diff --git a/doc_templates/endpoint/docs/CustomDocumentationREADME.md b/doc_templates/endpoint/docs/CustomDocumentationREADME.md index 5d024aeab..7693771ea 100644 --- a/doc_templates/endpoint/docs/CustomDocumentationREADME.md +++ b/doc_templates/endpoint/docs/CustomDocumentationREADME.md @@ -2,7 +2,7 @@ **This documentation is still beta** -The subdirectories document all ECS fields that may exist in documents generated by Endpoint into +These subdirectories document all ECS fields that may exist in documents generated by Elastic Defend (aka Endpoint) into logs and metrics datastreams. Only fields included by Endpoint are documented, those added during integration pipeline enrichment in Elasticsearch are not within the scope of this documentation. 
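Review bot: the rewritten first sentence now introduces "Elastic Defend (aka Endpoint)", but the unchanged continuation on the next context line still has a comma splice ("Only fields included by Endpoint are documented, those added during integration pipeline enrichment ... are not within the scope") and spells the term "datastreams" as one word, while the new table in the following hunk uses "Data Stream" / "data stream". Since this hunk already touches the paragraph, consider splitting the splice into two sentences ("... are documented. Fields added during integration pipeline enrichment in Elasticsearch are not within the scope of this documentation.") and settling on one spelling ("data streams") for the whole README.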
@@ -10,3 +10,19 @@ Endpoint state management documents are described in a cross-platform way becaus identical on each OS. Events are documented per-OS. Documentation for each state management or event document includes the relevant OS(es), the data stream the document is found in, a KQL filter to match on the document, and all the fields associated with the document. + +The mapping between each directory/data stream and the Kibana feature name are: + +| Directory | Data Stream | Kibana feature | Note | +| --------- | ----------- | -------------- | ---- | +| alerts | `logs-endpoint.alerts-*` | Malware / Ransomware / Memory Threat / Malicious Behavior | | +| api | `logs-endpoint.events.api-*` | API events | | +| file | `logs-endpoint.events.file-*` | File Events | | +| library | `logs-endpoint.events.library-*` | DLL and Driver Load events | | +| metadata | `metrics-endpoint.metadata-*` | | This is for internal state management documents | +| metrics | `metrics-endpoint.metrics-*` | | This is for internal state management documents | +| network | `logs-endpoint.events.network-*` | DNS and Network events | Both DNS and Network events share a single datastream | +| policy | `metrics-endpoint.policy-*` | | This is for internal state management documents | +| process | `logs-endpoint.events.process-*` | Process events | Session and Terminal Output data on Linux is included in this datastream | +| registry | `logs-endpoint.events.registry-*` | Registry events | | +| security | `logs-endpoint.events.security-*` | Security events | |
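Review bot: the lead-in sentence has a subject-verb disagreement: "The mapping between each directory/data stream and the Kibana feature name are:" should read "is:" (or "The mappings ... are:"). Within the table itself the Note column uses "datastream" twice ("share a single datastream", "included in this datastream") while the header says "Data Stream"; pick one form. The three internal state management rows (metadata, metrics, policy) leave the Kibana feature cell empty and put the explanation in Note, which renders as a blank cell; consider an explicit placeholder such as "n/a (internal)" in the Kibana feature column so a reader scanning that column does not mistake the blank for a missing entry. Finally, the alerts row names four features in one cell ("Malware / Ransomware / Memory Threat / Malicious Behavior"); a short Note saying that all protection-type alerts share the single `logs-endpoint.alerts-*` data stream, mirroring the DNS/Network note, would make the table self-consistent.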