elastic · strawgate · Mar 24, 2026 · Mar 24, 2026 · Mar 24, 2026
diff --git a/changelog/fragments/1742774400-fix-typos-security-service-integrations.yaml b/changelog/fragments/1742774400-fix-typos-security-service-integrations.yaml
@@ -0,0 +1,3 @@
+kind: bug-fix
+summary: Fix typos in crowdstrike, o365, okta, and santa module docs and field descriptions
+component: filebeat
@@ -89,19 +89,19 @@ Fields that let you store information about the client of the actor.
 Fields about the user agent information of the client.
 
 **`okta.client.user_agent.raw_user_agent`**
-:   The raw informaton of the user agent.
+:   The raw information of the user agent.
 
     type: keyword
 
 
 **`okta.client.user_agent.os`**
-:   The OS informaton.
+:   The OS information.
 
     type: keyword
 
 
 **`okta.client.user_agent.browser`**
-:   The browser informaton of the client.
+:   The browser information of the client.
 
     type: keyword
 
@@ -295,7 +295,7 @@ The suspicious activity fields from the debug data.
 
 
 **`okta.debug_context.debug_data.suspicious_activity.os`**
-:   The OS of the system from where the suspicious activity occured.
+:   The OS of the system from where the suspicious activity occurred.
 
     type: keyword
 
@@ -341,7 +341,7 @@ Fields that let you store information about authentication context.
 
 
 **`okta.authentication_context.external_session_id`**
-:   The session identifer of the external session if any.
+:   The session identifier of the external session if any.
 
     type: keyword
 

@@ -65,7 +65,7 @@ When you specify a setting at the command line, remember to prefix the setting w
 
 ### `falcon` fileset settings [_falcon_fileset_settings]
 
-The fileset is by default configured to collect JSON formated event data from `/var/log/crowdstrike/falconhoseclient/output`. It forwards DetectionSummaryEvent and IncidentSummaryEvent events.
+The fileset is by default configured to collect JSON formatted event data from `/var/log/crowdstrike/falconhoseclient/output`. It forwards DetectionSummaryEvent and IncidentSummaryEvent events.
 
 ```yaml
 var:

@@ -113,7 +113,7 @@ Once the required permissions are added, click the *Grant admin consent* button.
 
 #### Alternative endpoints [_alternative_endpoints]
 
-This module supports custom endpoints for on-prem deployments as well as alternative endpoints (GCC High endponts, U.S. DoD, European Union, etc). In order to point the module to an alternative endpoint, you need to adjust the `authentication_endpoint` and `resource` variables accordingly. For example:
+This module supports custom endpoints for on-prem deployments as well as alternative endpoints (GCC High endpoints, U.S. DoD, European Union, etc). In order to point the module to an alternative endpoint, you need to adjust the `authentication_endpoint` and `resource` variables accordingly. For example:
 
 ```yaml
     var.api:
@@ -157,7 +157,7 @@ This module supports custom endpoints for on-prem deployments as well as alterna
 
 #### Advanced configuration options [_advanced_configuration_options]
 
-The following configuration options are only recomended in case of problems. They must be nested under a single `var.api` key, like this:
+The following configuration options are only recommended in case of problems. They must be nested under a single `var.api` key, like this:
 
 ```yaml
     var.api:

@@ -412,7 +412,7 @@ filebeat.modules:
   log:
     enabled: false
     # Set custom paths for the log files. If left empty,
-    # Filebeat will choose the the default path.
+    # Filebeat will choose the default path.
     #var.paths:
 
 #------------------------------- Traefik Module -------------------------------

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -52275,7 +52275,7 @@ Fields about the user agent information of the client.
 *`okta.client.user_agent.raw_user_agent`*::
 +
 --
-The raw informaton of the user agent.
+The raw information of the user agent.
 
 
 type: keyword
@@ -52285,7 +52285,7 @@ type: keyword
 *`okta.client.user_agent.os`*::
 +
 --
-The OS informaton.
+The OS information.
 
 
 type: keyword
@@ -52295,7 +52295,7 @@ type: keyword
 *`okta.client.user_agent.browser`*::
 +
 --
-The browser informaton of the client.
+The browser information of the client.
 
 
 type: keyword
@@ -52620,7 +52620,7 @@ type: keyword
 *`okta.debug_context.debug_data.suspicious_activity.os`*::
 +
 --
-The OS of the system from where the suspicious activity occured.
+The OS of the system from where the suspicious activity occurred.
 
 
 type: keyword
@@ -52697,7 +52697,7 @@ type: array
 *`okta.authentication_context.external_session_id`*::
 +
 --
-The session identifer of the external session if any.
+The session identifier of the external session if any.
 
 
 type: keyword

diff --git a/filebeat/docs/modules/crowdstrike.asciidoc b/filebeat/docs/modules/crowdstrike.asciidoc
@@ -36,7 +36,7 @@ include::../include/config-option-intro.asciidoc[]
 [float]
 ==== `falcon` fileset settings
 
-The fileset is by default configured to collect JSON formated event data from `/var/log/crowdstrike/falconhoseclient/output`. It forwards DetectionSummaryEvent and IncidentSummaryEvent events.
+The fileset is by default configured to collect JSON formatted event data from `/var/log/crowdstrike/falconhoseclient/output`. It forwards DetectionSummaryEvent and IncidentSummaryEvent events.
 
 ["source","yaml",subs="attributes"]
 -----

diff --git a/filebeat/docs/modules/o365.asciidoc b/filebeat/docs/modules/o365.asciidoc
@@ -104,7 +104,7 @@ right away.
 ===== Alternative endpoints
 
 This module supports custom endpoints for on-prem deployments as well as
-alternative endpoints (GCC High endponts, U.S. DoD, European Union, etc). In
+alternative endpoints (GCC High endpoints, U.S. DoD, European Union, etc). In
 order to point the module to an alternative endpoint, you need to adjust the
 `authentication_endpoint` and `resource` variables accordingly. For example:
 
@@ -163,7 +163,7 @@ known content-types:
 [float]
 ===== Advanced configuration options
 
-The following configuration options are only recomended in case of problems.
+The following configuration options are only recommended in case of problems.
 They must be nested under a single `var.api` key, like this:
 
 [source,yaml]

@@ -392,7 +392,7 @@ filebeat.modules:
   log:
     enabled: false
     # Set custom paths for the log files. If left empty,
-    # Filebeat will choose the the default path.
+    # Filebeat will choose the default path.
     #var.paths:
 
 #------------------------------- Traefik Module -------------------------------

@@ -2,5 +2,5 @@
   log:
     enabled: false
     # Set custom paths for the log files. If left empty,
-    # Filebeat will choose the the default path.
+    # Filebeat will choose the default path.
     #var.paths:
@@ -5,5 +5,5 @@
   log:
     enabled: false
     # Set custom paths for the log files. If left empty,
-    # Filebeat will choose the the default path.
+    # Filebeat will choose the default path.
     #var.paths:
@@ -1642,7 +1642,7 @@ filebeat.modules:
   log:
     enabled: false
     # Set custom paths for the log files. If left empty,
-    # Filebeat will choose the the default path.
+    # Filebeat will choose the default path.
     #var.paths:
 
 #--------------------------------- Snyk Module ---------------------------------

@@ -53,7 +53,7 @@ When you specify a setting at the command line, remember to prefix the setting w
 
 ### `falcon` fileset settings [_falcon_fileset_settings]
 
-The fileset is by default configured to collect JSON formated event data from `/var/log/crowdstrike/falconhoseclient/output`. It forwards DetectionSummaryEvent and IncidentSummaryEvent events.
+The fileset is by default configured to collect JSON formatted event data from `/var/log/crowdstrike/falconhoseclient/output`. It forwards DetectionSummaryEvent and IncidentSummaryEvent events.
 
 ```yaml
 var:

@@ -101,7 +101,7 @@ Once the required permissions are added, click the *Grant admin consent* button.
 
 #### Alternative endpoints [_alternative_endpoints]
 
-This module supports custom endpoints for on-prem deployments as well as alternative endpoints (GCC High endponts, U.S. DoD, European Union, etc). In order to point the module to an alternative endpoint, you need to adjust the `authentication_endpoint` and `resource` variables accordingly. For example:
+This module supports custom endpoints for on-prem deployments as well as alternative endpoints (GCC High endpoints, U.S. DoD, European Union, etc). In order to point the module to an alternative endpoint, you need to adjust the `authentication_endpoint` and `resource` variables accordingly. For example:
 
 ```yaml
     var.api:
@@ -145,7 +145,7 @@ This module supports custom endpoints for on-prem deployments as well as alterna
 
 #### Advanced configuration options [_advanced_configuration_options]
 
-The following configuration options are only recomended in case of problems. They must be nested under a single `var.api` key, like this:
+The following configuration options are only recommended in case of problems. They must be nested under a single `var.api` key, like this:
 
 ```yaml
     var.api:

@@ -83,17 +83,17 @@
     - name: raw_user_agent
       type: keyword
       description: >
-        The raw informaton of the user agent.
+        The raw information of the user agent.
 
     - name: os
       type: keyword
       description: >
-        The OS informaton.
+        The OS information.
 
     - name: browser
       type: keyword
       description: >
-        The browser informaton of the client.
+        The browser information of the client.
 
   - name: zone
     type: keyword
@@ -297,7 +297,7 @@
         - name: os
           type: keyword
           description: >
-            The OS of the system from where the suspicious activity occured.
+            The OS of the system from where the suspicious activity occurred.
 
         - name: timestamp
           type: date
@@ -351,7 +351,7 @@
   - name: external_session_id
     type: keyword
     description: >
-      The session identifer of the external session if any.
+      The session identifier of the external session if any.
 
   - name: interface
     type: keyword
-Original file line number
+Diff line change
@@ Expand Up @@
     ### `falcon` fileset settings [_falcon_fileset_settings]
-    The fileset is by default configured to collect JSON formated event data from `/var/log/crowdstrike/falconhoseclient/output`. It forwards DetectionSummaryEvent and IncidentSummaryEvent events.
+    The fileset is by default configured to collect JSON formatted event data from `/var/log/crowdstrike/falconhoseclient/output`. It forwards DetectionSummaryEvent and IncidentSummaryEvent events.
     ```yaml
     var:
@@ Expand Down @@