or_entity
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,86,trellix_epo_cloud.event.attributes.target.ipv4,vendor_root,entity_target_generic
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,94,trellix_epo_cloud.event.attributes.target.ipv4,vendor_root,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,116,trellix_epo_cloud.event.attributes.target.ipv6,vendor_root,entity_target_generic
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,96,trellix_epo_cloud.event.attributes.target.ipv6,vendor_root,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,151,trellix_epo_cloud.event.attributes.target.mac,vendor_root,entity_target_generic
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,98,trellix_epo_cloud.event.attributes.target.mac,vendor_root,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,161,trellix_epo_cloud.event.attributes.target.port,vendor_root,entity_target_generic
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,100,trellix_epo_cloud.event.attributes.target.port,vendor_root,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,562,trellix_epo_cloud.event.attributes.target.process_name,vendor_root,entity_target_generic
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,102,trellix_epo_cloud.event.attributes.target.process_name,vendor_root,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,566,trellix_epo_cloud.event.attributes.target.protocol,vendor_root,entity_target_generic
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,104,trellix_epo_cloud.event.attributes.target.protocol,vendor_root,entity_target_generic
+trellix_epo_cloud,event,ingest_pipeline,packages/trellix_epo_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml,175,trellix_epo_cloud.event.attributes.target.user_name,vendor_root,likely_user_target_or_entity
+trellix_epo_cloud,event,fields_yml_nested,packages/trellix_epo_cloud/data_stream/event/fields/fields.yml,106,trellix_epo_cloud.event.attributes.target.user_name,vendor_root,likely_user_target_or_entity
+trend_micro_vision_one,endpoint_activity,expected_json,packages/trend_micro_vision_one/data_stream/endpoint_activity/_dev/test/pipeline/test-endpoint-activity.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+trend_micro_vision_one,endpoint_activity,ingest_pipeline,packages/trend_micro_vision_one/data_stream/endpoint_activity/elasticsearch/ingest_pipeline/default.yml,1150,user.target.name,ecs_top_level,likely_user_target_or_entity
+trendmicro,deep_security,ingest_pipeline,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,640,cef.extensions.TrendMicroDsMalwareTarget,other_vendor_or_nested,entity_target_generic
+trendmicro,deep_security,ingest_pipeline,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,625,cef.extensions.TrendMicroDsMalwareTargetCount,other_vendor_or_nested,entity_target_generic
+trendmicro,deep_security,ingest_pipeline,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,635,cef.extensions.TrendMicroDsMalwareTargetType,other_vendor_or_nested,entity_target_generic
+trendmicro,deep_security,ingest_pipeline,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,557,cef.extensions.target,other_vendor_or_nested,entity_target_generic
+trendmicro,deep_security,ingest_pipeline,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,562,cef.extensions.targetID,other_vendor_or_nested,entity_target_generic
+trendmicro,deep_security,expected_json,packages/trendmicro/data_stream/deep_security/_dev/test/pipeline/test-trendmicro.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+trendmicro,deep_security,fields_yml_nested,packages/trendmicro/data_stream/deep_security/fields/fields.yml,229,trendmicro.deep_security.target,vendor_root,entity_target_generic
+trendmicro,deep_security,ingest_pipeline,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,564,trendmicro.deep_security.target.id,vendor_root,entity_target_generic
+trendmicro,deep_security,fields_yml_nested,packages/trendmicro/data_stream/deep_security/fields/fields.yml,232,trendmicro.deep_security.target.id,vendor_root,entity_target_generic
+trendmicro,deep_security,ingest_pipeline,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,559,trendmicro.deep_security.target.value,vendor_root,entity_target_generic
+trendmicro,deep_security,fields_yml_nested,packages/trendmicro/data_stream/deep_security/fields/fields.yml,235,trendmicro.deep_security.target.value,vendor_root,entity_target_generic
+trendmicro,deep_security,fields_yml_nested,packages/trendmicro/data_stream/deep_security/fields/fields.yml,277,trendmicro.deep_security.trendmicro.ds_malware_target,vendor_root,entity_target_generic
+trendmicro,deep_security,ingest_pipeline,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,627,trendmicro.deep_security.trendmicro.ds_malware_target.count,vendor_root,entity_target_generic
+trendmicro,deep_security,fields_yml_nested,packages/trendmicro/data_stream/deep_security/fields/fields.yml,280,trendmicro.deep_security.trendmicro.ds_malware_target.count,vendor_root,entity_target_generic
+trendmicro,deep_security,ingest_pipeline,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,637,trendmicro.deep_security.trendmicro.ds_malware_target.type,vendor_root,entity_target_generic
+trendmicro,deep_security,fields_yml_nested,packages/trendmicro/data_stream/deep_security/fields/fields.yml,283,trendmicro.deep_security.trendmicro.ds_malware_target.type,vendor_root,entity_target_generic
+trendmicro,deep_security,ingest_pipeline,packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml,642,trendmicro.deep_security.trendmicro.ds_malware_target.value,vendor_root,entity_target_generic
+trendmicro,deep_security,fields_yml_nested,packages/trendmicro/data_stream/deep_security/fields/fields.yml,286,trendmicro.deep_security.trendmicro.ds_malware_target.value,vendor_root,entity_target_generic
+unifiedlogs,,fields_yml_nested,packages/unifiedlogs/fields/apple-event.yml,23,apple_event.target_process,other_vendor_or_nested,entity_target_generic
+vectra_detect,log,expected_json,packages/vectra_detect/data_stream/log/_dev/test/pipeline/test-account-detection.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+vectra_detect,log,expected_json,packages/vectra_detect/data_stream/log/_dev/test/pipeline/test-account-lockdown.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+vectra_detect,log,expected_json,packages/vectra_detect/data_stream/log/_dev/test/pipeline/test-account-scoring.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+vectra_detect,log,expected_json,packages/vectra_detect/data_stream/log/_dev/test/pipeline/test-host-detection.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+vectra_detect,log,ingest_pipeline,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,168,user.target.email,ecs_top_level,likely_user_target_or_entity
+vectra_detect,log,ingest_pipeline,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-lockdown.yml,78,user.target.id,ecs_top_level,likely_user_target_or_entity
+vectra_detect,log,ingest_pipeline,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-scoring.yml,44,user.target.id,ecs_top_level,likely_user_target_or_entity
+vectra_detect,log,ingest_pipeline,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml,167,user.target.name,ecs_top_level,likely_user_target_or_entity
+vectra_detect,log,ingest_pipeline,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-detection.yml,174,user.target.name,ecs_top_level,likely_user_target_or_entity
+vectra_detect,log,ingest_pipeline,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-lockdown.yml,63,user.target.name,ecs_top_level,likely_user_target_or_entity
+vectra_detect,log,ingest_pipeline,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-scoring.yml,87,user.target.name,ecs_top_level,likely_user_target_or_entity
+vectra_detect,log,ingest_pipeline,packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-host-detection.yml,286,user.target.name,ecs_top_level,likely_user_target_or_entity
+watchguard_firebox,log,expected_json,packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-event.log-expected.json,0,target,other_vendor_or_nested,entity_target_generic
+watchguard_firebox,log,fields_yml_nested,packages/watchguard_firebox/data_stream/log/fields/fields.yml,569,watchguard_firebox.log.target,vendor_root,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json,0,NewTargetUserName,other_vendor_or_nested,likely_user_target_or_entity
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json,0,OldTargetUserName,other_vendor_or_nested,likely_user_target_or_entity
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-5145.json-expected.json,0,RelativeTargetName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4738-malformed.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4738.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4742.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4743.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4744.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4745.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746-user.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4748.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4749.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4750.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4753.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4759.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4760.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4763.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json,0,TargetDomainName,other_vendor_or_nested,entity_target_generic
+windows,applocker_exe_and_dll,expected_json,packages/windows/data_stream/applocker_exe_and_dll/_dev/test/pipeline/test-events-applocker-exe-8003-common-name.json-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic
+windows,applocker_exe_and_dll,expected_json,packages/windows/data_stream/applocker_exe_and_dll/_dev/test/pipeline/test-events-applocker-exe-8003.json-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic
+windows,applocker_msi_and_script,expected_json,packages/windows/data_stream/applocker_msi_and_script/_dev/test/pipeline/test-events-applocker-msi-and-script-8006.json-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json,0,TargetLogonId,other_vendor_or_nested,entity_target_generic
+windows,applocker_exe_and_dll,expected_json,packages/windows/data_stream/applocker_exe_and_dll/_dev/test/pipeline/test-events-applocker-exe-8003-common-name.json-expected.json,0,TargetProcessId,other_vendor_or_nested,entity_target_generic
+windows,applocker_exe_and_dll,expected_json,packages/windows/data_stream/applocker_exe_and_dll/_dev/test/pipeline/test-events-applocker-exe-8003.json-expected.json,0,TargetProcessId,other_vendor_or_nested,entity_target_generic
+windows,applocker_msi_and_script,expected_json,packages/windows/data_stream/applocker_msi_and_script/_dev/test/pipeline/test-events-applocker-msi-and-script-8006.json-expected.json,0,TargetProcessId,other_vendor_or_nested,entity_target_generic
+windows,applocker_packaged_app_deployment,expected_json,packages/windows/data_stream/applocker_packaged_app_deployment/_dev/test/pipeline/test-events-microsoft-windows-applocker-packaged-app-deployment.json-expected.json,0,TargetProcessId,other_vendor_or_nested,entity_target_generic
+windows,applocker_packaged_app_execution,expected_json,packages/windows/data_stream/applocker_packaged_app_execution/_dev/test/pipeline/test-events-microsoft-windows-applocker-packaged-app-execution.json-expected.json,0,TargetProcessId,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4717-windowssrv2016.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4718-windowssrv2016.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4738-malformed.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4738.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4742.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4743.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4744.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4745.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746-user.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4748.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4749.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4750.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4753.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4759.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4760.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4763.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json,0,TargetSid,other_vendor_or_nested,entity_target_generic +windows,applocker_exe_and_dll,expected_json,packages/windows/data_stream/applocker_exe_and_dll/_dev/test/pipeline/test-events-applocker-exe-8003-common-name.json-expected.json,0,TargetUser,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_exe_and_dll,expected_json,packages/windows/data_stream/applocker_exe_and_dll/_dev/test/pipeline/test-events-applocker-exe-8003.json-expected.json,0,TargetUser,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_msi_and_script,expected_json,packages/windows/data_stream/applocker_msi_and_script/_dev/test/pipeline/test-events-applocker-msi-and-script-8006.json-expected.json,0,TargetUser,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_deployment,expected_json,packages/windows/data_stream/applocker_packaged_app_deployment/_dev/test/pipeline/test-events-microsoft-windows-applocker-packaged-app-deployment.json-expected.json,0,TargetUser,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_execution,expected_json,packages/windows/data_stream/applocker_packaged_app_execution/_dev/test/pipeline/test-events-microsoft-windows-applocker-packaged-app-execution.json-expected.json,0,TargetUser,other_vendor_or_nested,likely_user_target_or_entity 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4738-malformed.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4738.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4742.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4743.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4744.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4745.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746-user.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4748.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4749.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4750.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4753.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4759.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4760.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4763.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json,0,TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json,0,TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json,0,TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json,0,TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4738-malformed.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4738.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746-user.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-5136-objectdn-escaped-comma.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +windows,forwarded,expected_json,packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-5145.json-expected.json,0,target_path,other_vendor_or_nested,entity_target_generic +windows,forwarded,ingest_pipeline,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3928,user.target.name,ecs_top_level,likely_user_target_or_entity 
+windows,forwarded,ingest_pipeline,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3934,winlog.event_data.NewTargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,fields_yml_nested,packages/windows/data_stream/forwarded/fields/winlog.yml,274,winlog.event_data.NewTargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,ingest_pipeline,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3929,winlog.event_data.OldTargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,fields_yml_nested,packages/windows/data_stream/forwarded/fields/winlog.yml,316,winlog.event_data.OldTargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_exe_and_dll,fields_yml_nested,packages/windows/data_stream/applocker_exe_and_dll/fields/winlog.yml,213,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,applocker_msi_and_script,fields_yml_nested,packages/windows/data_stream/applocker_msi_and_script/fields/winlog.yml,213,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,applocker_packaged_app_deployment,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_deployment/fields/winlog.yml,213,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,applocker_packaged_app_execution,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml,213,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,fields_yml_nested,packages/windows/data_stream/forwarded/fields/winlog.yml,446,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic 
+windows,powershell,fields_yml_nested,packages/windows/data_stream/powershell/fields/winlog.yml,213,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,powershell_operational,fields_yml_nested,packages/windows/data_stream/powershell_operational/fields/winlog.yml,213,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,sysmon_operational,fields_yml_nested,packages/windows/data_stream/sysmon_operational/fields/winlog.yml,241,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,windows_defender,fields_yml_nested,packages/windows/data_stream/windows_defender/fields/winlog.yml,213,winlog.event_data.TargetDomainName,other_vendor_or_nested,entity_target_generic +windows,forwarded,ingest_pipeline,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml,603,winlog.event_data.TargetFilename,other_vendor_or_nested,entity_target_generic +windows,sysmon_operational,ingest_pipeline,packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml,603,winlog.event_data.TargetFilename,other_vendor_or_nested,entity_target_generic +windows,sysmon_operational,fields_yml_nested,packages/windows/data_stream/sysmon_operational/fields/winlog.yml,243,winlog.event_data.TargetImage,other_vendor_or_nested,entity_target_generic +windows,applocker_exe_and_dll,fields_yml_nested,packages/windows/data_stream/applocker_exe_and_dll/fields/winlog.yml,215,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic +windows,applocker_msi_and_script,fields_yml_nested,packages/windows/data_stream/applocker_msi_and_script/fields/winlog.yml,215,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic 
+windows,applocker_packaged_app_deployment,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_deployment/fields/winlog.yml,215,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic +windows,applocker_packaged_app_execution,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml,215,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic +windows,forwarded,fields_yml_nested,packages/windows/data_stream/forwarded/fields/winlog.yml,448,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic +windows,powershell,fields_yml_nested,packages/windows/data_stream/powershell/fields/winlog.yml,215,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic +windows,powershell_operational,fields_yml_nested,packages/windows/data_stream/powershell_operational/fields/winlog.yml,215,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic +windows,sysmon_operational,fields_yml_nested,packages/windows/data_stream/sysmon_operational/fields/winlog.yml,245,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic +windows,windows_defender,fields_yml_nested,packages/windows/data_stream/windows_defender/fields/winlog.yml,215,winlog.event_data.TargetInfo,other_vendor_or_nested,entity_target_generic +windows,applocker_exe_and_dll,fields_yml_nested,packages/windows/data_stream/applocker_exe_and_dll/fields/winlog.yml,217,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic +windows,applocker_msi_and_script,fields_yml_nested,packages/windows/data_stream/applocker_msi_and_script/fields/winlog.yml,217,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic +windows,applocker_packaged_app_deployment,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_deployment/fields/winlog.yml,217,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic 
+windows,applocker_packaged_app_execution,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml,217,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic +windows,forwarded,fields_yml_nested,packages/windows/data_stream/forwarded/fields/winlog.yml,450,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic +windows,powershell,fields_yml_nested,packages/windows/data_stream/powershell/fields/winlog.yml,217,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic +windows,powershell_operational,fields_yml_nested,packages/windows/data_stream/powershell_operational/fields/winlog.yml,217,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic +windows,sysmon_operational,fields_yml_nested,packages/windows/data_stream/sysmon_operational/fields/winlog.yml,247,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic +windows,windows_defender,fields_yml_nested,packages/windows/data_stream/windows_defender/fields/winlog.yml,217,winlog.event_data.TargetLogonGuid,other_vendor_or_nested,entity_target_generic +windows,applocker_exe_and_dll,fields_yml_nested,packages/windows/data_stream/applocker_exe_and_dll/fields/winlog.yml,219,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,applocker_msi_and_script,fields_yml_nested,packages/windows/data_stream/applocker_msi_and_script/fields/winlog.yml,219,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,applocker_packaged_app_deployment,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_deployment/fields/winlog.yml,219,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic 
+windows,applocker_packaged_app_execution,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml,219,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,forwarded,ingest_pipeline,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml,3418,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,forwarded,fields_yml_nested,packages/windows/data_stream/forwarded/fields/winlog.yml,452,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,powershell,fields_yml_nested,packages/windows/data_stream/powershell/fields/winlog.yml,219,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,powershell_operational,fields_yml_nested,packages/windows/data_stream/powershell_operational/fields/winlog.yml,219,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,sysmon_operational,fields_yml_nested,packages/windows/data_stream/sysmon_operational/fields/winlog.yml,249,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,windows_defender,fields_yml_nested,packages/windows/data_stream/windows_defender/fields/winlog.yml,219,winlog.event_data.TargetLogonId,other_vendor_or_nested,entity_target_generic +windows,forwarded,ingest_pipeline,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml,1435,winlog.event_data.TargetProcessGUID,other_vendor_or_nested,entity_target_generic +windows,sysmon_operational,ingest_pipeline,packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml,1435,winlog.event_data.TargetProcessGUID,other_vendor_or_nested,entity_target_generic +windows,sysmon_operational,fields_yml_nested,packages/windows/data_stream/sysmon_operational/fields/winlog.yml,251,winlog.event_data.TargetProcessGUID,other_vendor_or_nested,entity_target_generic 
+windows,forwarded,ingest_pipeline,packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml,1434,winlog.event_data.TargetProcessGuid,other_vendor_or_nested,entity_target_generic +windows,sysmon_operational,ingest_pipeline,packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml,1434,winlog.event_data.TargetProcessGuid,other_vendor_or_nested,entity_target_generic +windows,sysmon_operational,fields_yml_nested,packages/windows/data_stream/sysmon_operational/fields/winlog.yml,253,winlog.event_data.TargetProcessId,other_vendor_or_nested,entity_target_generic +windows,applocker_exe_and_dll,fields_yml_nested,packages/windows/data_stream/applocker_exe_and_dll/fields/winlog.yml,221,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic +windows,applocker_msi_and_script,fields_yml_nested,packages/windows/data_stream/applocker_msi_and_script/fields/winlog.yml,221,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic +windows,applocker_packaged_app_deployment,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_deployment/fields/winlog.yml,221,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic +windows,applocker_packaged_app_execution,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml,221,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic +windows,forwarded,fields_yml_nested,packages/windows/data_stream/forwarded/fields/winlog.yml,454,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic +windows,powershell,fields_yml_nested,packages/windows/data_stream/powershell/fields/winlog.yml,221,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic 
+windows,powershell_operational,fields_yml_nested,packages/windows/data_stream/powershell_operational/fields/winlog.yml,221,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic +windows,sysmon_operational,fields_yml_nested,packages/windows/data_stream/sysmon_operational/fields/winlog.yml,255,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic +windows,windows_defender,fields_yml_nested,packages/windows/data_stream/windows_defender/fields/winlog.yml,221,winlog.event_data.TargetServerName,other_vendor_or_nested,entity_target_generic +windows,forwarded,fields_yml_nested,packages/windows/data_stream/forwarded/fields/winlog.yml,456,winlog.event_data.TargetSid,other_vendor_or_nested,entity_target_generic +windows,applocker_exe_and_dll,fields_yml_nested,packages/windows/data_stream/applocker_exe_and_dll/fields/winlog.yml,223,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_msi_and_script,fields_yml_nested,packages/windows/data_stream/applocker_msi_and_script/fields/winlog.yml,223,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_deployment,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_deployment/fields/winlog.yml,223,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_execution,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml,223,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,fields_yml_nested,packages/windows/data_stream/forwarded/fields/winlog.yml,458,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity 
+windows,powershell,fields_yml_nested,packages/windows/data_stream/powershell/fields/winlog.yml,223,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,powershell_operational,fields_yml_nested,packages/windows/data_stream/powershell_operational/fields/winlog.yml,223,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,sysmon_operational,fields_yml_nested,packages/windows/data_stream/sysmon_operational/fields/winlog.yml,257,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,windows_defender,fields_yml_nested,packages/windows/data_stream/windows_defender/fields/winlog.yml,223,winlog.event_data.TargetUserName,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_exe_and_dll,fields_yml_nested,packages/windows/data_stream/applocker_exe_and_dll/fields/winlog.yml,225,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_msi_and_script,fields_yml_nested,packages/windows/data_stream/applocker_msi_and_script/fields/winlog.yml,225,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_deployment,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_deployment/fields/winlog.yml,225,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_execution,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml,225,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +windows,forwarded,fields_yml_nested,packages/windows/data_stream/forwarded/fields/winlog.yml,460,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity 
+windows,powershell,fields_yml_nested,packages/windows/data_stream/powershell/fields/winlog.yml,225,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +windows,powershell_operational,fields_yml_nested,packages/windows/data_stream/powershell_operational/fields/winlog.yml,225,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +windows,sysmon_operational,fields_yml_nested,packages/windows/data_stream/sysmon_operational/fields/winlog.yml,259,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +windows,windows_defender,fields_yml_nested,packages/windows/data_stream/windows_defender/fields/winlog.yml,225,winlog.event_data.TargetUserSid,other_vendor_or_nested,likely_user_target_or_entity +windows,windows_defender,ingest_pipeline,packages/windows/data_stream/windows_defender/elasticsearch/ingest_pipeline/default.yml,226,winlog.event_data.Target_Commandline,other_vendor_or_nested,entity_target_generic +windows,applocker_exe_and_dll,fields_yml_nested,packages/windows/data_stream/applocker_exe_and_dll/fields/winlog.yml,360,winlog.user_data.TargetLogonId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_msi_and_script,fields_yml_nested,packages/windows/data_stream/applocker_msi_and_script/fields/winlog.yml,360,winlog.user_data.TargetLogonId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_deployment,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_deployment/fields/winlog.yml,360,winlog.user_data.TargetLogonId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_execution,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml,360,winlog.user_data.TargetLogonId,other_vendor_or_nested,likely_user_target_or_entity 
+windows,windows_defender,fields_yml_nested,packages/windows/data_stream/windows_defender/fields/winlog.yml,513,winlog.user_data.TargetLogonId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_exe_and_dll,ingest_pipeline,packages/windows/data_stream/applocker_exe_and_dll/elasticsearch/ingest_pipeline/default.yml,145,winlog.user_data.TargetProcessId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_exe_and_dll,fields_yml_nested,packages/windows/data_stream/applocker_exe_and_dll/fields/winlog.yml,362,winlog.user_data.TargetProcessId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_msi_and_script,ingest_pipeline,packages/windows/data_stream/applocker_msi_and_script/elasticsearch/ingest_pipeline/default.yml,145,winlog.user_data.TargetProcessId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_msi_and_script,fields_yml_nested,packages/windows/data_stream/applocker_msi_and_script/fields/winlog.yml,362,winlog.user_data.TargetProcessId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_deployment,ingest_pipeline,packages/windows/data_stream/applocker_packaged_app_deployment/elasticsearch/ingest_pipeline/default.yml,137,winlog.user_data.TargetProcessId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_deployment,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_deployment/fields/winlog.yml,362,winlog.user_data.TargetProcessId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_execution,ingest_pipeline,packages/windows/data_stream/applocker_packaged_app_execution/elasticsearch/ingest_pipeline/default.yml,137,winlog.user_data.TargetProcessId,other_vendor_or_nested,likely_user_target_or_entity 
+windows,applocker_packaged_app_execution,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml,362,winlog.user_data.TargetProcessId,other_vendor_or_nested,likely_user_target_or_entity +windows,windows_defender,fields_yml_nested,packages/windows/data_stream/windows_defender/fields/winlog.yml,515,winlog.user_data.TargetProcessId,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_exe_and_dll,fields_yml_nested,packages/windows/data_stream/applocker_exe_and_dll/fields/winlog.yml,358,winlog.user_data.TargetUser,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_msi_and_script,fields_yml_nested,packages/windows/data_stream/applocker_msi_and_script/fields/winlog.yml,358,winlog.user_data.TargetUser,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_deployment,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_deployment/fields/winlog.yml,358,winlog.user_data.TargetUser,other_vendor_or_nested,likely_user_target_or_entity +windows,applocker_packaged_app_execution,fields_yml_nested,packages/windows/data_stream/applocker_packaged_app_execution/fields/winlog.yml,358,winlog.user_data.TargetUser,other_vendor_or_nested,likely_user_target_or_entity +windows,windows_defender,fields_yml_nested,packages/windows/data_stream/windows_defender/fields/winlog.yml,511,winlog.user_data.TargetUser,other_vendor_or_nested,likely_user_target_or_entity +winlog,,fields_yml_nested,packages/winlog/fields/winlog.yml,239,winlog.event_data.NewTargetUserName,vendor_root,likely_user_target_or_entity +winlog,,fields_yml_nested,packages/winlog/fields/winlog.yml,275,winlog.event_data.OldTargetUserName,vendor_root,likely_user_target_or_entity +winlog,,fields_yml_nested,packages/winlog/fields/winlog.yml,399,winlog.event_data.TargetDomainName,vendor_root,entity_target_generic 
+winlog,,fields_yml_nested,packages/winlog/fields/winlog.yml,401,winlog.event_data.TargetInfo,vendor_root,entity_target_generic +winlog,,fields_yml_nested,packages/winlog/fields/winlog.yml,403,winlog.event_data.TargetLogonGuid,vendor_root,entity_target_generic +winlog,,fields_yml_nested,packages/winlog/fields/winlog.yml,405,winlog.event_data.TargetLogonId,vendor_root,entity_target_generic +winlog,,fields_yml_nested,packages/winlog/fields/winlog.yml,407,winlog.event_data.TargetServerName,vendor_root,entity_target_generic +winlog,,fields_yml_nested,packages/winlog/fields/winlog.yml,409,winlog.event_data.TargetSid,vendor_root,entity_target_generic +winlog,,fields_yml_nested,packages/winlog/fields/winlog.yml,411,winlog.event_data.TargetUserName,vendor_root,likely_user_target_or_entity +winlog,,fields_yml_nested,packages/winlog/fields/winlog.yml,413,winlog.event_data.TargetUserSid,vendor_root,likely_user_target_or_entity +withsecure_elements,security_events,expected_json,packages/withsecure_elements/data_stream/security_events/_dev/test/pipeline/test-security-event.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +withsecure_elements,security_events,fields_yml_nested,packages/withsecure_elements/data_stream/security_events/fields/fields.yml,226,withsecure_elements.security_events.details.targetCommandLine,vendor_root,entity_target_generic +withsecure_elements,security_events,fields_yml_nested,packages/withsecure_elements/data_stream/security_events/fields/fields.yml,139,withsecure_elements.security_events.details.targetData,vendor_root,entity_target_generic +withsecure_elements,security_events,fields_yml_nested,packages/withsecure_elements/data_stream/security_events/fields/fields.yml,211,withsecure_elements.security_events.details.targetPath,vendor_root,entity_target_generic 
+withsecure_elements,security_events,fields_yml_nested,packages/withsecure_elements/data_stream/security_events/fields/fields.yml,214,withsecure_elements.security_events.details.targetSha1,vendor_root,entity_target_generic +withsecure_elements,security_events,fields_yml_nested,packages/withsecure_elements/data_stream/security_events/fields/fields.yml,217,withsecure_elements.security_events.details.targetSha256,vendor_root,entity_target_generic +withsecure_elements,security_events,fields_yml_nested,packages/withsecure_elements/data_stream/security_events/fields/fields.yml,55,withsecure_elements.security_events.target,vendor_root,entity_target_generic +withsecure_elements,security_events,fields_yml_nested,packages/withsecure_elements/data_stream/security_events/fields/fields.yml,59,withsecure_elements.security_events.target.id,vendor_root,entity_target_generic +withsecure_elements,security_events,fields_yml_nested,packages/withsecure_elements/data_stream/security_events/fields/fields.yml,62,withsecure_elements.security_events.target.name,vendor_root,entity_target_generic +zoom,webhook,expected_json,packages/zoom/data_stream/webhook/_dev/test/pipeline/test-account.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +zoom,webhook,expected_json,packages/zoom/data_stream/webhook/_dev/test/pipeline/test-user.json-expected.json,0,target,other_vendor_or_nested,entity_target_generic +zoom,webhook,ingest_pipeline,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,54,user.target.email,ecs_top_level,likely_user_target_or_entity +zoom,webhook,ingest_pipeline,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,128,user.target.email,ecs_top_level,likely_user_target_or_entity +zoom,webhook,ingest_pipeline,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,70,user.target.full_name,ecs_top_level,likely_user_target_or_entity 
+zoom,webhook,ingest_pipeline,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,136,user.target.full_name,ecs_top_level,likely_user_target_or_entity +zoom,webhook,ingest_pipeline,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,50,user.target.id,ecs_top_level,likely_user_target_or_entity +zoom,webhook,ingest_pipeline,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml,120,user.target.id,ecs_top_level,likely_user_target_or_entity +zoom,webhook,ingest_pipeline,packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml,74,user.target.name,ecs_top_level,likely_user_target_or_entity diff --git a/dev/target-fields-audit/out/vendor_target_special_cases_report.md b/dev/target-fields-audit/out/vendor_target_special_cases_report.md new file mode 100644 index 00000000000..295689dafc1 --- /dev/null +++ b/dev/target-fields-audit/out/vendor_target_special_cases_report.md 
@@ -0,0 +1,68 @@ +# Vendor / integration `*target*` special cases + +- **git HEAD:** `d43ff234d21161ef4cbbc25d56415e4aa72680d9` +- **generated (UTC):** 2026-05-13T15:48:54Z +- **deduplicated field hits:** 1953 +- **unique packages with any hit:** 114 +- **unique packages with vendor-namespaced `*target*` paths:** 60 + +## What was scanned + +| Surface | Scope | +| --- | --- | +| `fields/**/*.yml` | Flat `- name: a.b.target...` and nested `- name:` stack paths containing `target`. | +| `elasticsearch/ingest_pipeline/*.{yml,yaml}` | `target_field`, `field`, `copy_from` values containing `target`. | +| `*_dev/test/pipeline/*expected.json` | Quoted dotted JSON keys containing `target` (truncated read). | + +## Namespace classification + +| `namespace_class` | Meaning | +| --- | --- | +| `vendor_root` / `vendor_namespaced` | First path segment matches the integration package slug (e.g. `okta.target`). | +| `ecs_top_level` | Starts with common ECS top-level field (e.g. `file.target_path`). | +| `other_vendor_or_nested` | Other dotted paths (nested vendor, transforms, rare shapes). | + +## `suggest_bucket` (heuristic only) + +Keyword-based guess for runtime `CASE` prioritisation — **not** a product mapping decision. 
+ +## Counts by namespace_class + +- **other_vendor_or_nested:** 1323 +- **vendor_root:** 531 +- **ecs_top_level:** 99 + +## Machine-readable outputs + +- All hits: [`vendor_target_special_cases.csv`](vendor_target_special_cases.csv) +- Triage playbook: [`../VENDOR_TARGET_ANALYSIS_PLAN.md`](../VENDOR_TARGET_ANALYSIS_PLAN.md) + +## Packages with most distinct `field_path` values (top 25) + +| package | distinct_field_paths | +| --- | ---: | +| google_secops | 67 | +| canva | 63 | +| sentinel_one | 62 | +| azure | 50 | +| aws | 48 | +| crowdstrike | 42 | +| jamf_protect | 37 | +| windows | 32 | +| jamf_pro | 31 | +| gcp | 27 | +| google_workspace | 27 | +| system | 26 | +| eset_protect | 22 | +| trellix_epo_cloud | 22 | +| o365 | 19 | +| osquery_manager | 19 | +| spycloud | 19 | +| cyberark_epm | 18 | +| m365_defender | 17 | +| cisco_duo | 16 | +| mongodb_atlas | 16 | +| tenable_io | 16 | +| microsoft_intune | 14 | +| okta | 13 | +| tanium | 13 | \ No newline at end of file diff --git a/dev/target-fields-audit/scan.py b/dev/target-fields-audit/scan.py new file mode 100755 index 00000000000..c981fe08f2c --- /dev/null +++ b/dev/target-fields-audit/scan.py 
@@ -0,0 +1,436 @@ +#!/usr/bin/env python3 +""" +Scan Elastic integrations under packages/ for ECS-style *.target.* field references. + +See SCOPE.md and OUTPUT.md in this directory. +""" + +from __future__ import annotations + +import argparse +import csv +import subprocess +import sys +from collections import defaultdict +from datetime import datetime, timezone +from pathlib import Path + +_SCRIPT_DIR = Path(__file__).resolve().parent +if str(_SCRIPT_DIR) not in sys.path: + sys.path.insert(0, str(_SCRIPT_DIR)) +import manifest_util # noqa: E402 + +PREFIXES = ( + "host.target.", + "user.target.", + "service.target.", + "entity.target.", +) + + +def classify_tier(rel_path: str) -> str | None: + p = rel_path.replace("\\", "/") + if "/elasticsearch/ingest_pipeline/" in p and (p.endswith(".yml") or p.endswith(".yaml")): + return "A" + if "/fields/" in p and p.endswith(".yml"): + return "B" + if "/kibana/" in p and p.endswith(".json"): + return "C" + return None + + +def parse_package_stream(rel_under_packages: str) -> tuple[str, str]: + parts = rel_under_packages.split("/") + package = parts[0] if parts else "" + data_stream = "" + try: + i = parts.index("data_stream") + if i + 1 < len(parts): + data_stream = parts[i + 1] + except ValueError: + pass + return package, data_stream + + +def line_for_prefix_search(line: str) -> str: + """ + Drop typical YAML end-of-line comments (' # ...') so we do not count + prefixes that appear only in comments (heuristic; not a full YAML lexer). 
+ """ + idx = line.find(" #") + if idx != -1: + return line[:idx] + return line + + +def line_matches_prefixes(line: str) -> list[str]: + hay = line_for_prefix_search(line) + found: list[str] = [] + for pref in PREFIXES: + if pref in hay: + found.append(pref) + return found + + +def should_skip_line(line: str, ignore_whole_line_comments: bool) -> bool: + if not ignore_whole_line_comments: + return False + s = line.lstrip() + return s.startswith("#") + + +def iter_scan_files(packages_dir: Path, only_packages: set[str] | None) -> list[Path]: + files: list[Path] = [] + for pkg_dir in sorted(packages_dir.iterdir()): + if not pkg_dir.is_dir(): + continue + if only_packages is not None and pkg_dir.name not in only_packages: + continue + for path in pkg_dir.rglob("*"): + if not path.is_file(): + continue + try: + rel = path.relative_to(packages_dir.parent) + except ValueError: + continue + rel_s = str(rel).replace("\\", "/") + if not rel_s.startswith("packages/"): + continue + rel_under = rel_s[len("packages/") :] + if classify_tier(rel_under) is None: + continue + files.append(path) + return files + + +def scan( + repo_root: Path, + packages_dir: Path, + only_packages: set[str] | None, + ignore_whole_line_comments: bool, + max_snippet: int, +) -> list[dict[str, str]]: + rows: list[dict[str, str]] = [] + rel_repo = lambda p: str(p.relative_to(repo_root)).replace("\\", "/") + + for path in iter_scan_files(packages_dir, only_packages): + rel_full = rel_repo(path) + rel_under = rel_full[len("packages/") :] + tier = classify_tier(rel_under) + assert tier is not None + package, data_stream = parse_package_stream(rel_under) + + try: + text = path.read_text(encoding="utf-8", errors="replace") + except OSError as e: + print(f"warn: skip read {rel_full}: {e}", file=sys.stderr) + continue + + for lineno, line in enumerate(text.splitlines(), start=1): + if should_skip_line(line, ignore_whole_line_comments): + continue + matches = line_matches_prefixes(line) + if not matches: + 
continue + snippet = line.strip() + if len(snippet) > max_snippet: + snippet = snippet[: max_snippet - 3] + "..." + for pref in matches: + rows.append( + { + "tier": tier, + "package": package, + "data_stream": data_stream, + "file": rel_full, + "line": str(lineno), + "matched_prefix": pref, + "snippet": snippet, + } + ) + rows.sort(key=lambda r: (r["package"], r["file"], int(r["line"]), r["matched_prefix"])) + return rows + + +def git_head(repo_root: Path) -> str: + try: + out = subprocess.check_output( + ["git", "-C", str(repo_root), "rev-parse", "HEAD"], + stderr=subprocess.DEVNULL, + text=True, + ) + return out.strip() + except (subprocess.CalledProcessError, FileNotFoundError): + return "unknown" + + +def write_csv(path: Path, rows: list[dict[str, str]]) -> None: + path.parent.mkdir(parents=True, exist_ok=True) + fieldnames = ["tier", "package", "data_stream", "file", "line", "matched_prefix", "snippet"] + with path.open("w", encoding="utf-8", newline="") as f: + w = csv.DictWriter(f, fieldnames=fieldnames, extrasaction="ignore") + w.writeheader() + w.writerows(rows) + + +def count_scanned_packages(packages_dir: Path, only_packages: set[str] | None) -> int: + """Number of integration directories under packages/ included in this run.""" + dirs = [p for p in packages_dir.iterdir() if p.is_dir()] + if only_packages is None: + return len(dirs) + return sum(1 for p in dirs if p.name in only_packages) + + +def package_confidence_short(tiers: set[str]) -> str: + """Single-word label for table cells; see summary section 'Confidence labels'.""" + if "A" in tiers: + return "high" + if "B" in tiers: + return "medium" + return "low" + + +def tiers_compact(tiers: set[str]) -> str: + return "+".join(t for t in ("A", "B", "C") if t in tiers) + + +def write_summary( + path: Path, + rows: list[dict[str, str]], + repo_root: Path, + packages_scanned: int, + top_n: int, + filter_note: str = "", +) -> None: + sha = git_head(repo_root) + ts = 
datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + + packages_by_tier_prefix: dict[tuple[str, str], set[str]] = defaultdict(set) + ds_tier_a: set[tuple[str, str]] = set() + pkg_hits_a: dict[str, int] = defaultdict(int) + pkg_hits_b: dict[str, int] = defaultdict(int) + pkg_hits_c: dict[str, int] = defaultdict(int) + pkg_tiers: dict[str, set[str]] = defaultdict(set) + pkg_prefixes: dict[str, set[str]] = defaultdict(set) + + for r in rows: + key = (r["tier"], r["matched_prefix"]) + packages_by_tier_prefix[key].add(r["package"]) + pkg_tiers[r["package"]].add(r["tier"]) + pkg_prefixes[r["package"]].add(r["matched_prefix"]) + if r["tier"] == "A": + pkg_hits_a[r["package"]] += 1 + if r["data_stream"]: + ds_tier_a.add((r["package"], r["data_stream"])) + elif r["tier"] == "B": + pkg_hits_b[r["package"]] += 1 + else: + pkg_hits_c[r["package"]] += 1 + + def md_table(headers: list[str], body_rows: list[list[str]]) -> str: + lines = [ + "| " + " | ".join(headers) + " |", + "| " + " | ".join("---" for _ in headers) + " |", + ] + for br in body_rows: + lines.append("| " + " | ".join(br) + " |") + return "\n".join(lines) + + uniq_pkg_any = sorted({r["package"] for r in rows}) + uniq_pkg_a = {r["package"] for r in rows if r["tier"] == "A"} + + def prefix_short(pref: str) -> str: + return pref.removesuffix(".") + + lines_out: list[str] = [ + "# ECS `*.target.*` audit summary", + "", + f"- **git HEAD:** `{sha}`", + f"- **generated (UTC):** {ts}", + f"- **integration packages scanned:** {packages_scanned}", + f"- **evidence rows (matches):** {len(rows)}", + "", + ] + if filter_note: + lines_out.append(f"- **filter:** {filter_note}") + lines_out.append("") + lines_out.extend( + [ + "Prefixes scanned: `host.target.`, `user.target.`, `service.target.`, `entity.target.`", + "", + "## Confidence labels", + "", + "| Label | Meaning |", + "| --- | --- |", + "| **high** | At least one hit under **Tier A** (ingest pipeline YAML). 
Strongest signal that documents may receive these fields at ingest. |", + "| **medium** | Hits only under **Tier B** (field YAML). Declared schema; not proof the pipeline populates it. |", + "| **low** | Hits only under **Tier C** (Kibana JSON). Saved objects referencing field names; not ingest. |", + "", + "If a package has multiple tiers, the label reflects the **strongest** tier present.", + "", + "## Unique packages by tier and prefix", + "", + ] + ) + + for tier in ("A", "B", "C"): + tier_name = {"A": "Pipeline", "B": "Fields", "C": "Kibana JSON"}[tier] + lines_out.append(f"### Tier {tier} — {tier_name}") + lines_out.append("") + body: list[list[str]] = [] + for pref in PREFIXES: + n = len(packages_by_tier_prefix.get((tier, pref), set())) + body.append([pref, str(n)]) + lines_out.append(md_table(["matched_prefix", "unique_packages"], body)) + lines_out.append("") + + lines_out.append("## Tier A — unique (package, data_stream) pairs") + lines_out.append("") + lines_out.append(str(len(ds_tier_a))) + lines_out.append("") + + lines_out.append("## Integrations with hits — full list") + lines_out.append("") + lines_out.append( + "Every package under `packages/` that produced at least one evidence row, " + "sorted by package name." 
+ ) + lines_out.append("") + full_rows: list[list[str]] = [] + for pkg in uniq_pkg_any: + tiers = pkg_tiers[pkg] + prefs = sorted(pkg_prefixes[pkg], key=lambda p: PREFIXES.index(p) if p in PREFIXES else 99) + pref_cell = ", ".join(prefix_short(p) for p in prefs) + full_rows.append( + [ + pkg, + package_confidence_short(tiers), + tiers_compact(tiers), + str(pkg_hits_a[pkg]), + str(pkg_hits_b[pkg]), + str(pkg_hits_c[pkg]), + pref_cell, + ] + ) + lines_out.append( + md_table( + [ + "package", + "confidence", + "tiers", + "rows_A", + "rows_B", + "rows_C", + "prefixes_seen", + ], + full_rows, + ) + ) + lines_out.append("") + + if top_n > 0: + lines_out.append(f"## Tier A — top {top_n} packages by evidence row count (optional quick view)") + lines_out.append("") + ranked = sorted(pkg_hits_a.items(), key=lambda x: (-x[1], x[0]))[:top_n] + lines_out.append(md_table(["package", "tier_A_rows"], [[p, str(c)] for p, c in ranked if c > 0])) + lines_out.append("") + + lines_out.append("## Totals") + lines_out.append("") + lines_out.append(f"- **integration packages scanned:** {packages_scanned}") + lines_out.append(f"- **unique packages with any hit:** {len(uniq_pkg_any)}") + lines_out.append(f"- **unique packages with Tier A hit:** {len(uniq_pkg_a)}") + lines_out.append("") + + path.write_text("\n".join(lines_out), encoding="utf-8") + + +def main() -> int: + ap = argparse.ArgumentParser(description="ECS *.target.* integration audit scanner") + ap.add_argument( + "--repo-root", + type=Path, + default=Path(__file__).resolve().parents[2], + help="Repository root (parent of packages/)", + ) + ap.add_argument( + "--output-dir", + type=Path, + default=Path(__file__).resolve().parent / "out", + help="Directory for CSV and summary", + ) + ap.add_argument( + "--only-packages", + type=str, + default="", + help="Comma-separated package names for pilot runs (default: all under packages/)", + ) + ap.add_argument( + "--ignore-yaml-comments", + action="store_true", + help="Skip lines whose 
first non-space char is # (whole-line YAML comments only)", + ) + ap.add_argument("--max-snippet", type=int, default=240) + ap.add_argument( + "--top-n", + type=int, + default=0, + help="If > 0, append a 'top N by Tier A rows' section (default 0: full list only)", + ) + ap.add_argument( + "--security-only", + action="store_true", + help="Only include packages whose root manifest.yml lists category `security`", + ) + args = ap.parse_args() + + repo_root = args.repo_root.resolve() + packages_dir = repo_root / "packages" + if not packages_dir.is_dir(): + print(f"error: missing packages dir: {packages_dir}", file=sys.stderr) + return 1 + + only: set[str] | None = None + if args.only_packages.strip(): + only = {p.strip() for p in args.only_packages.split(",") if p.strip()} + if args.security_only: + sec = manifest_util.security_package_names(packages_dir) + if only is not None: + only = only & sec + else: + only = sec + + rows = scan( + repo_root=repo_root, + packages_dir=packages_dir, + only_packages=only, + ignore_whole_line_comments=args.ignore_yaml_comments, + max_snippet=args.max_snippet, + ) + + out_dir = args.output_dir.resolve() + csv_path = out_dir / "target_fields_audit.csv" + md_path = out_dir / "target_fields_audit_summary.md" + scanned = count_scanned_packages(packages_dir, only) + write_csv(csv_path, rows) + filter_note = "" + if args.security_only: + filter_note = ( + "Only integrations whose root `packages//manifest.yml` includes the " + "`security` category (Elastic catalog tag)." + ) + write_summary( + md_path, + rows, + repo_root, + packages_scanned=scanned, + top_n=args.top_n, + filter_note=filter_note, + ) + + print(f"Wrote {len(rows)} rows -> {csv_path}") + print(f"Wrote summary -> {md_path}") + return 0 + + +if __name__ == "__main__": + raise SystemExit(main()) diff --git a/dev/target-fields-audit/stakeholder_matrix.py b/dev/target-fields-audit/stakeholder_matrix.py new file mode 100644 index 00000000000..20ab64f3e2a --- /dev/null 
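Review bot: The `snippet` column that `write_csv` emits is verbatim repository text (`snippet = line.strip()` in `scan`), and because YAML list items begin with `-` most cells start with a character spreadsheet applications treat as a formula; `csv.DictWriter` quoting is CSV-syntax only, so analysts opening `target_fields_audit.csv` in Excel or Sheets are exposed to formula injection from any package file line starting with `=`, `+`, `-`, `@` or a tab. Neutralise it in `scan` after the truncation step, e.g. `if snippet[:1] in ("=", "+", "-", "@", "\t"): snippet = "'" + snippet`, and say in `write_csv`'s docstring that the column is escaped for spreadsheet consumers. Separately, the `filter_note` string built in `main` contains the path `packages//manifest.yml`, which looks like a dropped package-name segment between the slashes. `--max-snippet` also has no lower bound, and for values below 3 the slice `snippet[: max_snippet - 3]` counts from the end of the string; a small guard such as `max_snippet = max(args.max_snippet, 3)` before calling `scan` would keep the truncation well-defined.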
+++ b/dev/target-fields-audit/stakeholder_matrix.py 
@@ -0,0 +1,182 @@
+#!/usr/bin/env python3
+"""
+Build a stakeholder matrix CSV for all integration packages.
+
+Columns:
+ package,
+ security category (Y/N),
+ observability category (Y/N),
+ other catalog categories (semicolon-separated; excludes security and observability),
+ graph visualization support (supported | missing | identified potential),
+ new strategy support (destination field) (Y/N),
+ support verified (Y/N)
+
+Data sources (under --reports-dir, default dev/target-fields-audit/out/):
+ - packages/*/manifest.yml — catalog categories
+ - target_fields_audit.csv — ECS host|user|service|entity.target.* hits by tier
+ - destination_identity_hits.csv — destination.user / destination.host in pipelines
+ - vendor_target_special_cases.csv — vendor *target* field paths (optional signal)
+
+Graph visualization support (automated heuristic):
+ - supported: Tier A pipeline evidence for ECS *.target.* (ingest maps target fields)
+ - identified potential: not Tier A, but destination-field strategy (Y) OR Tier B/C ECS
+ target only OR vendor-namespaced *target* field path in vendor CSV
+ - missing: none of the above
+
+support verified: always N (no human sign-off in this pipeline; update CSV manually).
+""" + +from __future__ import annotations + +import argparse +import csv +import sys +from pathlib import Path + +_SCRIPT_DIR = Path(__file__).resolve().parent +if str(_SCRIPT_DIR) not in sys.path: + sys.path.insert(0, str(_SCRIPT_DIR)) + +import manifest_util # noqa: E402 + + +def load_audit_packages(csv_path: Path) -> tuple[set[str], set[str], set[str]]: + """Returns (any_hit, tier_a, tier_bc_only).""" + any_hit: set[str] = set() + tier_a: set[str] = set() + tiers_by_pkg: dict[str, set[str]] = {} + if not csv_path.is_file(): + return any_hit, tier_a, set() + with csv_path.open(encoding="utf-8", newline="") as f: + for row in csv.DictReader(f): + pkg = row["package"] + any_hit.add(pkg) + tiers_by_pkg.setdefault(pkg, set()).add(row["tier"]) + tier_bc_only = set() + for pkg, tiers in tiers_by_pkg.items(): + if "A" in tiers: + tier_a.add(pkg) + elif tiers & {"B", "C"}: + tier_bc_only.add(pkg) + return any_hit, tier_a, tier_bc_only + + +def load_packages_from_csv_column(csv_path: Path, column: str = "package") -> set[str]: + if not csv_path.is_file(): + return set() + out: set[str] = set() + with csv_path.open(encoding="utf-8", newline="") as f: + for row in csv.DictReader(f): + out.add(row[column]) + return out + + +def load_vendor_namespaced_packages(csv_path: Path) -> set[str]: + if not csv_path.is_file(): + return set() + out: set[str] = set() + with csv_path.open(encoding="utf-8", newline="") as f: + for row in csv.DictReader(f): + nc = row.get("namespace_class", "") + if nc in ("vendor_root", "vendor_namespaced"): + out.add(row["package"]) + return out + + +def graph_support( + pkg: str, + tier_a: set[str], + tier_bc_only: set[str], + dest_strategy: set[str], + vendor_target: set[str], +) -> str: + if pkg in tier_a: + return "supported" + if pkg in dest_strategy or pkg in tier_bc_only or pkg in vendor_target: + return "identified potential" + return "missing" + + +def main() -> int: + ap = argparse.ArgumentParser(description="Stakeholder matrix for all 
integration packages") + ap.add_argument("--repo-root", type=Path, default=_SCRIPT_DIR.parents[1]) + ap.add_argument( + "--reports-dir", + type=Path, + default=_SCRIPT_DIR / "out", + help="Directory with target_fields_audit.csv, destination_identity_hits.csv, etc.", + ) + ap.add_argument( + "--output", + type=Path, + default=_SCRIPT_DIR / "out" / "packages_stakeholder_matrix.csv", + ) + args = ap.parse_args() + + repo = args.repo_root.resolve() + packages_dir = repo / "packages" + reports = args.reports_dir.resolve() + + all_packages = sorted(p.name for p in packages_dir.iterdir() if p.is_dir()) + if len(all_packages) != 445: + print(f"warn: expected 445 packages, found {len(all_packages)}", file=sys.stderr) + + security = manifest_util.security_package_names(packages_dir) + observability = manifest_util.package_names_with_category(packages_dir, "observability") + pkg_categories = manifest_util.load_package_categories(packages_dir) + + _, tier_a, tier_bc_only = load_audit_packages(reports / "target_fields_audit.csv") + dest_strategy = load_packages_from_csv_column(reports / "destination_identity_hits.csv") + vendor_target = load_vendor_namespaced_packages( + reports / "vendor_target_special_cases.csv" + ) + + rows: list[dict[str, str]] = [] + for pkg in all_packages: + dest_y = "Y" if pkg in dest_strategy else "N" + rows.append( + { + "package": pkg, + "security category": "Y" if pkg in security else "N", + "observability category": "Y" if pkg in observability else "N", + "other catalog categories": manifest_util.other_categories_label( + pkg_categories.get(pkg, []) + ), + "graph visualization support": graph_support( + pkg, tier_a, tier_bc_only, dest_strategy, vendor_target + ), + "new strategy support (destination field)": dest_y, + "support verified": "N", + } + ) + + out = args.output.resolve() + out.parent.mkdir(parents=True, exist_ok=True) + fieldnames = [ + "package", + "security category", + "observability category", + "graph visualization support", + "new 
strategy support (destination field)",
+ "support verified",
+ "other catalog categories",
+ ]
+ with out.open("w", encoding="utf-8", newline="") as f:
+ w = csv.DictWriter(f, fieldnames=fieldnames)
+ w.writeheader()
+ w.writerows(rows)
+
+ # Summary to stderr
+ g_counts = {"supported": 0, "identified potential": 0, "missing": 0}
+ for r in rows:
+ g_counts[r["graph visualization support"]] += 1
+ print(f"Wrote {len(rows)} rows -> {out}")
+ print(f"security Y: {sum(1 for r in rows if r['security category']=='Y')}")
+ print(f"observability Y: {sum(1 for r in rows if r['observability category']=='Y')}")
+ print(f"destination strategy Y: {sum(1 for r in rows if r['new strategy support (destination field)']=='Y')}")
+ print(f"graph support: {g_counts}")
+ return 0
+
+
+if __name__ == "__main__":
+ raise SystemExit(main())
diff --git a/dev/target-fields-audit/vendor_target_scan.py b/dev/target-fields-audit/vendor_target_scan.py
new file mode 100644
index 00000000000..ecb941a203e
--- /dev/null
+++ b/dev/target-fields-audit/vendor_target_scan.py
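Review bot: `main()` in stakeholder_matrix.py calls `packages_dir.iterdir()` without first checking that the directory exists, so a wrong `--repo-root` dies with a raw `FileNotFoundError` traceback instead of the clear error-plus-exit-1 that the neighbouring audit script uses; add `if not packages_dir.is_dir(): print(f"error: missing packages dir: {packages_dir}", file=sys.stderr); return 1` before the listing. The `# Summary to stderr` comment is contradicted by the `print` calls beneath it, which all go to stdout — either pass `file=sys.stderr` to them or change the comment to `# Summary to stdout`. The hard-coded `445` in the package-count warning will drift as packages are added or removed; consider exposing it as an `--expected-packages` option (default `0` meaning "no check") or dropping the warning. `load_audit_packages` and `load_packages_from_csv_column` index `row["tier"]` / `row[column]` directly, so a report CSV with a missing column fails with a bare `KeyError`; a short message naming the file and column would make that easier to act on.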
@@ -0,0 +1,495 @@ +#!/usr/bin/env python3 +""" +Per-integration scan for *target* semantics outside core ECS *.target.* fields. + +Captures: + - Vendor / integration namespaced dotted paths (e.g. okta.target, canva.audit.target.id) + - Ingest pipeline references (target_field / field / copy_from) with "target" in the path + - Pipeline test *expected.json keys when they look like dotted field paths with "target" + +Does not fully parse all YAML shapes; focuses on Elastic integration conventions. +""" + +from __future__ import annotations + +import argparse +import csv +import re +import subprocess +import sys +from collections import defaultdict +from dataclasses import dataclass +from datetime import datetime, timezone +from pathlib import Path + +SCRIPT_DIR = Path(__file__).resolve().parent +if str(SCRIPT_DIR) not in sys.path: + sys.path.insert(0, str(SCRIPT_DIR)) + +import scan as sc # noqa: E402 +import manifest_util # noqa: E402 + +# Pipeline: processor keys that carry dotted field paths. +RE_PIPELINE_ASSIGN = re.compile( + r"(?i)(?:target_field|field|copy_from)\s*:\s*([a-z0-9_.]+)", +) + +# Fully-qualified - name: in fields YAML (single-line path). +RE_FIELDS_FLAT_NAME = re.compile( + r"(?i)^\s*-\s*name:\s*([a-z0-9_]+(?:\.[a-z0-9_]+)+)\s*(?:#|$)", +) + +MAX_FIELDS_LINES = 50_000 +MAX_JSON_BYTES = 350_000 + +MAX_PIPELINE_LINES = 80_000 + +# JSON: linear scan of quoted keys (avoid regex backtracking on huge fixtures). 
+RE_JSON_ANY_KEY = re.compile(r'"([A-Za-z0-9_.]{1,200})"\s*:') + + +def strip_yaml_line_comment(line: str) -> str: + idx = line.find(" #") + return line[:idx] if idx != -1 else line + + +def path_has_target_token(path: str) -> bool: + p = path.lower() + if "target" not in p: + return False + for seg in p.split("."): + if "target" in seg: + return True + return False + + +def first_segment(path: str) -> str: + return path.split(".", 1)[0].lower() if path else "" + + +def classify_namespace(pkg: str, path: str) -> str: + fs = first_segment(path) + if fs in ( + "source", + "destination", + "host", + "user", + "event", + "process", + "file", + "registry", + "threat", + "dns", + "url", + "network", + "client", + "server", + "observer", + "ecs", + "labels", + "tags", + "message", + "log", + "cloud", + "organization", + "orchestrator", + "container", + "kubernetes", + "agent", + ): + return "ecs_top_level" + if fs == pkg.replace("-", "_"): + return "vendor_root" + if path.lower().startswith(pkg.lower().replace("-", "_") + "."): + return "vendor_namespaced" + return "other_vendor_or_nested" + + +def suggest_bucket(path: str) -> str: + pl = path.lower() + if any( + x in pl + for x in ( + "user", + "principal", + "identity", + "upn", + "username", + "actor", + "impersonat", + ) + ): + return "likely_user_target_or_entity" + if any(x in pl for x in ("host", "hostname", "device", "instance", "computer")): + return "likely_host_target_or_entity" + if any(x in pl for x in ("service", "application", "app_id", "bucket", "function")): + return "likely_service_target_or_entity" + return "entity_target_generic" + + +@dataclass +class Hit: + package: str + data_stream: str + source: str # fields_yml | ingest_pipeline | expected_json + file: str + line: int + field_path: str + namespace_class: str + suggest_bucket: str + + +def parse_data_stream(rel_parts: list[str]) -> str: + try: + i = rel_parts.index("data_stream") + if i + 1 < len(rel_parts): + return rel_parts[i + 1] + except 
ValueError: + pass + return "" + + +MAX_FIELDS_FILE_BYTES = 15_000_000 + + +def fields_yml_hits(pkg: str, path: Path, rel: str) -> list[Hit]: + """Stack-based path builder for common integration fields YAML.""" + hits: list[Hit] = [] + parts = rel.split("/") + ds = parse_data_stream(parts) + try: + if path.stat().st_size > MAX_FIELDS_FILE_BYTES: + return hits + lines = path.read_text(encoding="utf-8", errors="replace").splitlines() + except OSError: + return hits + if len(lines) > MAX_FIELDS_LINES: + lines = lines[:MAX_FIELDS_LINES] + + stack: list[tuple[int, str]] = [] + + for i, raw in enumerate(lines, start=1): + line = strip_yaml_line_comment(raw) + if not line.strip(): + continue + mflat = RE_FIELDS_FLAT_NAME.match(line) + if mflat: + full = mflat.group(1) + if path_has_target_token(full): + nc = classify_namespace(pkg, full) + hits.append( + Hit( + pkg, + ds, + "fields_yml_flat", + rel, + i, + full, + nc, + suggest_bucket(full), + ) + ) + continue + + m = re.match(r"^(\s*)-\s*name:\s*([^\s#]+?)\s*$", line) + if not m: + continue + indent = len(m.group(1).replace("\t", " ")) + name = m.group(2).strip() + if not name or name == ".": + continue + + while stack and stack[-1][0] >= indent: + stack.pop() + parent = stack[-1][1] if stack else "" + if parent: + full = f"{parent}.{name}" if not name.startswith(".") else f"{parent}{name}" + else: + full = name + stack.append((indent, full)) + + if "." 
in full and path_has_target_token(full): + nc = classify_namespace(pkg, full) + hits.append( + Hit( + pkg, + ds, + "fields_yml_nested", + rel, + i, + full, + nc, + suggest_bucket(full), + ) + ) + return hits + + +def ingest_pipeline_hits(pkg: str, path: Path, rel: str) -> list[Hit]: + hits: list[Hit] = [] + parts = rel.split("/") + ds = parse_data_stream(parts) + try: + lines = path.read_text(encoding="utf-8", errors="replace").splitlines() + except OSError: + return hits + if len(lines) > MAX_PIPELINE_LINES: + lines = lines[:MAX_PIPELINE_LINES] + + for i, raw in enumerate(lines, start=1): + line = strip_yaml_line_comment(raw) + if sc.should_skip_line(line, False): + continue + for m in RE_PIPELINE_ASSIGN.finditer(line): + val = m.group(1) + if "target" not in val.lower(): + continue + nc = classify_namespace(pkg, val) + hits.append( + Hit( + pkg, + ds, + "ingest_pipeline", + rel, + i, + val, + nc, + suggest_bucket(val), + ) + ) + return hits + + +def expected_json_hits(pkg: str, path: Path, rel: str) -> list[Hit]: + hits: list[Hit] = [] + parts = rel.split("/") + ds = parse_data_stream(parts) + try: + sz = path.stat().st_size + n = min(sz, MAX_JSON_BYTES) + raw = path.read_bytes()[:n].decode("utf-8", errors="replace") + except OSError: + return hits + + for m in RE_JSON_ANY_KEY.finditer(raw): + key = m.group(1) + if "target" not in key.lower(): + continue + nc = classify_namespace(pkg, key) + hits.append( + Hit( + pkg, + ds, + "expected_json", + rel, + 0, + key, + nc, + suggest_bucket(key), + ) + ) + return hits + + +def git_head(repo: Path) -> str: + try: + return subprocess.check_output( + ["git", "-C", str(repo), "rev-parse", "HEAD"], + stderr=subprocess.DEVNULL, + text=True, + ).strip() + except (subprocess.CalledProcessError, FileNotFoundError): + return "unknown" + + +def iter_scan_paths(pkg_dir: Path) -> list[Path]: + """Only paths that can contain field defs, pipelines, or pipeline tests.""" + paths: list[Path] = [] + globs = [ + 
"data_stream/**/fields/**/*.yml", + "data_stream/**/elasticsearch/ingest_pipeline/*.yml", + "data_stream/**/elasticsearch/ingest_pipeline/*.yaml", + "data_stream/**/_dev/test/pipeline/*-expected.json", + "data_stream/**/_dev/test/pipeline/*.log-expected.json", + "fields/**/*.yml", + ] + for pattern in globs: + paths.extend(pkg_dir.glob(pattern)) + return paths + + +def main() -> int: + ap = argparse.ArgumentParser(description="Vendor / integration *target* field scan") + ap.add_argument("--repo-root", type=Path, default=SCRIPT_DIR.parents[1]) + ap.add_argument("--output-dir", type=Path, default=SCRIPT_DIR / "out") + ap.add_argument( + "--security-only", + action="store_true", + help="Only include packages whose root manifest.yml lists category `security`", + ) + args = ap.parse_args() + + repo = args.repo_root.resolve() + packages = repo / "packages" + if not packages.is_dir(): + print(f"error: {packages}", file=sys.stderr) + return 1 + + sec_set: set[str] | None = None + if args.security_only: + sec_set = manifest_util.security_package_names(packages) + + all_hits: list[Hit] = [] + packages_in_scope = 0 + for pkg_dir in sorted(packages.iterdir()): + if not pkg_dir.is_dir(): + continue + pkg = pkg_dir.name + if sec_set is not None and pkg not in sec_set: + continue + packages_in_scope += 1 + for path in iter_scan_paths(pkg_dir): + if not path.is_file(): + continue + rel = str(path.relative_to(repo)).replace("\\", "/") + if "/fields/" in rel and rel.endswith(".yml"): + all_hits.extend(fields_yml_hits(pkg, path, rel)) + elif "/elasticsearch/ingest_pipeline/" in rel and rel.endswith((".yml", ".yaml")): + all_hits.extend(ingest_pipeline_hits(pkg, path, rel)) + elif "/_dev/test/pipeline/" in rel and ( + rel.endswith("-expected.json") or rel.endswith(".log-expected.json") + ): + all_hits.extend(expected_json_hits(pkg, path, rel)) + + # Dedupe identical (package, field_path, source file) keeping lowest line + dedup: dict[tuple[str, str, str, str], Hit] = {} + for h in 
all_hits: + k = (h.package, h.field_path, h.source, h.file) + if k not in dedup or (h.line and dedup[k].line and h.line < dedup[k].line): + dedup[k] = h + hits = sorted(dedup.values(), key=lambda x: (x.package, x.field_path, x.file, x.line)) + + out_dir = args.output_dir.resolve() + out_dir.mkdir(parents=True, exist_ok=True) + csv_path = out_dir / "vendor_target_special_cases.csv" + md_path = out_dir / "vendor_target_special_cases_report.md" + + with csv_path.open("w", encoding="utf-8", newline="") as f: + w = csv.writer(f) + w.writerow( + [ + "package", + "data_stream", + "source", + "file", + "line", + "field_path", + "namespace_class", + "suggest_bucket", + ] + ) + for h in hits: + w.writerow( + [ + h.package, + h.data_stream, + h.source, + h.file, + h.line, + h.field_path, + h.namespace_class, + h.suggest_bucket, + ] + ) + + # Per-package summary + pkg_fields: dict[str, set[str]] = defaultdict(set) + pkg_sources: dict[str, set[str]] = defaultdict(set) + for h in hits: + pkg_fields[h.package].add(h.field_path) + pkg_sources[h.package].add(h.source) + + pkgs_with_vendor = { + p + for p, paths in pkg_fields.items() + for fp in paths + if classify_namespace(p, fp) in ("vendor_root", "vendor_namespaced") + } + + ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + sha = git_head(repo) + + by_ns: dict[str, int] = defaultdict(int) + for h in hits: + by_ns[h.namespace_class] += 1 + + md_head: list[str] = [ + "# Vendor / integration `*target*` special cases", + "", + f"- **git HEAD:** `{sha}`", + f"- **generated (UTC):** {ts}", + f"- **integration packages in scope:** {packages_in_scope}", + ] + if args.security_only: + md_head.extend( + [ + "- **filter:** Only integrations whose root `packages//manifest.yml` includes the `security` category.", + "", + ] + ) + md_head.extend( + [ + f"- **deduplicated field hits:** {len(hits)}", + f"- **unique packages with any hit:** {len(pkg_fields)}", + f"- **unique packages with vendor-namespaced `*target*` paths:** 
{len(pkgs_with_vendor)}", + "", + "## What was scanned", + "", + "| Surface | Scope |", + "| --- | --- |", + "| `fields/**/*.yml` | Flat `- name: a.b.target...` and nested `- name:` stack paths containing `target`. |", + "| `elasticsearch/ingest_pipeline/*.{yml,yaml}` | `target_field`, `field`, `copy_from` values containing `target`. |", + "| `*_dev/test/pipeline/*expected.json` | Quoted dotted JSON keys containing `target` (truncated read). |", + "", + "## Namespace classification", + "", + "| `namespace_class` | Meaning |", + "| --- | --- |", + "| `vendor_root` / `vendor_namespaced` | First path segment matches the integration package slug (e.g. `okta.target`). |", + "| `ecs_top_level` | Starts with common ECS top-level field (e.g. `file.target_path`). |", + "| `other_vendor_or_nested` | Other dotted paths (nested vendor, transforms, rare shapes). |", + "", + "## `suggest_bucket` (heuristic only)", + "", + "Keyword-based guess for runtime `CASE` prioritisation — **not** a product mapping decision.", + "", + "## Counts by namespace_class", + "", + ] + ) + md = md_head + for k in sorted(by_ns.keys(), key=lambda x: -by_ns[x]): + md.append(f"- **{k}:** {by_ns[k]}") + md.append("") + md.append("## Machine-readable outputs") + md.append("") + md.append(f"- All hits: [`vendor_target_special_cases.csv`]({csv_path.name})") + md.append(f"- Triage playbook: [`../VENDOR_TARGET_ANALYSIS_PLAN.md`](../VENDOR_TARGET_ANALYSIS_PLAN.md)") + md.append("") + md.append("## Packages with most distinct `field_path` values (top 25)") + md.append("") + ranked = sorted(pkg_fields.items(), key=lambda kv: (-len(kv[1]), kv[0]))[:25] + md.append("| package | distinct_field_paths |") + md.append("| --- | ---: |") + for p, s in ranked: + md.append(f"| {p} | {len(s)} |") + md_path.write_text("\n".join(md), encoding="utf-8") + + print(f"Wrote {len(hits)} hits -> {csv_path}") + print(f"Wrote {md_path}") + print(f"Packages with any hit: {len(pkg_fields)}, vendor-namespaced: {len(pkgs_with_vendor)}") 
+ return 0
+
+
+if __name__ == "__main__":
+ raise SystemExit(main())
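Review bot: In `iter_scan_paths` the `data_stream/**/_dev/test/pipeline/*.log-expected.json` glob is a strict subset of the `*-expected.json` glob just above it, so every `.log-expected.json` fixture is returned twice and read and scanned twice by `expected_json_hits`; the later dedupe hides the duplicate hits but not the duplicated I/O, so drop the second pattern (and the redundant `rel.endswith(".log-expected.json")` arm in `main`). In `classify_namespace`, the `vendor_namespaced` branch looks unreachable for lower-case package names: `first_segment` lower-cases the path, so any path passing `startswith(slug + ".")` already satisfied `fs == pkg.replace("-", "_")` and returned `vendor_root`; the two classes differ only when `pkg` contains upper-case characters, and the report table already describes them as one class, so either collapse them or add a comment stating the intended distinction. The nested-name pattern `re.match(r"^(\s*)-\s*name:\s*([^\s#]+?)\s*$", line)` inside the per-line loop of `fields_yml_hits` would be clearer hoisted to a module-level `RE_FIELDS_NESTED_NAME` next to `RE_FIELDS_FLAT_NAME`, matching how the other patterns are declared. The `f"- Triage playbook: ..."` line in the markdown section has no placeholders and can be a plain string.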